
Terraform for the Ministry of Justice AWS root account


AWS Root Account


This repository holds infrastructure as code for the Ministry of Justice AWS Organizations root account and for two supporting accounts: organisation-security and organisation-logging.

AWS Organizations

All accounts defined here form part of the MOJ's AWS Organization, allowing us to use certain services for organisational audit, governance, security, and cost optimisation.

Services

| Service | Infrastructure as Code | Managed centrally | Method |
|---|---|---|---|
| Alternate contact information | yes | 〰️ partially (SECURITY contact only) | Trusted access |
| Artifact (security and compliance reports) | no | ✅ yes | no |
| Audit Manager | no | ❌ no | no |
| Backup | no | ❌ no | Delegated to teams |
| CloudFormation StackSets | no | ❌ no | no |
| CloudTrail (Organisational trail) | no | ❌ no | Delegated to teams |
| CloudWatch Events | no | ❌ no | Delegated to teams |
| Compute Optimizer | yes | ✅ yes | Trusted access |
| Config - Multi-account setup | no | ❌ no | Delegated to teams |
| Config - Multi-region, multi-account aggregation | yes | ✅ yes | Trusted access with a delegated administrator |
| Control Tower | no | ❌ no | no |
| Detective | partially | 〰️ partially | Trusted access with a delegated administrator |
| DevOps Guru | no | ❌ no | no |
| Directory Service | no | ❌ no | no |
| Firewall Manager | yes | 〰️ partially (delegated administrator) | Trusted access with a delegated administrator |
| GuardDuty | yes | ✅ yes | Trusted access with a delegated administrator |
| Health (Organisational view) | yes | ✅ yes | Trusted access |
| IAM Access Analyzer (Organisational zone of trust) | yes | ✅ yes | Trusted access with a delegated administrator |
| IAM | no | ❌ no | no |
| Inspector | partially | ✅ yes | Trusted access with a delegated administrator |
| License Manager | yes | ✅ yes | Trusted access with a delegated administrator |
| Macie | no | ❌ no | no |
| Marketplace (License management) | yes | ❌ no | Trusted access |
| Organizations: AI services opt-out policies | yes | ✅ yes | Inheritance |
| Organizations: Service Control Policies | yes | ✅ yes | Inheritance |
| Organizations: Tagging policies | yes | ✅ yes | Inheritance |
| Resource Access Manager (RAM): Organisational sharing | yes | ✅ yes | Trusted access |
| S3 Storage Lens | yes | ✅ yes | Trusted access |
| Security Hub | yes | 〰️ partially | Trusted access with a delegated administrator |
| Service Catalog | no | ❌ no | no |
| Service Quotas | no | ❌ no | no |
| Single Sign-On (SSO) | yes | ✅ yes | Trusted access |
| Systems Manager | no | ❌ no | no |
| Trusted Advisor (Organisational overview) | yes | ✅ yes | Trusted access |
| VPC IP Address Manager (IPAM) | yes | ✅ yes | Trusted access with a delegated administrator |
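The three "Method" values in the table (trusted access, trusted access with a delegated administrator, and inheritance) each map to a small amount of Terraform in the root account. The block below is an added illustration, not code from this repository: it assumes the organisation is declared in the root account, uses GuardDuty as the delegated-administrator example with organisation-security as the administrator (its account ID is a placeholder), and attaches one service control policy at the organisation root so every member account inherits it.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# The organisation, with trusted access enabled for GuardDuty and SSO
# ("Trusted access" rows) and the policy types used by the "Inheritance" rows.
resource "aws_organizations_organization" "this" {
  feature_set = "ALL"
  aws_service_access_principals = [
    "guardduty.amazonaws.com",
    "sso.amazonaws.com",
  ]
  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
    "TAG_POLICY",
    "AISERVICES_OPT_OUT_POLICY",
  ]
}

# Delegated administrator: organisation-security becomes the GuardDuty admin
# for every member account. The account ID below is a placeholder.
resource "aws_guardduty_organization_admin_account" "security" {
  depends_on       = [aws_organizations_organization.this]
  admin_account_id = "111111111111" # placeholder, not a real account
}

# Inheritance: an SCP attached to the organisation root applies to every
# account below it. This one stops a member account leaving the organisation,
# so the central audit and security controls cannot be opted out of.
resource "aws_organizations_policy" "deny_leave_organization" {
  name = "deny-leave-organization"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Deny"
      Action   = "organizations:LeaveOrganization"
      Resource = "*"
    }]
  })
}

resource "aws_organizations_policy_attachment" "deny_leave_root" {
  policy_id = aws_organizations_policy.deny_leave_organization.id
  target_id = aws_organizations_organization.this.roots[0].id
}
```

Services marked "Delegated to teams" in the table have no counterpart here by design: they are configured in each member account rather than from the root.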