

# Use a web UI to view resource-based policy dependencies for your AWS Organizations AWS accounts
<a name="solution-overview"></a>

Publication date: *November 2022*. Check the [CHANGELOG.md](https://github.com/aws-solutions/account-assessment-for-aws-organizations/blob/main/CHANGELOG.md) file in the GitHub repository to see all notable changes and updates to the software. The changelog provides a clear record of improvements and fixes for each version.

This solution allows customers to better understand [AWS Organizations](https://aws.amazon.com/organizations/) dependencies by finding [trusted access enabled](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) AWS services, delegated admin accounts, and identity-based, resource-based and service control policies.

Businesses are increasing their adoption of AWS Organizations to easily create accounts, allocate resources, group accounts into organizational units (OUs), and apply governance policies to accounts or groups. However, when businesses need to consolidate AWS Organizations or move AWS accounts between AWS Organizations, system administrators are often challenged to clearly understand the business impact of moving an account. Manually evaluating AWS Organizations dependencies can be time consuming, potentially involving reviews of tens or even hundreds of AWS resources in each individual account.

The Account Assessment for AWS Organizations solution performs the following functions:
+ Programmatically scans all AWS accounts in an AWS Organization for identity-based, resource-based and service control policies.
+ Presents scan results in a web user interface (web UI) that tracks resources in your AWS Organization.
+ Enables the user to search through the scanned policies and find conditions, dependencies and specific actions in your policies across your AWS organization.
+ Runs the policy scan daily to keep the information about your policies up to date.

This implementation guide provides an overview of the Account Assessment for AWS Organizations solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the Amazon Web Services (AWS) Cloud.

Use this navigation table to quickly find answers to these questions:


| If you want to . . . | Read . . . | 
| --- | --- | 
|  Know the cost for running this solution. The estimated baseline cost for running this solution in the US East (Northern Virginia) Region is USD \$145 per month, depending on your specific implementation.  |   [Cost](cost.md)   | 
|  Understand the security considerations for this solution.  |   [Security](security.md)   | 
|  Know how to plan for quotas for this solution.  |   [Quotas](quotas.md)   | 
|  Know which AWS Regions are supported for this solution.  |   [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions)   | 
|  View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution.  |   [AWS CloudFormation template](aws-cloudformation-templates.md)   | 
|  Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution.  |   [GitHub repository](https://github.com/aws-solutions/account-assessment-for-aws-organizations)   | 

This guide is intended for solution architects, DevOps engineers, data scientists, and cloud professionals who want to implement the Account Assessment for AWS Organizations solution in their environment.

**Important**  
We designed this solution to aggregate scan findings for customers. This solution does not check the validity or correctness of your underlying resource-based policies. When changing policies to allow account migration to another AWS Organization, we recommend:  
+ Verifying that your policies work as intended before making changes.
+ Using [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) to verify that your policies achieve your required permissions.
+ Reviewing and updating the [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) policy element to meet your security requirements. Do not delete a `Condition` element without reviewing the underlying impact.
+ Engaging with AWS Solutions Architects, Technical Account Managers, and AWS Professional Services to review the AWS Organizations-based dependencies identified by the solution before initiating account migration.

**Note**  
Dependencies outside the scope of this solution can impact the account migration between AWS Organizations (for example, [quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html), resources shared by [AWS Resource Access Manager](https://aws.amazon.com/ram/) [AWS RAM], and service-managed CloudFormation [StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)).

# Features and benefits
<a name="features-and-benefits"></a>

The Account Assessment for AWS Organizations solution provides the following features.

## Access the solution using a web UI
<a name="access-the-solution-using-a-web-ui"></a>

This solution provides a web UI to help you view scan results. For more details, see [Use the solution](use-the-solution.md).

## Identify enabled services with AWS Organizations
<a name="identify-enabled-services-with-aws-organizations"></a>

In your AWS Organization, you can enable more than 30 compatible AWS services to perform operations across all of the AWS accounts. This solution finds enabled services and delegated admin accounts per service (if activated).

## Explore your policies to find actions and conditions
<a name="explore-your-policies-to-find-actions-and-conditions"></a>

This feature allows you to search through all the policies across your AWS Organization to find specific conditions and actions. If an action is deprecated, or you need to remove or update a given action or condition across all accounts or a specific set of accounts, you can quickly find and review the affected policies in the solution's UI and then update them across your environment to meet your needs.

The policies included in the scans are identity-based policies, resource-based policies, and organization-based policies (such as service control policies). The daily scan stores a representation of every policy in your environment in DynamoDB, so you can search through them and find the attributes you are looking for in the solution's web UI.

## Assess IAM policy conditions
<a name="assess-iam-policy-conditions"></a>

The `Condition` policy element lets you use condition keys to specify when a policy is in effect. The [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) `aws:PrincipalOrgID` and `aws:PrincipalOrgPaths` compare the identifier, or the organizational unit path, of the requesting [principal's](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) organization in AWS Organizations with the value specified in the policy. Because that value belongs to one specific organization, any statement that uses these keys is a dependency that stops matching once the account is moved to another organization. This solution scans the conditions in the following types of policies and presents them for your review in the solution's web UI.

### Assume role (trust relationship) conditions
<a name="assume-role-trust-relationship-conditions"></a>

With IAM roles, you can establish trust relationships between your trusting account (the account that owns the resource) and other trusted AWS accounts (the accounts that contain the users that need to access the resource). In the role's trust policy, you can use condition keys to grant `sts:AssumeRole` to any principal in your AWS Organization instead of listing individual accounts.

### Identity-based policy conditions
<a name="identity-based-policy-conditions"></a>

 [Identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) are attached to a user, group, or role. Use these policies to specify permissions for a given identity.

### Resource-based policy conditions
<a name="resource-based-policy-conditions"></a>

 [Resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) are attached to a resource. Use these policies to specify who has access to the resource and what actions they can perform on it. For example, you can attach resource-based policies to [Amazon Simple Storage Service](https://aws.amazon.com/s3/) (Amazon S3) buckets, [Amazon Simple Queue Service](https://aws.amazon.com/sqs/) (Amazon SQS) queues, [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/) (Amazon VPC) endpoints, and [AWS Key Management Service](https://aws.amazon.com/kms/) (AWS KMS) encryption keys.
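The trust-policy, identity-based and resource-based conditions described above all create an Organizations dependency in the same way: the value of an `aws:PrincipalOrgID` or `aws:PrincipalOrgPaths` key belongs to one organization, so the condition stops matching after the account is moved. The following Python is an added example, not code from the Account Assessment solution or its repository, that walks policy documents and reports every statement whose `Condition` uses one of the organization-scoped global condition keys, with a rough classification of what a migration would do to that statement. The sample policies, the organization ID `o-a1b2c3d4e5`, the OU path, and the bucket and role names in it are constructed placeholders.

```python
"""Flag IAM policy statements whose Condition ties them to one AWS Organization.

Added example, not code from the Account Assessment for AWS Organizations
solution. Organization ID, OU path, bucket and role names are placeholders.
"""
import json
from typing import Any

# Global condition keys whose values are an organization ID (o-...) or an OU path
# (o-.../r-.../ou-.../). Assumption for this example: any statement that uses one
# of these keys is treated as an AWS Organizations dependency.
ORG_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths",
    "aws:resourceorgid", "aws:resourceorgpaths",
    "aws:sourceorgid", "aws:sourceorgpaths",
}


def _as_list(value: Any) -> list:
    """IAM accepts a single string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def classify_impact(effect: str, operator: str) -> str:
    """Likely consequence of moving the account to another organization."""
    negated = "Not" in operator  # StringNotEquals, ArnNotLike, ...
    if effect == "Deny" and negated:
        # "Deny unless the caller is in org X": after the move the account's own
        # principals no longer match X, so they are locked out of the resource.
        return "lockout-after-migration"
    if effect == "Allow" and not negated:
        # "Allow any caller in org X": callers that stay in X lose access once
        # the resource owner has left that organization.
        return "cross-account-access-breaks"
    return "review"


def find_org_dependencies(policy: dict) -> list[dict]:
    """Return one finding per (statement, organization condition key)."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        sid = statement.get("Sid", f"Statement[{index}]")
        effect = statement.get("Effect", "")
        for operator, pairs in statement.get("Condition", {}).items():
            for key, values in pairs.items():
                if key.lower() not in ORG_CONDITION_KEYS:  # key names are case-insensitive
                    continue
                findings.append({
                    "sid": sid, "effect": effect, "operator": operator, "key": key,
                    "values": _as_list(values),
                    "impact": classify_impact(effect, operator),
                })
    return findings


def scan_policies(policies: dict[str, dict]) -> dict[str, list[dict]]:
    """Scan a mapping of policy name -> document; keep only policies with findings."""
    report = {}
    for name, document in policies.items():
        hits = find_org_dependencies(document)
        if hits:
            report[name] = hits
    return report


# Constructed sample input: a role trust policy, an S3 bucket policy and an
# identity-based policy, as a scan of one account might collect them.
SAMPLE_POLICIES = {
    "role/shared-reader (trust policy)": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeFromOrg", "Effect": "Allow",
            "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-a1b2c3d4e5"}},
        }],
    },
    "bucket/example-artifacts (bucket policy)": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": "arn:aws:s3:::example-artifacts/*",
             "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-a1b2c3d4e5"}}},
            {"Sid": "AllowWorkloadsOU", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-artifacts/*",
             "Condition": {"ForAnyValue:StringLike": {
                 "aws:PrincipalOrgPaths": ["o-a1b2c3d4e5/r-ab12/ou-ab12-workloads/*"]}}},
        ],
    },
    "policy/DeveloperAccess (identity-based)": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps(scan_policies(SAMPLE_POLICIES), indent=2))
```

Run directly, the script prints the two policies with findings as JSON and omits the identity-based policy, whose only condition (`aws:RequestedRegion`) is not tied to an organization. The `DenyOutsideOrg` statement is the case the Important note above warns about: deleting or loosening that `Condition` is not a safe fix, because the Deny is what keeps the bucket private to the organization. In practice the documents would come from the service APIs that return a resource's policy (for example `aws s3api get-bucket-policy`, or the role's trust policy from `aws iam get-role`), which is the collection the solution's daily scan performs for you.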

The following table provides a list of services supported by this solution.


| AWS service | Policy type | 
| --- | --- | 
|   [Amazon API Gateway](https://aws.amazon.com/api-gateway)   |  Resource-based  | 
|   [AWS Backup](https://aws.amazon.com/backup)   |  Resource-based  | 
|   [AWS CloudFormation](https://aws.amazon.com/cloudformation)   |  Resource-based  | 
|   [AWS CodeArtifact](https://aws.amazon.com/codeartifact)   |  Resource-based  | 
|   [AWS CodeBuild](https://aws.amazon.com/codebuild)   |  Resource-based  | 
|   [AWS Config](https://aws.amazon.com/config)   |  Resource-based  | 
|   [Amazon Elastic Container Registry](https://aws.amazon.com/ecr) (Amazon ECR)  |  Resource-based  | 
|   [Amazon Elastic File System](https://aws.amazon.com/efs) (Amazon EFS)  |  Resource-based  | 
|   [AWS Elemental MediaStore](https://aws.amazon.com/mediastore)   |  Resource-based  | 
|   [Amazon EventBridge](https://aws.amazon.com/eventbridge)   |  Resource-based  | 
|   [AWS Glue](https://aws.amazon.com/glue)   |  Resource-based  | 
|   [AWS Identity and Access Management](https://aws.amazon.com/iam) (IAM)  |  Identity-based  | 
|   [AWS IoT Core](https://aws.amazon.com/iot-core)   |  Resource-based  | 
|   [AWS Key Management Service](https://aws.amazon.com/kms) (AWS KMS)  |  Resource-based  | 
|   [AWS Lambda](https://aws.amazon.com/lambda)   |  Resource-based  | 
|   [Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service)   |  Resource-based  | 
|   [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)   |  Resource-based  | 
|   [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/)   |  Resource-based  | 
|   [Amazon Simple Email Service](https://aws.amazon.com/ses) (Amazon SES)  |  Resource-based  | 
|   [Amazon Simple Notification Service](https://aws.amazon.com/sns) (Amazon SNS)  |  Resource-based  | 
|   [Amazon Simple Queue Service](https://aws.amazon.com/sqs) (Amazon SQS)  |  Resource-based  | 
|   [Amazon Simple Storage Service](https://aws.amazon.com/s3) (Amazon S3)  |  Resource-based  | 
|   [Amazon S3 Glacier](https://aws.amazon.com/s3/storage-classes/glacier/)   |  Resource-based  | 
|   [AWS Systems Manager](https://aws.amazon.com/systems-manager) ([AWS Systems Manager Incident Manager](https://docs.aws.amazon.com/incident-manager/latest/userguide/what-is-incident-manager.html))  |  Resource-based  | 
|   [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc) (Amazon VPC) ([VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-service-consumers))  |  Resource-based  | 
|   [AWS Resource Access Manager](https://aws.amazon.com/ram/) (AWS RAM)  |  Resource-based  | 
|  Amazon EventBridge Schemas  |  Resource-based  | 
|  AWS Systems Manager Incident Manager Contacts  |  Resource-based  | 
|   [Amazon Lex](https://aws.amazon.com/lex/)   |  Resource-based  | 
|  AWS Certificate Manager Private Certificate Authority (ACM PCA)  |  Resource-based  | 

# Use cases
<a name="use-cases"></a>

The following are example use cases for using this solution. You can apply this solution in innovative ways that are not limited to this list.

 **Mergers or acquisitions** 

If you are undergoing a merger or acquisition, you may need to move AWS accounts between multiple AWS Organizations and Organizational Units (OUs) while maintaining existing production workloads and avoiding downtime.

 **Security audits** 

If you are undergoing a security audit, you might want further insight into your AWS accounts, policies, trust relationships, and activated AWS services.

 **Centralized Policy Explorer** 

To evaluate policy compliance and identify security threats, search for actions, resources, effects, or principals. Use this feature to search, filter, review, and identify the policies in your AWS Organization. You can also download the list for sharing purposes.

 **Management account change** 

If you plan to create a new account as your management account and change the existing management account into a member account (for example, if you have production workloads in your management account), you might want visibility into the management account’s existing policies.

# Concepts and definitions
<a name="concepts-and-definitions"></a>

This section describes key concepts and defines terminology specific to this solution: 

 **Identity-based policy** 

Identity-based policies are attached to a user, group, or role. Use these policies to specify permissions for a given identity.

 **Resource-based policy** 

Resource-based policies are attached to a resource. Use these policies to specify who has access to the resource and what actions they can perform on it.

 **Service control policy** 

Service control policies (SCPs) are a type of organization policy used to manage permissions in an organization. SCPs offer central control over the maximum available permissions for all accounts in the organization.

 **Trusted account** 

AWS account that contains the users that need to access the resource.

 **Trusting account** 

AWS account that owns the resource.

 **Principal** 

An entity in AWS that can perform actions and access resources. A principal can be an AWS account owner, a user, or a role.

**Note**  
For a general reference of AWS terms, see the [AWS glossary](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html) in the *AWS General Reference*.