All news with #aws organizations tag
Thu, November 20, 2025
AWS Tag Policies: Validate and Enforce Required Tags
🔒 AWS Organizations Tag Policies introduces Reporting for Required Tags, a validation check that ensures IaC deployments include mandatory tags. You define a tag policy specifying required keys and enable validation for CloudFormation, Terraform, or Pulumi workflows. Validation is implemented by activating the AWS::TagPolicies::TaggingComplianceValidator Hook in CloudFormation, adding plan-time checks in Terraform, or enabling the aws-organizations-tag-policies policy pack in Pulumi. The feature is available via the AWS Management Console, AWS CLI, and AWS SDK in supported Regions.
Wed, November 19, 2025
AWS Channel Partner Billing Transfer for Reselling Services
🧾 AWS Channel Partners in the Solution Provider and Distribution programs can now resell AWS services using Billing Transfer. This capability allows partners to assume financial responsibility for customer AWS Organizations while customers retain full control of their management accounts. Partners centrally manage billing and payments, receive eligible program benefits on partner-delivered bills, and can use new Partner Central APIs for channel reporting and incentive qualification.
Wed, November 19, 2025
Amazon Inspector: Org-wide Management via AWS Organizations
🔒 Amazon Inspector can now be enabled, configured, and managed centrally across your AWS Organization using a new Inspector policy type in AWS Organizations. Administrators designate a delegated admin, enable the Inspector policies policy type, and create policies that specify scan types (Amazon EC2, ECR, Lambda standard, Code Scanning, Code Security) and Regions. Once attached to a root, OU, or account, the policy automatically enables Inspector for all covered accounts — including new accounts that join or move into covered OUs — ensuring consistent vulnerability scanning coverage and reducing operational overhead.
Wed, November 19, 2025
AWS Organizations Enables Direct Account Transfers
🔁 AWS Organizations now supports direct transfers of accounts between organizations, removing the prior need to convert an account to a standalone entity during moves. The simplified transfer preserves governance controls, consolidated billing, and account settings and uses the same console and APIs (invite and accept). This capability is available in all commercial AWS Regions and the AWS GovCloud (US) Regions.
Tue, September 23, 2025
Defense-in-Depth: Building an AWS Control Framework
🔒 This post outlines a practical, layered approach to reduce risk in AWS by moving beyond detective-only controls to a comprehensive defense-in-depth control framework. It recommends combining preventative, proactive, detective, and responsive controls across the resource lifecycle and illustrates how AWS services such as AWS Control Tower, AWS Organizations, Security Hub, and AWS Config enable that strategy. The guidance covers concrete patterns, from SCPs, RCPs and policy-as-code in CI/CD to automated remediation via Lambda and Systems Manager, to scale governance, reduce findings, and shorten remediation time.
Fri, September 19, 2025
AWS Organizations SCPs Now Support Full IAM Language
🔐 AWS announced that AWS Organizations service control policies (SCPs) now support the full IAM policy language, adding features such as NotAction, NotResource, resource-level Allow statements, conditions in Allow, and more flexible action wildcards. The update is available across AWS commercial and GovCloud (US) Regions. These changes simplify permission models, reduce prior workarounds (such as tagging-based exceptions), and make SCPs more expressive and concise. AWS recommends careful wildcard use and continuing to prefer explicit Deny statements for robust controls.
Fri, September 19, 2025
AWS Organizations Adds Full IAM Policy Language to SCPs
🔐 AWS Organizations now supports the full IAM policy language for service control policies (SCPs), allowing administrators to use conditions, individual resource ARNs, and the NotAction element with Allow statements. You can also apply wildcards at the beginning or middle of Action strings and use the NotResource element for finer scoping. These enhancements let teams create more concise and precise organizational guardrails to enforce least-privilege across accounts. The change is backward compatible and available in all AWS commercial and AWS GovCloud (US) Regions.
Wed, September 17, 2025
CloudWatch Cross-Account Cross-Region Log Centralization
🔁 Amazon CloudWatch now supports cross-account, cross-region log centralization, allowing customers to copy log data from multiple AWS accounts and regions into a single destination account and integrate with AWS Organizations. Copied log events are enriched with new system fields (@aws.account and @aws.region) to preserve source context, and administrators can scope rules to the entire organization, selected OUs, or specific accounts. The feature supports selective log-group copying, automatic merging of same-named groups, optional backup-region copies, and includes one free centralized copy with additional copies billed at $0.05/GB.
Mon, September 15, 2025
AWS Organizations adds Account State field for members
🛈 AWS Organizations introduces a new State field in the console and APIs (DescribeAccount, ListAccounts, ListAccountsForParent) to provide more granular lifecycle visibility for member accounts. The console Status field has been replaced by State, while both Status and State remain available in APIs until September 9, 2026. New state values include SUSPENDED, PENDING_CLOSURE, and CLOSED (within the 90-day reinstatement window). Customers should update account vending pipelines and governance integrations to reference State before the Status deprecation date.
Thu, August 28, 2025
AWS Adds VPC Endpoint Organization-Based Policy Keys
🔐 AWS introduced three new global IAM condition keys—aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID—to simplify network-origin access controls across multiple accounts and OUs. These keys let administrators restrict resource access based on the account, organizational unit path, or organization that owns the VPC endpoint used for a request, reducing the need to enumerate VPC or VPC endpoint IDs. Example use cases include S3 bucket policies and centrally applied RCPs or SCPs to enforce corporate network perimeters and intra-organization segmentation; adoption depends on service support and testing prior to production rollout.