Class X8OrganizationSetup

Construct that sets up an organizational hierarchy in the management account following best-practice recommendations. The recommendation is to use the management account only for management-related tasks and to have a separate member account for each of your applications. The X8OrganizationSetup construct performs the following tasks.

  • Create the root Org and attach several policies that restrict member accounts from performing certain tasks.
  • Create the organizational unit hierarchy:
    • SecurityOU [ProductionSecurityOU, DevelopmentSecurityOU]

      SecurityOU groups security-related accounts, such as the accounts that collect logs and CloudTrail events from all other accounts. Only the security team has access to it, and that access is view-only.

    • InfrastructureOU

      InfrastructureOU groups infrastructure-related accounts, such as networking, that are shared between all member accounts.

    • WorkloadsOU

      WorkloadsOU groups all the application workloads.

    • QuarantineOU

      QuarantineOU groups all the deleted accounts.

  • This construct also provides several policies that can be used with OUs.
  • Each workload is added under WorkloadsOU, and for each one the construct creates a DeploymentOU, a DevelopmentOU and a ProductionOU.
  • Default policies applied to the Root Org:
    1. Prevent root users in member accounts from making API calls
    2. Prevent member accounts from leaving the organization
    3. Prevent AWS AI services from using data
    4. Prevent users in member accounts from making changes to CloudTrail
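The four default policies above are listed by intent only. The following is an added example, not code from the X8OrganizationSetup package or from cre8ivelogix, showing the policy documents those four intents correspond to and a small evaluator for checking which principal/action combinations the SCPs would deny. Policy contents follow AWS's published example SCPs and the AI services opt-out policy syntax; the function names, statement Sids and the 111122223333 account ID are assumptions constructed for the example. Two caveats the evaluator makes explicit: SCPs never apply to the management account, and the evaluator models only the Deny statements, not the allow-list side (the default FullAWSAccess SCP), so a "not denied" result means only that these policies do not block the call.

```typescript
// Added example (not part of the X8OrganizationSetup package): the four default
// policies applied to the Root Org, as policy documents, plus a Deny-only evaluator.
// Policy contents follow AWS's published example SCPs; names/Sids are assumptions.

type Condition = Record<string, Record<string, string>>;

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string;
  Condition?: Condition;
}

interface ScpDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

/** Policies 1, 2 and 4 are service control policies (SCPs). */
function defaultRootScps(): Record<string, ScpDocument> {
  return {
    // 1. Prevent root users in member accounts from making API calls
    DenyRootUser: {
      Version: "2012-10-17",
      Statement: [{
        Sid: "DenyRootUser",
        Effect: "Deny",
        Action: "*",
        Resource: "*",
        Condition: { StringLike: { "aws:PrincipalArn": "arn:aws:iam::*:root" } },
      }],
    },
    // 2. Prevent member accounts from leaving the organization
    DenyLeaveOrganization: {
      Version: "2012-10-17",
      Statement: [{
        Sid: "DenyLeaveOrganization",
        Effect: "Deny",
        Action: "organizations:LeaveOrganization",
        Resource: "*",
      }],
    },
    // 4. Prevent users in member accounts from changing CloudTrail
    DenyCloudTrailChanges: {
      Version: "2012-10-17",
      Statement: [{
        Sid: "DenyCloudTrailChanges",
        Effect: "Deny",
        Action: [
          "cloudtrail:DeleteTrail",
          "cloudtrail:PutEventSelectors",
          "cloudtrail:StopLogging",
          "cloudtrail:UpdateTrail",
        ],
        Resource: "*",
      }],
    },
  };
}

/** 3. Prevent AWS AI services from using data: an AI services opt-out policy,
 *  which is a separate Organizations policy type, not an SCP. */
function aiServicesOptOutPolicy(): object {
  return { services: { default: { opt_out_policy: { "@@assign": "optOut" } } } };
}

/** IAM-style wildcard match: '*' matches any run of characters; comparison is case-insensitive. */
function wildcardMatch(pattern: string, value: string): boolean {
  const parts = pattern.split("*").map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(value);
}

/** True if any Deny statement in the SCP set matches `action` for `principalArn`.
 *  Only the StringLike/aws:PrincipalArn condition is modelled; Allow statements are ignored. */
function isDeniedByScps(scps: Record<string, ScpDocument>, action: string, principalArn: string): boolean {
  for (const name in scps) {
    for (const st of scps[name].Statement) {
      if (st.Effect !== "Deny") continue;
      const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
      if (!actions.some((a) => wildcardMatch(a, action))) continue;
      const like = st.Condition?.StringLike?.["aws:PrincipalArn"];
      if (like !== undefined && !wildcardMatch(like, principalArn)) continue;
      return true;
    }
  }
  return false;
}

// Demo with constructed principals in a made-up member account 111122223333.
const scps = defaultRootScps();
console.log("root s3:GetObject denied:", isDeniedByScps(scps, "s3:GetObject", "arn:aws:iam::111122223333:root"));
console.log("user s3:GetObject denied:", isDeniedByScps(scps, "s3:GetObject", "arn:aws:iam::111122223333:user/alice"));
console.log("user cloudtrail:StopLogging denied:", isDeniedByScps(scps, "cloudtrail:StopLogging", "arn:aws:iam::111122223333:user/alice"));
console.log(JSON.stringify(aiServicesOptOutPolicy()));
```

When attaching these to the root in a real deployment, remember that the deny on `aws:PrincipalArn` `arn:aws:iam::*:root` still permits the root user to sign in; it blocks API calls, which is why a CloudTrail alarm on root sign-in remains useful alongside it.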

Default Alarms

Examples

Default Usage

new X8OrganizationSetup(this, "LogicalId", {
  x8DomainName: 'cre8ivelogix.com',
  x8AccountEmail: 'info@cre8ivelogix.com',
  x8CompanyName: 'CRE8IVELOGIX'
});

Custom Configuration

new X8OrganizationSetup(this, "LogicalId", {
  x8DomainName: 'cre8ivelogix.com',
  x8AccountEmail: 'info@cre8ivelogix.com',
  x8CompanyName: 'CRE8IVELOGIX',
  x8DoNotCreateAccounts: true
});

Compliance

It addresses the following compliance requirements

Hierarchy

  • Construct
    • X8OrganizationSetup

Constructors

Properties

devLogArchiveAccount?: Account

AWS member account for collecting logs from development accounts

developmentSecurityOU: OrganizationalUnit

Security Organizational Unit for Development accounts

infrastructureOU: OrganizationalUnit

Infrastructure Organizational Unit

networkAccount?: Account

AWS member account for network-related infrastructure, such as Route 53 hosted zones

prodLogArchiveAccount?: Account

AWS member account for collecting logs from production accounts

prodSecurityOU: OrganizationalUnit

Security Organizational Unit for Production accounts

quarantineOU: OrganizationalUnit

Quarantine Organizational Unit, for deleted accounts

rootOrg: Organization

Root Organization

securityOU: OrganizationalUnit

Security Organizational Unit

sourceCodeAccount?: Account

AWS member account for source code git repository of all the applications.

workloadsOU: OrganizationalUnit

Workloads Organizational Unit, to group all the application workloads

Methods

  • Parameters

    • rootOrg: Organization

    Returns void

Generated using TypeDoc