Why am I not using the AWS organizational unit for my environment name | by Teri Radichel | Cloud Security | November 2023


ACM.363 Complications when querying organizational data from AWS child accounts

Part of my series on Automation of cybersecurity measures. AWS Organizations. Deploy a static website. THE Coded.

Free content on Cybersecurity Jobs | Register at Broadcast list

In the last article, I created a directory structure for CloudFormation templates based on the CloudFormation documentation.

In this article I’m thinking of moving my templates to deploy SSM settings, but first I’ll explain how I would prefer to implement my environment and my organization name, if I could.

Remember that I want to create environments and each account in the environment will have three SSM settings:


I started thinking about it a little more and actually, environment is the name of OU. For my sample accounts I worked with, the environment name is sandbox and I place the accounts in a sandbox OU. The name of the OU is (org)-(ouname). So for now I’m thinking I could just allow roles to query their own OU to get these values. To get the parents for an identifier, we can use the list-parents command.

But when you run this command you get something like this with no name, which is not ideal. It would be easier if it returned a name instead.

To get the name, we need to run a second command:

Leave a comment