Enable All Features

Risk Level: Medium (should be achieved)

Rule ID: Organizations-002

Ensure that All Features is enabled within your Amazon Organizations to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). An SCP is a type of organization control policy that can be used to restrict what users and even administrators can do in affected AWS accounts. For example, the master account from an organization can apply SCPs that can prevent member accounts from leaving the organization. A Service Control Policy is similar to an IAM access policy except the SCP does not grant any access permissions but instead it acts like a filter that allows only the specified services and actions to be used within the organization. SCPs make use of whitelisting and blacklisting methods to filter the permissions that are available to member accounts. When whitelisting is used, you can explicitly specify the access that is allowed and all other access is implicitly blocked. When blacklisting is used, you can explicitly specify the access that is not allowed and all other access is granted.

This rule can help you with the following compliance standards:

APRA
MAS
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

To demonstrate how AWS Organizations Permission Model and SCPs work, please consider the following example:
To make sure that only the given set of services is accessible within your AWS account you should create an "Allow" policy using whitelisting to grant access only to the necessary services (in this case AWS EC2, RDS, S3, Glacier and DynamoDB). To keep this example simple, you can attach a "Corporate" Service Control Policy (SCP) to your entire organization and assign it to the root. As the root is the top element of an organization’s tree, SCPs applied to the tree apply to every member/linked account within the organization.
Now create a "Production" Organizational Unit (OU) to place the member/linked accounts. All these accounts should have two SCPs, named "CloudConformity Company" and "Corporate", applied to them. In this example, SCPs apply the more restrictive intersection of the two policies to the member accounts within "Production" OU. If the "CloudConformity Company" SCP allows EC2, RDS, S3, Glacier, DynamoDB, Lambda, Redshift and Kinesis, the policy application for accounts in the "Production" OU would be the intersection, as shown in this chart.
The accounts in the "Production" OU have both the "CloudConformity Company" SCP and the "Corporate" SCP applied to them. The intersection of the two policies applies, so these member accounts have access to EC2, RDS, S3, Glacier and DynamoDB. Because Amazon Lambda, Redshift and Kinesis are not within the "Corporate" SCP, the linked accounts in the "Production" OU are not allowed to access them.
In conclusion, you have an extra layer of protection, limiting the accounts within your organization to only those AWS services that are compliant with "Corporate" regulations.
Note 1: If you previously signed up for Consolidated Billing feature using the AWS Billing and Cost Management service, your Consolidated Billing account family has been migrated automatically to a new organization within AWS Organizations. As this new organization, created automatically by AWS, has just the Consolidated Billing features set enabled, this conformity rule demonstrates how to enable All Features set so that your organization can provide Consolidated Billing capabilities plus advanced policy-based management through Service Control Policies (SCPs).Note 2: The migration from Consolidated Billing features set to All Features set within an organization is one-way and switching back to Consolidated Billing features only is not currently supported.With All Features enabled, you can apply Service Control Policies (SCPs) to limit what the member accounts in your organization can do, as well as create, manage and pay for the organization’s accounts through Consolidated Billing.

Audit

To check if your AWS organizations have All Features set enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using your master account credentials.

02 Navigate to AWS Organizations home page at https://console.aws.amazon.com/organizations/.

03 Click the Settings link from the dashboard top-right menu to access the organization configuration page.

04 Within the Organization feature set section, check the features set currently enabled (highlighted):

If the "ENABLE ONLY CONSOLIDATED BILLING" box is highlighted and the Organization feature set description starts with "Your organization currently supports consolidated billing only.", the selected AWS organization is not using All Features set, instead only the Consolidate Billing functionality is available.

Using AWS CLI

01 Run describe-organization command (OSX/Linux/UNIX) with custom query filters to expose the features set currently enabled for the organization that the current AWS account belongs to. This command can be called from any AWS account (Member or Master) within an organization:

aws organizations describe-organization
	--query "Organization.FeatureSet"

02 The command output should return the name of the features set enabled for the current organization:

"CONSOLIDATED_BILLING"

If the command output returns "CONSOLIDATED_BILLING" instead of "ALL" (as shown in the example above), the selected AWS organization is using the Consolidate Billing features set instead of All Features set, therefore the control over the member accounts available within the organization using SCPs is not possible.

Remediation / Resolution

To enable All Features set for your AWS organization and attach Service Control Policies (SCPs) to your member accounts and Organizational Units (OUs), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using your master account credentials.

02 Navigate to AWS Organizations home page at https://console.aws.amazon.com/organizations/.

03 Click the Settings link from the dashboard top-right menu to access the configuration page for the existing organization.

04 Within the Organization feature set section, click Begin process to enable all features option and its confirmation button to start the activation process. Once the request is send, the following message is displayed: "The process to enable all features has started. After all member accounts approve the request, you can finalize the process and enable all features."

05 Once the process to enable All Features is started, AWS Organizations service sends a request to every member account within your organization. To view the status of the request, click View all feature request approval status. The All feature request approval status page displays the current request status for each member account in your organization. Accounts that have agreed to the request have a green check mark assigned and show the Acceptance date. Member accounts that have not yet agreed have a red icon assigned and show the date that the request was sent with a status of Pending. If an account does not approve enabling all features, you can select the account in the Account progress page and remove it by selecting Remove. This cancels the request for the selected account and removes that account from your organization, eliminating the blocker to enabling All Features set.

06 After all invited AWS member accounts approve your request (or if there are no invited member accounts yet within the organization), the All feature request approval status page indicates with a green confirmation banner that you can finalize the process by using the Finalize process to enable all features button:

07 Inside Finalize process to enable all features dialog box, click Finalize process to enable all features to confirm the action. The Organization feature set section status should change now to "Your organization has all features enabled. This allows you to apply service control policies (SCPs) to limit what the accounts in the organization can do as well as create, manage and pay for the organization’s accounts through consolidated billing."

08 Now that the All Features set is enabled, you can begin to create the necessary Service Control Policies (SCPs). To define and implement SCPs for your organization root or Organizational Unit, follow the steps outlined within this conformity rule.

Using AWS CLI

01 Run enable-all-features command (OSX/Linux/UNIX) to enable All Features set for your current AWS organization (i.e. the organization that the current AWS master account belongs to). This enables the use of organization SCPs that can restrict the services and actions that can be requested in each member account. Until you enable All Features set, you have access only to Consolidated Billing features, and you cannot use any of the advanced account administration features that AWS Organizations service supports. Executing this command sends a handshake to every invited member account within the organization. The feature set change from Consolidated Billing to All Features can be finalized only after all account owners approve the change by accepting the handshake:

aws organizations enable-all-features

02 The command output should return details about the handshake that is created to support the request to enable All Features set:

{
    "Handshake": {
        "Id": "h-631fa74535474bb397900cf34338ab430",
        "State": "REQUESTED",
        "Resources": [
            {
                "Type": "ORGANIZATION",
                "Value": "o-3fxroynhp5"
            }
        ],
        "Parties": [
            {
                "Type": "ORGANIZATION",
                "Id": "3fxroynhp5"
            }
        ],
        "Action": "ENABLE_ALL_FEATURES",
        "RequestedTimestamp": 1501527548.414,
        "ExpirationTimestamp": 1509303548.414,
        "Arn": "arn:aws:organizations::123456789012:handshake/o-3fxroynhp5/enable_all_features/h-631fa74535474bb397900cf34338ab430"
    }
}

03 Run accept-handshake command (OSX/Linux/UNIX) to send a response to the originator of a handshake performed at the previous step and identified by the ID "h-631fa74535474bb397900cf34338ab430", agreeing to the action proposed by the handshake request:

aws organizations accept-handshake
	--handshake-id h-631fa74535474bb397900cf34338ab430

04 The command output should return the handshake response metadata:

{
    "Handshake": {
        "Id": "h-631fa74535474bb397900cf34338ab430",
        "State": "ACCEPTED",
        "Resources": [
            {
                "Type": "ORGANIZATION",
                "Value": "o-3fxroynhp5"
            }
        ],
        "Parties": [
            {
                "Type": "ORGANIZATION",
                "Id": "3fxroynhp5"
            }
        ],
        "Action": "ENABLE_ALL_FEATURES",
        "RequestedTimestamp": 1501528110.451,
        "ExpirationTimestamp": 1509304110.451,
        "Arn": "arn:aws:organizations::575392585563:handshake/o-3fxroynhp5/enable_all_features/h-631fa74535474bb397900cf34338ab430"
    }
}

05 After all member accounts within your organization approve your request and the All Features set is enabled, you can start to create the necessary Service Control Policies (SCPs). To define and implement SCPs for your organization root or Organizational Unit, follow the steps outlined within this conformity rule.

References

AWS Command Line Interface (CLI) Documentation
organizations
describe-organization
enable-all-features
accept-handshake

Publication date Jul 19, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable All Features

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Organizations rules