This repository holds infrastructure as code for the Ministry of Justice AWS Organizations root account, and two supporting accounts: organisation-security, and organisation-logging.
All accounts defined here form part of the MOJ's AWS Organization, allowing us to use certain services for organisational audit, governance, security, and cost optimisation.
| Service | Infrastructure as Code | Managed centrally | Method |
|---|---|---|---|
| Alternate contact information | yes | 〰️ partially (SECURITY contact only) |
Trusted access |
| Artifact (security and compliance reports) | no | ✅ yes | no |
| Audit Manager | no | ❌ no | no |
| Backup | no | ❌ no | Delegated to teams |
| CloudFormation Stacksets | no | ❌ no | no |
| CloudTrail (Organisational trail) | no | ❌ no | Delegated to teams |
| CloudWatch Events | no | ❌ no | Delegated to teams |
| Compute Optimizer | yes | ✅ yes | Trusted access |
| Config - Multi-account setup | no | ❌ no | Delegated to teams |
| Config - Multi-region, multi-account aggregation | yes | ✅ yes | Trusted access with a delegated administrator |
| Control Tower | no | ❌ no | no |
| Detective | partially | 〰️ partially | Trusted access with a delegated administrator |
| DevOps Guru | no | ❌ no | no |
| Directory Service | no | ❌ no | no |
| Firewall Manager | yes | 〰️ partially (delegated administrator) | Trusted access with a delegated administrator |
| GuardDuty | yes | ✅ yes | Trusted access with a delegated administrator |
| Health (Organisational view) | yes | ✅ yes | Trusted access |
| IAM Access Analyzer (Organisational zone of trust) | yes | ✅ yes | Trusted access with a delegated administrator |
| IAM | no | ❌ no | no |
| Inspector | partially | ✅ yes | Trusted access with a delegated administrator |
| License Manager | yes | ✅ yes | Trusted access with a delegated administrator |
| Macie | no | ❌ no | no |
| Marketplace (License management) | yes | ❌ no | Trusted access |
| Organizations: AI services opt-out policies | yes | ✅ yes | Inheritance |
| Organizations: Service Control Policies | yes | ✅ yes | Inheritance |
| Organizations: Tagging policies | yes | ✅ yes | Inheritance |
| Resource Access Manager (RAM): Organisational sharing | yes | ✅ yes | Trusted access |
| S3 Storage Lens | yes | ✅ yes | Trusted access |
| Security Hub | yes | 〰️ partially | Trusted access with a delegated administrator |
| Service Catalog | no | ❌ no | no |
| Service Quotas | no | ❌ no | no |
| Single Sign-On (SSO) | yes | ✅ yes | Trusted access |
| Systems Manager | no | ❌ no | no |
| Trusted Advisor (Organisational overview) | yes | ✅ yes | Trusted access |
| VPC IP Address Manager (IPAM) | yes | ✅ yes | Trusted access with a delegated administrator |