AWS Organizations - AskJ1 Community
<main> <article class="userContent">
<p>JupiterOne can ingest every AWS account managed by AWS Organizations from a single integration configured on the organization's master account.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/9ZE9WVTPNG2D/aws-organizations-configure-checkbox.png" alt="aws-organizations-configure-checkbox" /></p>
<h2 data-id="organizations-setup">Organizations Setup</h2>
<p>Before selecting the checkbox, make sure that every AWS account in the organization is configured with the same JupiterOne IAM role, policies, and external trust ID. If you manage your AWS environment with Terraform, setup instructions are provided in the JupiterOne app under AWS Setup Instructions.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/V60RD8YAS63K/aws-organizations-terraform-setup.png" alt="aws-organizations-terraform-setup" /></p>
<p>For more detailed instructions, see <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/984-aws-faqs">How can I add/configure all the sub-accounts in my AWS Organization?</a> in the AWS Specific Questions article. Once all sub-accounts are configured correctly in AWS, checking the <em>Configure Organization Accounts</em> option pulls data for each sub-account into your JupiterOne account.</p>
<p>To exclude an AWS account, assign the tag <code>j1-integration:SKIP</code> to that account within AWS Organizations. See the question <a rel="nofollow" href="https://jupiterone.vanillacommunities.com/kb/articles/984-aws-faqs">How can I skip certain sub-accounts when auto-configuring my AWS Organization?</a></p>
<h3 data-id="account-email-address-property">Account Email Address Property</h3>
<p>The CIS Benchmark expects a contact email to be associated with each AWS account so that someone can be reached in the event of a breach or security compromise. The <code>email</code> property of an <code>aws_account</code> is only ingested when the AWS integration configuration for the master account has auto-configuration of AWS Organization accounts enabled.</p>
<p>If an incorrect or unexpected email address is tied to an AWS account, refer to the AWS article <a rel="nofollow" href="https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/">How do I change the email address that's associated with my AWS account?</a></p>
<h2 data-id="properties">Properties</h2>
<p>The following properties are created on the master account and on each sub-account:</p>
<table><thead><tr><th>Property</th><th>Description</th></tr></thead><tbody>
<tr><td><code>accountId</code></td><td>The unique identifier (ID) of the account</td></tr>
<tr><td><code>active</code></td><td>True when the account status is ACTIVE, otherwise false</td></tr>
<tr><td><code>arn</code></td><td>The Amazon Resource Name (ARN) of the account</td></tr>
<tr><td><code>displayName</code></td><td>The friendly name of the account (multiple values)</td></tr>
<tr><td><code>email</code></td><td>The email address associated with the AWS account</td></tr>
<tr><td><code>id</code></td><td>The unique identifier (ID) of the account</td></tr>
<tr><td><code>joinedMethod</code></td><td>The method by which the account joined the organization</td></tr>
<tr><td><code>joinedOn</code></td><td>The date the account became a part of the organization</td></tr>
<tr><td><code>name</code></td><td>The friendly name of the account</td></tr>
<tr><td><code>orgAccountArn</code></td><td>The ARN of this account within the organization</td></tr>
<tr><td><code>orgAccountName</code></td><td>The name of this account as seen in the Organizations UI</td></tr>
<tr><td><code>status</code></td><td>The status of the account in the organization</td></tr>
</tbody></table>
<h2 data-id="relationships">Relationships</h2>
<p>The following relationship is mapped:</p>
<table><thead><tr><th>Relationship</th></tr></thead><tbody>
<tr><td><code>aws_account</code> (master) <strong>HAS</strong> <code>aws_account</code> (sub-account)</td></tr>
</tbody></table>
</article> </main>
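<p>As an added example (not JupiterOne's own integration code), the following Python turns an AWS Organizations account listing into the <code>aws_account</code> properties and the master <strong>HAS</strong> sub-account relationship described above, honours the <code>j1-integration:SKIP</code> tag, and flags accounts that lack the contact email the CIS Benchmark expects. It assumes the tag is stored as key <code>j1-integration</code> with value <code>SKIP</code>, that the master account is never skipped, and it uses constructed sample data shaped like boto3's <code>list_accounts</code> / <code>list_tags_for_resource</code> responses instead of live AWS calls.</p>

```python
from datetime import datetime, timezone

SKIP_TAG = ("j1-integration", "SKIP")  # assumed key/value split of the page's j1-integration:SKIP tag

def account_entity(acct: dict) -> dict:
    """Map one Organizations account record onto the aws_account properties listed above."""
    joined = acct.get("JoinedTimestamp")
    return {
        "accountId": acct["Id"], "id": acct["Id"],
        "arn": acct["Arn"], "orgAccountArn": acct["Arn"],
        "name": acct["Name"], "orgAccountName": acct["Name"], "displayName": [acct["Name"]],
        "email": acct.get("Email"),  # only ingested when the org-wide checkbox is enabled
        "status": acct["Status"], "active": acct["Status"] == "ACTIVE",
        "joinedMethod": acct["JoinedMethod"], "joinedOn": joined.isoformat() if joined else None,
    }

def is_skipped(tags: list) -> bool:
    """True when the account carries the opt-out tag."""
    return any((t["Key"], t["Value"]) == SKIP_TAG for t in tags)

def plan_ingestion(master_id: str, accounts: list, tags_by_id: dict) -> dict:
    """Choose which accounts become entities, build master HAS sub-account relationships,
    and flag accounts with no contact email (the CIS Benchmark expectation above)."""
    plan = {"entities": [], "relationships": [], "skipped": [], "missing_email": []}
    for acct in accounts:
        # The master account hosts the integration, so it is never skipped (assumption).
        if acct["Id"] != master_id and is_skipped(tags_by_id.get(acct["Id"], [])):
            plan["skipped"].append(acct["Id"])
            continue
        ent = account_entity(acct)
        plan["entities"].append(ent)
        if not ent["email"]:
            plan["missing_email"].append(acct["Id"])
        if acct["Id"] != master_id:
            plan["relationships"].append((master_id, "HAS", acct["Id"]))
    return plan

# Constructed sample data in the shape of boto3's organizations list_accounts() and
# list_tags_for_resource() responses; not captured from a real organization.
ARN = "arn:aws:organizations::111111111111:account/o-exampleorgid/{0}"
def _acct(id_, name, status, method, email=None, joined=None):
    return {"Id": id_, "Arn": ARN.format(id_), "Name": name, "Status": status,
            "JoinedMethod": method, "Email": email, "JoinedTimestamp": joined}
SAMPLE_ACCOUNTS = [
    _acct("111111111111", "master", "ACTIVE", "INVITED", "cloud-sec@example.com", datetime(2020, 1, 15, tzinfo=timezone.utc)),
    _acct("222222222222", "prod", "ACTIVE", "CREATED", "prod@example.com", datetime(2021, 6, 1, tzinfo=timezone.utc)),
    _acct("333333333333", "sandbox", "ACTIVE", "CREATED", "sandbox@example.com"),
    _acct("444444444444", "legacy", "SUSPENDED", "INVITED"),  # no contact email on record
]
SAMPLE_TAGS = {"333333333333": [{"Key": "j1-integration", "Value": "SKIP"}]}
```

Running <code>plan_ingestion("111111111111", SAMPLE_ACCOUNTS, SAMPLE_TAGS)</code> skips the tagged sandbox account, links the remaining sub-accounts to the master, and reports the suspended account as missing a contact email.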