
# AWS\_IN\_ORGANIZATION

## Summary

|                                |                                                                                                |
| ------------------------------ | ---------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**        | AWS\_IN\_ORGANIZATION                                                                          |
| **Edge Type**                  | Relationship                                                                                   |
| **Affected Object Types**      | AWS Accounts, AWS Organizations                                                                |
| **Exploitation Certainty**     | Certain                                                                                        |
| **AWS IAM Action / Condition** | Relationship visibility via `organizations:DescribeOrganization`, `organizations:ListAccounts` |

## Description

`AWS_IN_ORGANIZATION` represents that an AWS account is a member of an AWS Organization.

AWS Organizations is a management service that allows grouping multiple AWS accounts under a single management account. The organization provides centralized governance through:

* **Service Control Policies (SCPs)**: Permission guardrails applied at the organization, OU, or account level. SCPs define the maximum permissions any identity in a member account can exercise — even if IAM policies in that account would otherwise allow an action, an SCP can deny it.
* **Organization ID (`o-xxxx`)**: Used as a condition value in IAM and resource-based policies via `aws:PrincipalOrgID`, enabling trust relationships scoped to all accounts within the organization without listing each account individually.
* **Management account**: The account that created the organization. It has full authority to apply SCPs, invite and remove member accounts, and register delegated administrators for other services. Critically, the management account itself is **not subject to SCPs** — any identity with sufficient IAM permissions in the management account is effectively unrestricted at the organization level.

This edge is not directly exploitable on its own, but it is essential for understanding the full scope of an attack:

* Identifying that a compromised account is in an organization reveals whether SCP restrictions may silently block IAM-permitted actions.
* Knowing the management account's identity reveals the highest-impact target — compromise of the management account can affect all member accounts.
* The `aws:PrincipalOrgID` condition is frequently used to grant broad cross-account trust to all org members — an attacker with any foothold inside the organization may inherit that trust.

## Identification

### AWS CLI

Retrieve organization details (requires `organizations:DescribeOrganization`). Unlike the commands that follow, this call is accepted from any member account, so it is the first thing to try from a compromised account: it returns the organization ID and the management account's ID and e-mail even when nothing else in the Organizations API is reachable.

```bash
aws organizations describe-organization \
  --query 'Organization.{Id:Id,MasterAccountId:MasterAccountId,MasterAccountEmail:MasterAccountEmail}'
```

List all accounts in the organization (this and the remaining Organizations calls succeed only from the management account or from a delegated administrator account; from an ordinary member account they fail with `AccessDeniedException`):

```bash
aws organizations list-accounts \
  --query 'Accounts[*].{Id:Id,Name:Name,Status:Status,Email:Email}' \
  --output table
```

List the organizational unit (OU) structure:

```bash
# Get root ID first
ROOT_ID=$(aws organizations list-roots --query 'Roots[0].Id' --output text)

# List OUs under root
aws organizations list-organizational-units-for-parent \
  --parent-id $ROOT_ID \
  --query 'OrganizationalUnits[*].{Id:Id,Name:Name}'
```

Find which OU an account belongs to:

```bash
aws organizations list-parents \
  --child-id 123456789012 \
  --query 'Parents[*].{Id:Id,Type:Type}'
```

List SCPs attached to the organization root (affects all accounts):

```bash
aws organizations list-policies-for-target \
  --target-id $ROOT_ID \
  --filter SERVICE_CONTROL_POLICY \
  --query 'Policies[*].{Id:Id,Name:Name}'
```
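The commands above return the raw pieces (parents, attached policies); an account's effective SCP set is the union of what is attached at every level from the account up to the root, and an action passes only if every level allows it and none denies it. The script below is an added example, not FSProtect's code, that applies those rules. The organization tree, account IDs and policy documents are constructed fixtures standing in for the JSON the CLI calls return, so it runs offline; only `Action`/`NotAction` matching is implemented, and `Resource` is ignored because SCPs use `*`.

```python
"""Added example: compute the SCPs that apply to a member account and decide
whether an action survives them. All IDs and policies below are constructed."""
import fnmatch

# Constructed IDs; replace with values from describe-organization and list-roots.
MANAGEMENT_ACCOUNT_ID = "111111111111"
ROOT_ID = "r-exam"

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DENY_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    # Unconditional deny: blocks the action regardless of request context.
    {"Sid": "ProtectLoggingAndMembership", "Effect": "Deny",
     "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging"],
     "Resource": "*"},
    # Conditional deny: outcome depends on the request, so it is only flagged.
    {"Sid": "RegionLock", "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
]}

# child id -> parent id, as list-parents reports for each node (constructed).
PARENTS = {"123456789012": "ou-exam-sandbox", "ou-exam-sandbox": ROOT_ID}

# target id -> SCP documents attached there, as list-policies-for-target plus
# describe-policy would give. AWS never lets a target have zero SCPs.
ATTACHED = {
    ROOT_ID: [FULL_AWS_ACCESS],
    "ou-exam-sandbox": [FULL_AWS_ACCESS, DENY_GUARDRAILS],
    "123456789012": [FULL_AWS_ACCESS],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports "*" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def statement_effect(stmt, action):
    """Return 'Allow', 'Deny' or None depending on whether stmt covers action."""
    if "Action" in stmt:
        hit = _matches(action, stmt["Action"])
    else:
        hit = not _matches(action, stmt.get("NotAction", []))
    return stmt["Effect"] if hit else None


def level_verdict(policies, action):
    """SCP evaluation at one target: the action passes only if some statement
    allows it and no unconditional statement denies it. Conditional denies are
    returned separately because their outcome depends on request context."""
    allowed, conditional = False, []
    for policy in policies:
        for stmt in policy["Statement"]:
            effect = statement_effect(stmt, action)
            if effect == "Deny":
                if "Condition" in stmt:
                    conditional.append(stmt.get("Sid", "<unnamed>"))
                else:
                    return "Deny", conditional
            elif effect == "Allow":
                allowed = True
    return ("Allow" if allowed else "Deny"), conditional


def scp_chain(account_id):
    """Walk account -> OU(s) -> root, the path SCP inheritance follows."""
    chain, node = [], account_id
    while node is not None:
        chain.append(node)
        node = PARENTS.get(node)
    return chain


def scp_allows(account_id, action):
    """Allowed only if every level in the chain allows the action. The
    management account is exempt from SCPs entirely; the result says so."""
    if account_id == MANAGEMENT_ACCOUNT_ID:
        return {"allowed": True, "denied_at": [], "conditional": [], "exempt": True}
    denied_at, conditional = [], []
    for target in scp_chain(account_id):
        verdict, cond = level_verdict(ATTACHED.get(target, []), action)
        conditional += [f"{target}:{sid}" for sid in cond]
        if verdict == "Deny":
            denied_at.append(target)
    return {"allowed": not denied_at, "denied_at": denied_at,
            "conditional": conditional, "exempt": False}


if __name__ == "__main__":
    for action in ("s3:GetObject", "organizations:LeaveOrganization", "ec2:RunInstances"):
        print(action, scp_allows("123456789012", action))
```

Feed it real data by replacing `PARENTS` and `ATTACHED` with the output of `list-parents` (called once per node until a root `r-` ID is reached) and `list-policies-for-target` plus `describe-policy` for each target. A `conditional` entry means the deny applies only in some contexts, for example outside an allowed region, which is exactly the case an attacker probes for.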

### AWS Console

1. Open **AWS Organizations** (must be in management account or a delegated admin account).
2. **Accounts** view shows all member accounts, their IDs, emails, and OU placement.
3. **Policies** → **Service control policies** shows what SCPs are active and at which level they are attached.
4. The **Organization structure** tree view shows the OU hierarchy and SCP inheritance at each level.

## Exploitation

There is no direct exploit path for this edge. `AWS_IN_ORGANIZATION` represents a structural membership relationship.

However, this edge is high-value for attack path analysis:

* **SCP enumeration**: If an attacker can call `organizations:ListPoliciesForTarget` and `organizations:DescribePolicy`, they can map exactly which actions SCPs block and avoid the `AccessDenied` errors, each of them logged to CloudTrail, that probing blindly would generate.
* **Management account targeting**: The management account is not subject to SCPs. If an attacker can pivot into it (for example through a role in the management account whose trust policy names a principal the attacker already controls, or through a service with cross-account access), every organizational guardrail stops applying to them.
* **`aws:PrincipalOrgID` abuse**: If a resource policy uses `aws:PrincipalOrgID` as the only trust condition, any identity within the organization — including a low-privilege user in a sandbox account — can access that resource.

## Mitigation

* Restrict access to `organizations:*` actions to a minimal set of administrative roles in the management account.
* Do not use `aws:PrincipalOrgID` alone as a trust condition for sensitive resources — combine it with account-level or role-level restrictions.
* SCPs do not restrict the management account even when it is placed in an OU that has SCPs attached, so treat it as an account with no guardrails: keep workloads and day-to-day human access out of it, and rely on detective controls (CloudTrail, GuardDuty) there.
* Enable AWS Config organization-wide to maintain visibility into resource configuration across all member accounts.
* Use delegated administrator accounts for services like Security Hub, GuardDuty, and Config rather than performing management tasks directly from the management account.
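The `aws:PrincipalOrgID` point in the Exploitation section and the corresponding mitigation above are easy to check mechanically. The script below is an added example, not FSProtect's code: it flags `Allow` statements whose principal is a wildcard and whose only principal restriction is the organization ID, and shows the weak policy next to a hardened one. The bucket name, organization ID and role ARN are constructed.

```python
"""Added example: find resource-policy statements whose only trust boundary is
aws:PrincipalOrgID. All identifiers and policy documents are constructed."""

ORG_ID = "o-exampleorgid"                                    # constructed
READER_ROLE = "arn:aws:iam::222222222222:role/DataReader"   # constructed

# Weak: every identity in every member account, sandboxes included, can read.
WEAK_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgWideRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-shared-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]}

# Hardened: org membership stays as a guardrail, and the role is pinned as well.
HARDENED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DataReaderOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-shared-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                  "ArnEquals": {"aws:PrincipalArn": READER_ROLE}}}]}

# Keys that narrow a wildcard principal to specific accounts or principals.
NARROWING_KEYS = {"aws:principalaccount", "aws:principalarn",
                  "aws:sourceaccount", "aws:sourcearn"}
# Keys that only scope to the organization (or an OU path inside it).
ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}


def _condition_keys(stmt):
    # Condition is {operator: {key: value}}; collect the keys, case-folded.
    return {key.lower() for operator in stmt.get("Condition", {}).values() for key in operator}


def _principal_is_wildcard(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])


def audit(policy):
    """One finding per Allow statement that trusts the whole organization, or
    everyone when nothing narrows the wildcard principal at all."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt):
            continue
        keys = _condition_keys(stmt)
        if keys & NARROWING_KEYS:
            continue                      # pinned to an account or principal
        if keys & ORG_KEYS:
            reason = "org-wide: organization membership is the only principal restriction"
        else:
            reason = "public: wildcard principal with no principal restriction"
        findings.append({"sid": stmt.get("Sid"), "actions": stmt.get("Action"), "reason": reason})
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)):
        print(name, audit(policy))
```

Run it over the `Policy` field returned by `aws s3api get-bucket-policy`, `aws kms get-key-policy`, `aws sqs get-queue-attributes` and similar calls after `json.loads`. A finding with reason `org-wide` is exactly the case where a foothold in any member account inherits the trust.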

## Detection

Organization membership changes are infrequent but high-impact. Monitor CloudTrail in the management account for:

* `CreateAccount`, `InviteAccountToOrganization`: new accounts joining the org
* `RemoveAccountFromOrganization`: accounts being removed by the management account
* `LeaveOrganization`: a member account removing itself; this call is issued from the member account, so it also appears in that account's own trail
* `AttachPolicy`, `DetachPolicy`, `UpdatePolicy`: SCP changes that could expand or restrict permissions
* `CreateOrganizationalUnit`, `DeleteOrganizationalUnit`, `MoveAccount`: structural changes that alter which SCPs an account inherits

```bash
# Organizations is a global service: its CloudTrail events are recorded in
# us-east-1. lookup-events only covers the last 90 days; use the org trail
# in S3 for anything older.
aws cloudtrail lookup-events \
  --region us-east-1 \
  --lookup-attributes AttributeKey=EventSource,AttributeValue=organizations.amazonaws.com \
  --query 'Events[*].{Time:EventTime,Actor:Username,Event:EventName}' \
  --output table
```

SCP modification events are especially sensitive: detaching a deny guardrail, or weakening it with `UpdatePolicy`, silently expands what every identity under the affected OU can do, with no change to any member account's own IAM policies.
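The `lookup-events` output above is a flat list; what a responder wants is the Organizations events ranked by impact, with failed attempts kept visible, since an `AccessDenied` on `LeaveOrganization` from a member account is often an SCP catching an attacker. The script below is an added example, not FSProtect's code. Its input is a constructed NDJSON sample standing in for records from an organization trail; the account IDs, ARNs and policy IDs are invented, and the records are trimmed to the fields used.

```python
"""Added example: triage CloudTrail records from the Organizations event
source. SAMPLE_LOG is constructed; real records come from the org trail."""
import json

# Events that weaken guardrails or membership versus ones that change structure.
HIGH_IMPACT = {"DetachPolicy", "UpdatePolicy", "DeletePolicy", "DisablePolicyType",
               "RemoveAccountFromOrganization", "LeaveOrganization",
               "DeleteOrganizationalUnit"}
STRUCTURAL = {"AttachPolicy", "CreatePolicy", "CreateAccount",
              "InviteAccountToOrganization", "CreateOrganizationalUnit",
              "MoveAccount", "RegisterDelegatedAdministrator"}

SAMPLE_LOG = "\n".join([  # constructed records, one JSON object per line
    '{"eventTime": "2024-05-01T10:00:00Z", "eventSource": "organizations.amazonaws.com", '
    '"eventName": "DetachPolicy", "awsRegion": "us-east-1", '
    '"userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"}, '
    '"requestParameters": {"policyId": "p-exampleguard", "targetId": "ou-exam-sandbox"}}',
    '{"eventTime": "2024-05-01T10:02:00Z", "eventSource": "organizations.amazonaws.com", '
    '"eventName": "LeaveOrganization", "awsRegion": "us-east-1", '
    '"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}, '
    '"errorCode": "AccessDeniedException", '
    '"errorMessage": "not authorized to perform organizations:LeaveOrganization with an explicit deny in a service control policy"}',
    '{"eventTime": "2024-05-01T10:05:00Z", "eventSource": "organizations.amazonaws.com", '
    '"eventName": "CreateAccount", "awsRegion": "us-east-1", '
    '"userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"}, '
    '"requestParameters": {"accountName": "sandbox-07"}}',
    '{"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com", '
    '"eventName": "CreateUser", "awsRegion": "us-east-1", '
    '"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}, '
    '"requestParameters": {"userName": "svc"}}',
])


def parse_records(ndjson):
    """One CloudTrail record per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def triage(records):
    """Keep Organizations events only, rank them, and mark failed attempts."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        name = rec["eventName"]
        if name in HIGH_IMPACT:
            severity = "high"
        elif name in STRUCTURAL:
            severity = "medium"
        else:
            continue                      # read-only calls such as ListAccounts
        findings.append({
            "time": rec["eventTime"],
            "event": name,
            "severity": severity,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "params": rec.get("requestParameters"),
            "failed": "errorCode" in rec,  # an SCP or IAM deny stopped it
        })
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG)):
        flag = "FAILED " if f["failed"] else ""
        print(f"{f['severity']:6} {flag}{f['time']} {f['event']} by {f['actor']} {f['params'] or ''}")
```

Point `parse_records` at the gunzipped objects an organization trail writes to S3 (each file holds a `Records` array rather than NDJSON, so take `json.load(f)["Records"]` there). Anything `high` touching a `targetId` that covers production OUs should page someone; a `FAILED` `LeaveOrganization` from a member account tells you both that the guardrail held and which principal tried.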

## References

* <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html>
* <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html>
* <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid>
* <https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html>
* <https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-organizations-enum/index.html>
* <https://securitylabs.datadoghq.com/articles/aws-organizations-overview-for-security-practitioners/>

