With the AWS Organizational Units connection, you can automatically synchronize all of your AWS accounts to Drata instead of connecting individual accounts manually. Learn more about AWS Organizations terminology and concepts.
BEFORE DIVING IN
You must create the DrataAutopilotRole in every account you want monitored.
Maximum number of accounts: This connection supports the first 350 accounts detected in your organization. If you have more than this, you can connect the production accounts that are necessary for compliance purposes first. If you would like to connect more than 350 accounts, reach out to your customer success manager.
Multiple workspaces: AWS organizational units sync across your workspaces. This connection is not specific to each workspace.
AWS Identity Center: If you use AWS Identity Center, you need to configure users through IAM to show those accounts on the Managed Accounts page.
SCP region restrictions: If you are using a Service Control Policy (SCP) with region restrictions, specify the allowed regions when setting up this connection.
Optional Terraform Setup
Depending on the number of subaccounts in your organization, you may wish to use Terraform to create the required IAM role in bulk.
Install the Terraform CLI (1.2.0+) and the AWS CLI.
If you would like to use your IAM credentials to authenticate the Terraform AWS provider, go to the Build infrastructure HashiCorp developer page for further instructions.
Download the Drata AWS Org Units script from https://github.com/drata/terraform-aws-drata-autopilot-role.
Connect AWS Organizational Units
Follow these instructions to connect AWS Organizational Units to Drata.
Select "Connections" on the side navigation menu.
Select the "Available connections" tab and then search for "AWS Org Units" to connect.
The following steps are also listed in the instruction drawer. In this drawer, you can also exclude or include accounts.
Follow the instructions in this help article to create and apply the required IAM role in the root account and each subaccount you want to monitor.
Alternatively, if you are using the Terraform setup:
In your terminal, run terraform init to download and update the module, using the configuration below. Replace main in ref=main with the latest version from the releases page. Drata's external ID, 5f1f8fba-9139-4dfc-870f-c98519a0edb1, is entered in role_sts_externalid = "5f1f8fba-9139-4dfc-870f-c98519a0edb1".

module "drata_autopilot_role" {
  source              = "git::https://github.com/drata/terraform-aws-drata-autopilot-role.git?ref=main"
  role_sts_externalid = "5f1f8fba-9139-4dfc-870f-c98519a0edb1"
}

# this will output the Role ARN
output "drata_autopilot_role" {
  value = module.drata_autopilot_role.role_arn
}
IMPORTANT: Run terraform apply and review the plan output before entering yes.
Copy the Role ARN that is displayed once Terraform has been applied.
Paste the Role ARN into the Role ARN field in the AWS Connections drawer in Drata.
Go to the AWS Organizations page and copy the Root ID (for example, r-abc1).
Paste the Root ID into the Root ID field in the AWS Connections drawer in Drata.
Exclude or include accounts. To learn how to exclude or include accounts go to the next section.
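The role you create in each account is assumed by Drata using the external ID shown above, so it is worth confirming that every trust-policy statement granting sts:AssumeRole actually requires that external ID before pasting the Role ARN into the drawer. The following script is an added example and is not Drata's code nor part of the Terraform module; the trust policy documents are constructed for illustration, the principal account ID 111111111111 is a placeholder rather than Drata's account, and the only value taken from the article is the external ID.

```python
"""Check that a DrataAutopilotRole trust policy is bound to Drata's external ID.

Added example (not Drata's code or the Terraform module's). The trust policy
documents below are constructed; 111111111111 is a placeholder account ID.
"""

DRATA_EXTERNAL_ID = "5f1f8fba-9139-4dfc-870f-c98519a0edb1"  # value given in the article

# Constructed trust policy in the shape `aws iam get-role` returns under
# Role.AssumeRolePolicyDocument. This is the expected form.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder principal
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": DRATA_EXTERNAL_ID}},
    }],
}

# Same statement with the condition dropped: the external ID no longer
# limits who can have this role assumed on their behalf (confused deputy).
MISSING_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": ["sts:AssumeRole"],
    }],
}

# A typo'd or stale external ID is just as wrong as a missing one.
WRONG_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "00000000-0000-0000-0000-000000000000"}},
    }],
}


def _as_list(value):
    """IAM policy language allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy, expected_external_id=DRATA_EXTERNAL_ID):
    """Return a list of problems found; an empty list means the trust policy is as expected.

    Only Allow statements that grant sts:AssumeRole (or sts:*) are inspected.
    """
    findings = []
    for index, statement in enumerate(_as_list(trust_policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        actions = {action.lower() for action in _as_list(statement.get("Action", []))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue

        principal = statement.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"statement {index}: principal is a wildcard")

        # Condition keys are case-insensitive, so normalise before looking up sts:ExternalId.
        string_equals = statement.get("Condition", {}).get("StringEquals", {})
        external_ids = [
            value for key, value in string_equals.items() if key.lower() == "sts:externalid"
        ]
        if not external_ids:
            findings.append(f"statement {index}: no sts:ExternalId condition")
        elif _as_list(external_ids[0]) != [expected_external_id]:
            findings.append(f"statement {index}: unexpected external ID {external_ids[0]}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY),
                         ("missing", MISSING_EXTERNAL_ID),
                         ("wrong", WRONG_EXTERNAL_ID)):
        print(name, trust_policy_findings(policy) or "OK")
```

To run it against a real account, fetch the document with aws iam get-role --role-name DrataAutopilotRole, load the Role.AssumeRolePolicyDocument object from the JSON output, and pass it to trust_policy_findings; any non-empty result should be fixed before the account is connected.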
Exclude or include accounts
You can also exclude or include accounts by entering account IDs in the drawer or by using the "DrataExclude" and "DrataInclude" tags. Account IDs entered in the drawer take precedence over tags.
To use exclusion tags, use the "DrataExclude" tag. Learn more at Exclusion tags within AWS.
To use inclusion tags, use the "DrataInclude" tag. To configure this tag, go to your AWS Organization in your AWS Console and select the org unit that you'd like to include. Select the "Tags" tab and then "Manage tags".
Select "Add Tag" and enter "DrataInclude" into the key field. The value field is optional.
Configure allowed region
If the Organizational Unit you are connecting to has a Service Control Policy (SCP) with region restrictions attached:
Within the AWS Org Units connection drawer, select Specific regions under Allowed Regions.
Then, choose the appropriate regions.
If the OU does not have region restrictions, you can select All active regions.
Find the allowed regions
You can find the allowed regions through the AWS console:
Navigate to the AWS Console.
In the services menu, search for and select Organizations.
Under the Organizational units section, select the Organizational Unit (OU) you are connecting to Drata.
Then, select the Policies tab and find the Service Control Policies (SCPs) section to view all of the policies attached to the OU.
Select each SCP to view its policy document and find the Condition element that specifies aws:RequestedRegion. Its array lists all of the allowed regions. Select those regions in the AWS Org Units connection drawer.
Alternatively, you can use the AWS CLI to find these details:
List the policies attached to the OU:
aws organizations list-policies-for-target --target-id <ou-id> --filter SERVICE_CONTROL_POLICY
Using the PolicyId from the previous command, get the details of each policy:
aws organizations describe-policy --policy-id <policy-id>
In the output, inspect the Condition elements for aws:RequestedRegion to find the list of allowed regions.
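Reading the Condition elements by hand is fine for one SCP, but an OU often inherits several, and the regions the connection may use are the intersection of every region-restricting policy. The following script is an added example, not Drata's tooling: it parses the JSON printed by aws organizations describe-policy (the policy body arrives as a JSON string in the Content field), collects the aws:RequestedRegion values from Deny statements that use StringNotEquals, the standard "deny everything outside these regions" pattern, and intersects them across policies. The sample policy outputs, their IDs, names and region lists are constructed for this example.

```python
"""Extract the regions an OU's Service Control Policies allow.

Added example (not Drata's code). Parses the output of
`aws organizations describe-policy --policy-id <policy-id>` and collects
aws:RequestedRegion values from Deny + StringNotEquals statements.
"""
import json

# Constructed sample outputs in the shape of `describe-policy`; policy IDs,
# names and region lists are made up for this example.
SAMPLE_EU_ONLY = json.dumps({
    "Policy": {
        "PolicySummary": {"Id": "p-example0001", "Name": "DenyOutsideEU",
                          "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "DenyOutsideEU",
                "Effect": "Deny",
                "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {
                    "aws:RequestedRegion": ["eu-west-1", "eu-central-1", "eu-north-1"]}},
            }],
        }),
    }
})

SAMPLE_WEST_EUROPE = json.dumps({
    "Policy": {
        "PolicySummary": {"Id": "p-example0002", "Name": "DenyOutsideWestEurope",
                          "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringNotEquals": {
                    "aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}},
            }],
        }),
    }
})

# A policy that does not restrict regions at all.
SAMPLE_NO_REGION_RULE = json.dumps({
    "Policy": {
        "PolicySummary": {"Id": "p-example0003", "Name": "ProtectFlowLogs",
                          "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "ec2:DeleteFlowLogs", "Resource": "*"}],
        }),
    }
})


def _as_list(value):
    """IAM policy language allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def allowed_regions(policy_document):
    """Return the set of regions the SCP permits, or None if it does not restrict regions.

    Only the Deny + StringNotEquals form reads as an allow-list; a Deny with
    StringEquals names blocked regions instead and is deliberately not counted.
    """
    allowed = None
    for statement in _as_list(policy_document.get("Statement", [])):
        if statement.get("Effect") != "Deny":
            continue
        for operator, matches in statement.get("Condition", {}).items():
            if operator not in ("StringNotEquals", "StringNotEqualsIgnoreCase"):
                continue
            # Condition keys are case-insensitive in the policy language.
            values = [v for k, v in matches.items() if k.lower() == "aws:requestedregion"]
            if not values:
                continue
            listed = {region.lower() for region in _as_list(values[0])}
            allowed = listed if allowed is None else allowed & listed
    return allowed


def allowed_regions_from_describe_output(describe_output):
    """Parse raw `describe-policy` JSON; the Content field is itself a JSON string."""
    policy = json.loads(describe_output)["Policy"]
    return allowed_regions(json.loads(policy["Content"]))


def effective_allowed_regions(describe_outputs):
    """Intersect the allow-lists of every region-restricting SCP attached to the OU.

    Returns None when no policy restricts regions, i.e. "All active regions" applies.
    """
    effective = None
    for output in describe_outputs:
        regions = allowed_regions_from_describe_output(output)
        if regions is None:
            continue
        effective = regions if effective is None else effective & regions
    return effective


if __name__ == "__main__":
    print(sorted(effective_allowed_regions([SAMPLE_EU_ONLY, SAMPLE_WEST_EUROPE, SAMPLE_NO_REGION_RULE])))
```

In practice you would run describe-policy once per PolicyId returned by list-policies-for-target, pass the collected outputs to effective_allowed_regions, and select exactly that set under Specific regions; a None result means no SCP on the OU restricts regions and All active regions is the right choice.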
Monitoring tests covered
Test 4: SSL/TLS on Admin Page of Infrastructure Console
Test 30: Availability Zones Used
Test 68: Customer Data is Encrypted at Rest
Test 69: Customer Data in Cloud Storage is Encrypted at Rest
Test 88: MFA on Infrastructure Console
Test 95: Infrastructure Accounts Properly Removed
Test 98: Employees have Unique Infrastructure Accounts
Test 102: Public SSH Denied
Test 104: Cloud Data Storage Exposure
Test 105: AWS Guard Duty
Test 107: Daily Database Backups
Test 108: Storage Data Versioned or Retained
Test 112: Database CPU Monitored
Test 113: Database Free Storage Space Monitored
Test 114: Database Read I/O Monitored
Test 115: Messaging Queue Message Age Monitored
Test 117: NoSQL Cluster Storage Utilization Monitored
Test 118: Infrastructure Instance CPU Monitored
Test 119: Firewall Default Disallows Traffic
Test 122: Web Application Firewall in Place
Test 124: Root Infrastructure Account Unused
Test 130: Load Balancer Used
Test 132: Daily backup job status monitored*
Test 133: Failed Backup Alerts Being Sent*
Test 134: Failed Backups Addressed in Timely Manner*
Test 205: CloudTrail log file integrity validation enabled
Test 206: SQL freeable memory monitored
Test 214: MFA for AWS Root Account
Test 215: AWS IAM Password Minimum Length
Test 216: AWS IAM Password Reuse
Test 217: AWS IAM Group-Based Access Control
Test 218: AWS EBS Volume Encryption
Test 219: AWS RDS Auto Minor Version Upgrade
Test 220: AWS RDS Public Access Restricted
Test 221: AWS S3 Bucket Access Logging
Test 222: AWS CloudTrail Logs Encrypted
Test 223: AWS CMK Rotation*
Test 224: AWS VPC Flow Logging
Test 225: Hardware MFA for AWS Root Account
Test 226: AWS S3 Object-Level Logging for Read & Write Events
Test 227: AWS Network ACLs Public Remote Server Administration Access Restricted
Test 228: AWS Security Groups Restrict Public RDP Access
Test 229: AWS IAM Unused Credentials
Test 230: AWS IAM Principle of Least Privilege
Test 231: AWS EFS Encrypted at Rest
Test 232: AWS IAM Access Key Rotation
Test 233: AWS VPC Default Security Groups Restrict All Traffic
Test 234: AWS S3 HTTP Request Denied
Test 290: AWS Database Writes I/O Monitored
Test 291: AWS Security Groups HTTP Access Restricted
Test 292: AWS EC2 Instances IMDSv1 Disabled
Test 293: AWS Classic Load Balancer Latency Monitored
Test 294: AWS Application Load Balancer Target Response Time Monitored
Test 295: AWS Classic Load Balancer Server Errors Monitored
Test 296: AWS Application Load Balancer Server Errors Monitored
Test 297: AWS Classic Load Balancer Unhealthy Hosts Monitored
Test 298: AWS Application Load Balancer Unhealthy Hosts Monitored
Test 299: AWS Application Load Balancer Redirects HTTP to HTTPS
Test 300: AWS Lambda Error Rate Monitored
Test 301: AWS DynamoDB Point-in-Time Recovery Enabled*
Additional Information
Here are additional related articles.
Connect individual AWS account
To learn how to connect an individual AWS account instead of the organization (multiple accounts), go to AWS Connection Details and Connecting AWS to Drata.
Exclude test
After you save and test the connection, you can also exclude tests. To learn more, go to Exclusion.