ACM.363 Complications when querying organizational data from AWS child accounts
Part of my series on Automation of cybersecurity measures. AWS Organizations. Deploy a static website. THE Coded.
Free content on Cybersecurity Jobs | Register at Broadcast list
In the last article, I created a directory structure for CloudFormation templates based on the CloudFormation documentation.
In this article I’m thinking of moving my templates to deploy SSM settings, but first I’ll explain how I would prefer to implement my environment and my organization name, if I could.
Remember that I want to create environments and each account in the environment will have three SSM settings:
org
env
adminaccount
I started thinking about it a little more and actually, environment is the name of OU. For my sample accounts I worked with, the environment name is sandbox and I place the accounts in a sandbox OU. The name of the OU is (org)-(ouname). So for now I’m thinking I could just allow roles to query their own OU to get these values. To get the parents for an identifier, we can use the list-parents command.
But when you run this command you get something like this with no name, which is not ideal. It would be easier if it returned a name instead.
To get the name, we need to run a second command:
