Connecting AWS Organizational Units
Written by Jane Baik
Updated over a week ago

With the AWS Organizational Units connection, you can automatically synchronize all of your AWS accounts to Drata instead of manually connecting individual accounts. Learn more about AWS Organizations terminology and concepts.


  • You must create the DrataAutopilotRole in every account you want monitored.

  • Maximum number of accounts: This connection supports the first 750 accounts detected in your organization. If you have more than 750, you can try to connect production accounts that are necessary for compliance purposes first. If you would like to connect more than 750 accounts, reach out to your customer success manager.

  • Multiple workspaces: AWS organizational units sync across your workspaces. This connection is not specific to each workspace.

  • AWS Identity Center: If you use AWS Identity Center, you need to configure users through IAM to show those accounts on the Managed Accounts page.

  • Optional Terraform Setup

Connect AWS Organizational Units

Follow these instructions to connect AWS Organizational Units to Drata.

  1. Select 'Connections' on the side navigation menu.

  2. Select the 'Available connections' tab and then search for 'AWS Org Units' to connect.

  3. The following steps are also listed in the instruction drawer. In this drawer, you can also exclude or include accounts.

  4. Follow the instructions in this help article to create and apply the required IAM role in the root account and each subaccount you want to monitor.

    1. Alternatively, if you are using the Terraform setup:

      1. In your terminal, run terraform init to download and update the following module.

        • Replace main in ref=main with the latest version from the releases page.

        • Drata's external ID, 5f1f8fba-9139-4dfc-870f-c98519a0edb1, is already entered as role_sts_externalid = "5f1f8fba-9139-4dfc-870f-c98519a0edb1" in the following code block.

          module "drata_autopilot_role" {
            source              = "git::"
            role_sts_externalid = "5f1f8fba-9139-4dfc-870f-c98519a0edb1"
          }

          # this will output the Role ARN
          output "drata_autopilot_role" {
            value = module.drata_autopilot_role.role_arn
          }

      2. IMPORTANT: Run terraform apply and review the plan output before entering yes.

      3. Copy the Role ARN that is displayed when the Terraform configuration is applied.

      4. Paste the Role ARN into the Role ARN field in the AWS Connections drawer in Drata.

  5. Go to the AWS Organizations page and copy the Root ID (for example, r-abc1).

  6. Paste the Root ID into the Root ID field in the AWS Connections drawer in Drata.

  7. Exclude or include accounts. To learn how to exclude or include accounts, go to the next section.
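
To confirm that the role created in step 4 can only be assumed with Drata's external ID, the following added example (not part of the original article or of Drata's tooling) checks a role trust policy document, such as the output of aws iam get-role --role-name DrataAutopilotRole --query Role.AssumeRolePolicyDocument. It assumes the external ID is enforced as an sts:ExternalId condition in the trust policy; the sample policies and the 111122223333 account are constructed.

```python
import json

# External ID copied from this page; all policy documents below are constructed.
DRATA_EXTERNAL_ID = "5f1f8fba-9139-4dfc-870f-c98519a0edb1"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, expected_id=DRATA_EXTERNAL_ID):
    """Return findings for a role trust policy (AssumeRolePolicyDocument)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"statement {i}: wildcard principal")
        # IAM condition keys are case-insensitive; several values are OR-ed.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for key, vals in equals.items()
               if key.lower() == "sts:externalid" for v in _as_list(vals)]
        if not ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ids != [expected_id]:
            findings.append(f"statement {i}: unexpected external ID accepted")
    return findings

def _policy(principal, condition=None):
    # Helper that builds a one-statement trust policy for the samples.
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed samples; 111122223333 is a placeholder account, not Drata's.
PINNED = {"StringEquals": {"sts:ExternalId": DRATA_EXTERNAL_ID}}
SAMPLES = {
    "expected": _policy({"AWS": "arn:aws:iam::111122223333:root"}, PINNED),
    "no-external-id": _policy({"AWS": "arn:aws:iam::111122223333:root"}),
    "wildcard": _policy({"AWS": "*"}, PINNED),
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, json.dumps(check_trust_policy(doc)))
```

An empty findings list means the policy pins role assumption to the expected external ID; run the check against each account where DrataAutopilotRole was created.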

Exclude or include accounts

You can also exclude or include accounts by entering account IDs in the drawer or using the “DrataExclude” and “DrataInclude” tags. The account IDs entered in the drawer take precedence over tags.

  • To use exclusion tags, use the “DrataExclude” tag. Learn more at Exclusion tags within AWS.

  • To use inclusion tags, use the “DrataInclude” tag. To configure this tag, go to your AWS Organization in your AWS Console and select the org unit that you'd like to include. Select the "Tags" tab and then "Manage tags".

  • Select "Add Tag" and enter "DrataInclude" into the key field. The value field is optional.

Monitoring tests covered

  • Test 4: SSL/TLS on Admin Page of Infrastructure Console

  • Test 30: Availability Zones Used

  • Test 68: Customer Data is Encrypted at Rest

  • Test 69: Customer Data in Cloud Storage is Encrypted at Rest

  • Test 88: MFA on Infrastructure Console

  • Test 95: Infrastructure Accounts Properly Removed

  • Test 98: Employees have Unique Infrastructure Accounts

  • Test 102: Public SSH Denied

  • Test 104: Cloud Data Storage Exposure

  • Test 105: AWS Guard Duty

  • Test 107: Daily Database Backups

  • Test 108: Storage Data Versioned or Retained

  • Test 112: Database CPU Monitored

  • Test 113: Database Free Storage Space Monitored

  • Test 114: Database Read I/O Monitored

  • Test 115: Messaging Queue Message Age Monitored

  • Test 117: NoSQL Cluster Storage Utilization Monitored

  • Test 118: Infrastructure Instance CPU Monitored

  • Test 119: Firewall Default Disallows Traffic

  • Test 122: Web Application Firewall in Place

  • Test 124: Root Infrastructure Account Unused

  • Test 130: Load Balancer Used

Additional Information

Here are additional related articles.

Connect individual AWS account

To learn how to connect an individual AWS account instead of the organization (multiple accounts), go to AWS Connection Details and Connecting AWS to Drata.

Exclude test

After you save and test the connection, you can also exclude tests. To learn more, go to Exclusion.
