AWS Organizations

AWS Organization Pending Invites

Risk Level: Low

Description

This plugin ensures that all Organization invitations have been accepted. Invitations should be accepted or rejected without delay so that member accounts can take full advantage of the organization. All features of Amazon Organizations must be enabled to gain central control over the use of AWS services across multiple AWS accounts (using Service Control Policies), which helps you comply with the security and compliance policies within your company.

About the Service

AWS Organizations: AWS Organizations helps organize and control multiple AWS accounts of your organization under the same service. As per the AWS documentation, it also gets integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization.

Impact

AWS Organizations provides the controls required to manage and audit resource usage across multiple accounts. It is recommended that AWS Organizations be in use for your account with “All Features Enabled” to make sure your organization is following compliance standards.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon Organizations Console. You can use this link (https://console.aws.amazon.com/organizations/) to navigate directly if already logged in. 
  3. Move to the Invitations page under AWS Accounts.
  4. A list of invitations will appear. If any of the invitations has the status “Pending”, then the vulnerability exists.
  5. Repeat steps for all the accounts you wish to examine.


Steps for Remediation

Cancel any invitation that has been pending for a long time. Make sure you have the ‘organizations:ListHandshakesForOrganization’, ‘organizations:DescribeOrganization’ and ‘organizations:CancelHandshake’ permissions before making the changes.

  1. Log In to your AWS Console.
  2. Open the Amazon Organizations Console. You can use this link (https://console.aws.amazon.com/organizations/) to navigate directly if already logged in. 
  3. Move to the Invitations page under AWS Accounts.
  4. A list of invitations will appear. Select the vulnerable invitation by clicking on the radio button next to it. Click on Cancel Invitation.
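The same check and remediation can be scripted instead of clicked through in the console. The following is an added example, not the plugin's own code: it lists INVITE handshakes through the `ListHandshakesForOrganization` API, flags those still in the `OPEN` state for longer than a configurable number of days, and can cancel them with `CancelHandshake`. The seven-day threshold, the handshake IDs and the account IDs in the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
# An invitation the member account has not yet answered has State "OPEN".
PENDING_STATES = {"OPEN"}

def pending_invites(handshakes, now=None, max_age_days=7):
    """Return INVITE handshakes still OPEN for at least max_age_days.

    Each finding is (handshake_id, invited_party_id, age_in_days).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for hs in handshakes:
        if hs.get("Action") != "INVITE" or hs.get("State") not in PENDING_STATES:
            continue
        age = now - hs["RequestedTimestamp"]
        if age < timedelta(days=max_age_days):
            continue
        # Parties hold the inviting organization plus the invited account/email.
        invited = next((p["Id"] for p in hs.get("Parties", [])
                        if p.get("Type") in ("ACCOUNT", "EMAIL")), "unknown")
        findings.append((hs["Id"], invited, age.days))
    return findings

def fetch_invites(client):
    """Page through invitations (needs organizations:ListHandshakesForOrganization)."""
    paginator = client.get_paginator("list_handshakes_for_organization")
    handshakes = []
    for page in paginator.paginate(Filter={"ActionType": "INVITE"}):
        handshakes.extend(page["Handshakes"])
    return handshakes

def cancel_invites(client, findings):
    """Cancel each flagged invitation (needs organizations:CancelHandshake)."""
    for handshake_id, _invited, _age in findings:
        client.cancel_handshake(HandshakeId=handshake_id)

# Constructed sample records shaped like the API response, for an offline run.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ORG = {"Id": "o-exampleorg", "Type": "ORGANIZATION"}
SAMPLE_HANDSHAKES = [
    {"Id": "h-stale0000000001", "Action": "INVITE", "State": "OPEN",
     "RequestedTimestamp": NOW - timedelta(days=20),
     "Parties": [ORG, {"Id": "111111111111", "Type": "ACCOUNT"}]},
    {"Id": "h-fresh0000000002", "Action": "INVITE", "State": "OPEN",
     "RequestedTimestamp": NOW - timedelta(days=2),
     "Parties": [ORG, {"Id": "222222222222", "Type": "ACCOUNT"}]},
    {"Id": "h-done00000000003", "Action": "INVITE", "State": "ACCEPTED",
     "RequestedTimestamp": NOW - timedelta(days=30), "Parties": [ORG]},
]
```

For a live run from the management account, pass `boto3.client("organizations")` to `fetch_invites` and feed the resulting findings to `cancel_invites`; review the findings list before cancelling, since an invite pending only a few days may still be legitimately awaiting the member's response.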