AWS Organizational Units Connection

With the AWS Organizational Units (OU) connection, you can automatically synchronize all of your AWS accounts with Drata, eliminating the need to connect each account manually. Learn more about AWS Organizations terminology and concepts.

BEFORE DIVING IN

  • Maximum number of accounts: This connection supports the first 350 accounts detected in your organization. If you have more than 350 accounts, you can try to connect production accounts that are necessary for compliance purposes first. If you would like to connect more than 350 accounts, reach out to your customer success manager.

  • Multiple workspaces: AWS organizational units sync across your workspaces. This connection is not specific to each workspace.

  • SCP region restrictions: If you are using a Service Control Policy (SCP) with region restrictions, specify the allowed regions when setting up this connection.

Prerequisites

DrataAutopilotRole IAM Role: Drata requires an IAM role with specific permissions in every account you want monitored.

Connect AWS Organizational Units

  1. In Drata, go to the Connections page

  2. Select the Available Connections tab, search for AWS, and select Connect.

  3. On the AWS page, enable Using AWS Organizational Unit and then select Create Connections.

The following sections describe in more detail how to connect an AWS Organizational Unit to Drata.

Step 1: Configure settings

  1. Select the workspaces you would like the connection to be made on and the specific configurations you need such as connecting to AWS Identity Center.

  2. Select Next.

Step 2: Connect integration

You can start with either Terraform or CloudFormation. If you are unfamiliar with Terraform, use CloudFormation instead.

Terraform

Depending on the number of sub-accounts in your organization, you may wish to use Terraform to create the required IAM role in bulk.

  1. Download the Drata AWS Org Units script from https://github.com/drata/terraform-aws-drata-autopilot-role.

CloudFormation

  1. Log into your AWS Org management account.

  2. Navigate to CloudFormation.

  3. In the left navigation, navigate to StackSets and select Create StackSet.

  4. You can leave the Permissions and Prerequisite - Prepare template sections at their default settings.

  5. In the Specify template section, select Upload a template file and upload the StackSet template from https://github.com/drata/aws-cloudformation-drata-setup/blob/main/drata_cloudformation_stackset_template.json.

  6. Select Next.

  7. Specify the StackSet details:

    • Enter the name and description for your StackSet details.

    • DrataAWSAccountARN: This should be auto-populated and normally does not need to be changed.

    • RoleSTSExternalID: Navigate back to Drata’s instructions and copy the value of Drata External ID. Then, navigate back to AWS to paste the copied value.

  8. Select Next.

  9. You can leave the default selections for the Configure StackSet options page.

    • You may have to acknowledge that AWS CloudFormation might create IAM resources with custom names.

    • Select Next.

  10. On the Set deployment options page:

    • Under the Specify region section, add and select the regions StackSet should be deployed to. For example, you can select us-west-2 as a region.

    • Under the Deployment options section:

      • Maximum concurrent accounts: Increase this value if the organization has many sub-accounts; it reduces deployment time.

      • Failure Tolerance: Increase this value as well. Entering 1 means that if one account fails deployment, the entire job fails on the remaining accounts. A failure can occur for various reasons, such as an account already having the role applied manually.

  11. Select Next.

  12. On the Review page, review the details of your StackSet and click Submit at the bottom.

The operation takes a number of minutes; you can monitor progress in the StackInstances tab. When everything is complete, the Status column on the Operations tab shows SUCCEEDED.

❗Note: The DrataAutopilotRole will not be created in the single account where the CloudFormation StackSet was deployed. Due to AWS automation rules, this role is not automatically deployed to the management account.

To manually create and apply the role to your Management account, follow the steps in the next section.

Create and link the AWS role ARN to Drata

The following steps describe how to manually create the DrataAutopilotRole on your management account, since CloudFormation does not auto-deploy roles to the management account.

  1. Ensure you are logged into the AWS account you deployed the CloudFormation script from.

  2. Navigate to the IAM service and select Roles in the sidebar.

  3. Select the Create role button, then select the AWS account box.

  4. Click on the Another AWS account radio button.

  5. Copy and paste the Drata account ID: 269135526815 into the Account ID field.

Select trusted entity

  1. Select the Require external ID checkbox.

  2. Enter your Drata external ID into the External ID field (this is unique to your tenant, found in the AWS connection wizard in Drata).

  3. Leave the Require MFA checkbox un-checked.

Add connection permission

  1. Select the Next: Permissions button.

  2. In the Attach permissions policies section, search for the Read Only Access permission: SecurityAudit.

  3. Scroll to the bottom of this list and select the SecurityAudit managed policy.

Note: Some additional permissions not covered by the SecurityAudit policy may be required to use additional tests that monitor AWS. Those tests and permissions are outlined in the Additional Permission Considerations.

Create role

  1. Copy and paste the fields below into the form, then click the Next button.
    Note: Ensure that the value for Role Name is copied exactly as listed below.

    • Role Name: DrataAutopilotRole

    • Role Description: Cross-account read-only access for Drata Autopilot
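As an added example, not Drata's own code or tooling, the Python below builds the trust policy that the console choices above produce (Another AWS account, Require external ID checked, Require MFA unchecked) and checks an existing role's trust policy, such as the AssumeRolePolicyDocument returned by `aws iam get-role`, before you link its ARN; the external ID value is a placeholder and the function names are assumptions:

```python
# Value from the article; the external ID passed in is a placeholder for the
# Drata External ID shown in the AWS connection wizard for your tenant.
DRATA_ACCOUNT_ID = "269135526815"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy matching the console choices in the article: Another AWS account,
    Require external ID checked, Require MFA left unchecked."""
    if not external_id.strip():
        raise ValueError("external ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{DRATA_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict, expected_external_id: str) -> list:
    """Check a trust policy (for example the AssumeRolePolicyDocument returned by
    `aws iam get-role --role-name DrataAutopilotRole`) against the article's setup.
    Returns a list of problems; an empty list means it matches."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(principals, str):
            principals = [principals]
        if "*" in principals:
            problems.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
        if not principals or not all(DRATA_ACCOUNT_ID in p for p in principals):
            problems.append(f"statement {i}: principal is not the Drata account {DRATA_ACCOUNT_ID}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            problems.append(f"statement {i}: external ID differs from the one shown in Drata")
    return problems
```

The external ID condition is what prevents another Drata tenant from assuming your role, so a missing or mismatched value should be fixed before the ARN is linked.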

Link Amazon Resource Name

Search for and select the role you just created. The role should be named DrataAutopilotRole.

  1. Copy the role ARN from the role's summary page.

  2. Paste this into Drata’s Role ARN field for the AWS Org Unit connection.

  3. Select the Next button to establish the link between AWS and Drata.

Retrieve and enter the AWS Root ID

To complete the connection setup, follow these steps to locate and enter your AWS Root ID in Drata.

  1. Go to the AWS Organizations page and copy the Root ID (for example, r-abc1).

  2. Paste the Root ID into Drata's Root ID field for the AWS connection.

Exclude or include accounts

You can also exclude or include accounts by entering account IDs in the drawer or using the “DrataExclude” and “DrataInclude” tags. The account IDs entered in the drawer take precedence over tags.

  • To use exclusion tags, use the “DrataExclude” tag. Learn more at Exclusion tags within AWS.

  • To use inclusion tags, use the “DrataInclude” tag. To configure this tag, go to your AWS Organization in your AWS Console and select the org unit that you'd like to include. Select the "Tags" tab and then "Manage tags".

  • Select "Add Tag" and enter "DrataInclude" into the key field. The value field is optional.

Configure allowed region

If the Organizational Unit you are connecting to has a Service Control Policy (SCP) with region restrictions attached:

  1. Within the AWS Org Units connection drawer, select Specific regions under Allowed Regions.

  2. Then, choose the appropriate regions.

If it does not have restrictions, you can select All active regions.

Find the allowed regions

You can find the allowed regions through the AWS console:

  1. Navigate to the AWS Console.

  2. In the services menu, search for and select Organizations.

  3. Under the Organizational units section, select the Organization Unit (OU) you are connecting to Drata.

  4. Then, select the Policies tab and find the Service Control Policies (SCPs) section to view all of the policies attached to the OU.

  5. Select each SCP to view its policy document and look for the Condition element that specifies aws:RequestedRegion.

  6. In the array, you will find a list of all the allowed regions. Select those regions in the AWS Org Units connection drawer.

Alternatively, you can use the AWS CLI to find these details:

  1. List the policies attached to the OU:

    • aws organizations list-policies-for-target --target-id <ou-id> --filter SERVICE_CONTROL_POLICY

  2. By using the PolicyId from the previous command, get the details of each policy.

    • aws organizations describe-policy --policy-id <policy-id>

  3. In the output, inspect the Condition elements for aws:RequestedRegion to find a list of the allowed regions.
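As an added example, not part of the article or Drata's tooling, this Python helper performs step 3 on the describe-policy output: it parses the Content field (a JSON string holding the SCP) and collects the regions from the aws:RequestedRegion conditions, covering both the Deny/StringNotEquals pattern and the Allow/StringEquals pattern. The sample output, policy name and policy ID are constructed, and the function names are assumptions:

```python
import json

# Constructed sample of `aws organizations describe-policy --policy-id <policy-id>`
# output. Content is a JSON string holding the SCP; this one uses the usual
# region-restriction pattern: deny everything outside two regions, except global services.
SAMPLE_DESCRIBE_POLICY_OUTPUT = json.dumps({
    "Policy": {
        "PolicySummary": {"Id": "p-examplepolicyid", "Name": "DenyRegionsOutsideUS",
                          "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "DenyAllOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-west-2", "us-east-1"]}},
            }],
        }),
    }
})


def allowed_regions_from_scp(scp: dict) -> set:
    """Regions an SCP document allows, read from its aws:RequestedRegion conditions.
    A Deny with StringNotEquals lists the regions that stay allowed; an Allow with
    StringEquals lists them directly. Other statements do not restrict regions."""
    statements = scp.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    regions = set()
    for st in statements:
        effect = st.get("Effect")
        for operator, keys in st.get("Condition", {}).items():
            op = operator.split(":")[-1]  # drop ForAnyValue:/ForAllValues: prefixes
            values = keys.get("aws:RequestedRegion")
            if values is None:
                continue
            if isinstance(values, str):
                values = [values]
            if (effect, op) in (("Deny", "StringNotEquals"), ("Allow", "StringEquals")):
                regions.update(values)
    return regions


def allowed_regions_from_describe_policy(output_json: str) -> set:
    """Same, starting from the raw describe-policy output (Content is a JSON string)."""
    content = json.loads(json.loads(output_json)["Policy"]["Content"])
    return allowed_regions_from_scp(content)
```

Run it once per PolicyId from step 1; the regions it returns are the ones to select in the AWS Org Units connection drawer.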

Monitoring tests covered

  • Test 4: SSL/TLS on Admin Page of Infrastructure Console

  • Test 30: Availability Zones Used

  • Test 68: Customer Data is Encrypted at Rest

  • Test 69: Customer Data in Cloud Storage is Encrypted at Rest

  • Test 88: MFA on Infrastructure Console

  • Test 95: Infrastructure Accounts Properly Removed

  • Test 98: Employees have Unique Infrastructure Accounts

  • Test 102: Public SSH Denied

  • Test 104: Cloud Data Storage Exposure

  • Test 105: AWS Guard Duty

  • Test 107: Daily Database Backups

  • Test 108: Storage Data Versioned or Retained

  • Test 112: Database CPU Monitored

  • Test 113: Database Free Storage Space Monitored

  • Test 114: Database Read I/O Monitored

  • Test 115: Messaging Queue Message Age Monitored

  • Test 117: NoSQL Cluster Storage Utilization Monitored

  • Test 118: Infrastructure Instance CPU Monitored

  • Test 119: Firewall Default Disallows Traffic

  • Test 122: Web Application Firewall in Place

  • Test 124: Root Infrastructure Account Unused

  • Test 130: Load Balancer Used

  • Test 132: Daily backup job status monitored*

  • Test 133: Failed Backup Alerts Being Sent*

  • Test 134: Failed Backups Addressed in Timely Manner*

  • Test 205: CloudTrail log file integrity validation enabled

  • Test 206: SQL freeable memory monitored

  • Test 214: MFA for AWS Root Account

  • Test 215: AWS IAM Password Minimum Length

  • Test 216: AWS IAM Password Reuse

  • Test 217: AWS IAM Group-Based Access Control

  • Test 218: AWS EBS Volume Encryption

  • Test 219: AWS RDS Auto Minor Version Upgrade

  • Test 220: AWS RDS Public Access Restricted

  • Test 221: AWS S3 Bucket Access Logging

  • Test 222: AWS CloudTrail Logs Encrypted

  • Test 223: AWS CMK Rotation*

  • Test 224: AWS VPC Flow Logging

  • Test 225: Hardware MFA for AWS Root Account

  • Test 226: AWS S3 Object-Level Logging for Read & Write Events

  • Test 227: AWS Network ACLs Public Remote Server Administration Access Restricted

  • Test 228: AWS Security Groups Restrict Public RDP Access

  • Test 229: AWS IAM Unused Credentials

  • Test 230: AWS IAM Principle of Least Privilege

  • Test 231: AWS EFS Encrypted at Rest

  • Test 232: AWS IAM Access Key Rotation

  • Test 233: AWS VPC Default Security Groups Restrict All Traffic

  • Test 234: AWS S3 HTTP Request Denied

  • Test 290: AWS Database Writes I/O Monitored

  • Test 291: AWS Security Groups HTTP Access Restricted

  • Test 292: AWS EC2 Instances IMDSv1 Disabled

  • Test 293: AWS Classic Load Balancer Latency Monitored

  • Test 294: AWS Application Load Balancer Target Response Time Monitored

  • Test 295: AWS Classic Load Balancer Server Errors Monitored

  • Test 296: AWS Application Load Balancer Server Errors Monitored

  • Test 297: AWS Classic Load Balancer Unhealthy Hosts Monitored

  • Test 298: AWS Application Load Balancer Unhealthy Hosts Monitored

  • Test 299: AWS Application Load Balancer Redirects HTTP to HTTPS

  • Test 300: AWS Lambda Error Rate Monitored

  • Test 301: AWS DynamoDB Point-in-Time Recovery Enabled*

Additional Information

Here are additional related articles.

Connect individual AWS account

To learn how to connect an individual AWS account instead of the organization (multiple accounts), go to AWS Connection Details and Connecting AWS to Drata.

Exclude test

After you save and test the connection, you can also exclude tests. To learn more, go to Exclusion.
