Risk Level: Low
Description
This plugin ensures all Organization features are enabled. Amazon Organizations all features must be enabled to gain central control over the use of AWS services across multiple AWS accounts (using Service Control Policies) in order to help you comply with the security and compliance policies within your company.
About the Service
AWS Organizations: AWS Organizations helps organize and control multiple AWS accounts of your organization under the same service. As per the AWS documentation, it also gets integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization.
Impact
AWS Organizations provide required control to manage and audit resource usage across multiple accounts. It is recommended that AWS Organization is in use for your account with “All Features Enabled” to make sure your organization is following compliance standards.
Steps to Reproduce
Using AWS Console-
- Log In to your AWS Console.
- Open the Amazon Organizations Console. You can use this link (https://console.aws.amazon.com/organizations/) to navigate directly if already logged in.
- Move to the Settings page.
- Check the features section. If all features are not enabled, the vulnerability exists.
- Repeat steps for all the accounts you wish to examine.
Steps for Remediation
Enable all AWS Organizations features. Make sure you have ‘organizations:EnableAllFeatures’ and ‘organizations:DescribeOrganization’ permissions before doing the changes.
- Log In to your AWS Console.
- Open the Amazon Organizations Console. You can use this link (https://console.aws.amazon.com/organizations/) to navigate directly if already logged in.
- Move to the Settings page.
- Click on Begin Process. You will be required to accept an acknowledgement, then click on Begin Process. The invites will be sent to other accounts as well for enabling “All Features”.