AWS Root Account
April 21, 2026
This repository defines and manages the MOJ AWS Management Account, which serves as the root of the MOJ AWS Organization. It provides shared services, centralized governance, and foundational security for all AWS accounts under the Ministry of Justice.
This repository manages the following AWS accounts:
- The Management Account (`MOJ Master`, also referred to as `AWS Root Account`)
- Supporting organizational accounts (`organisation-security`)
- Lifecycle management of accounts that are not provided by the Modernisation Platform
This repository also manages the following services:
- SSO Access to AWS Accounts and Applications through GitHub and Microsoft Justice Identities
- Opt-in Extended Detection and Response (XDR) AWS Account Integration with MOJ Security Operations Centre (SOC)
- Automatically setting the Security Contact of all Member Accounts to `security@justice.gov.uk`
- Configuring the AWS Organization, such as creating Organizational Units, AWS Accounts and Service Control Policies. For details on all AWS Organization integrated services, see AWS Organizations Integrated Services Overview
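The Security Contact service above sets `security@justice.gov.uk` on every Member Account; the following is an added verification script (not code from this repository) that reports accounts whose SECURITY alternate contact is missing or differs. It assumes management-account credentials, and reading a member account's contact through the Account API relies on trusted access for `account.amazonaws.com`, which the tables below list as enabled.

```python
"""Verify each member account's SECURITY alternate contact (added example)."""

# Expected value, taken from the README.
EXPECTED_SECURITY_CONTACT = "security@justice.gov.uk"


def classify_security_contacts(contacts, expected=EXPECTED_SECURITY_CONTACT):
    """Split {account_id: email-or-None} into compliant / wrong / missing.

    None means no SECURITY alternate contact is set at all. Comparison is
    case-insensitive and ignores surrounding whitespace, since AWS stores the
    address exactly as it was submitted.
    """
    result = {"compliant": [], "wrong": [], "missing": []}
    for account_id, email in sorted(contacts.items()):
        if email is None:
            result["missing"].append(account_id)
        elif email.strip().lower() == expected.lower():
            result["compliant"].append(account_id)
        else:
            result["wrong"].append(account_id)
    return result


def fetch_security_contacts(org_client=None, account_client=None):
    """Return {account_id: email-or-None} for every ACTIVE member account."""
    import boto3  # imported here so classify_security_contacts() runs offline

    org = org_client or boto3.client("organizations")
    acct = account_client or boto3.client("account")
    # The management account must not be queried with an explicit AccountId.
    mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
    contacts = {}
    for page in org.get_paginator("list_accounts").paginate():
        for member in page["Accounts"]:
            if member["Id"] == mgmt_id or member["Status"] != "ACTIVE":
                continue  # closed/suspended accounts cannot be updated anyway
            try:
                resp = acct.get_alternate_contact(
                    AccountId=member["Id"], AlternateContactType="SECURITY")
                contacts[member["Id"]] = resp["AlternateContact"]["EmailAddress"]
            except acct.exceptions.ResourceNotFoundException:
                contacts[member["Id"]] = None  # contact never set
    return contacts


if __name__ == "__main__":
    print(classify_security_contacts(fetch_security_contacts()))
```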
Repository Structure Overview
```
.
├── .github/               # Issue templates, workflows (CI/CD), CODEOWNERS, etc.
├── management-account/    # IaC for the Management Account. Contains configuration for Organisations, Identity Centre, Cost and Billing etc.
├── modules/               # Reusable Terraform modules for creating common AWS resources
├── organisation-security/ # IaC for the Organisation Security Account. Contains configuration for GuardDuty, SecurityHub etc.
└── scripts/               # Utility scripts for managing the AWS Organization
```
Ownership & Support
| Responsibility | Team / Role | Contact |
|---|---|---|
| Primary ownership of aws-root-account | Hosting Tech Leads | #aws-root-account |
| Strategic MOJ AWS landing zone | Modernisation Platform | #ask-modernisation-platform |
| AWS cost and billing | Cloud Optimisation and Accountability Team | #cloud-optimisation-and-accountability-team |
| Security consultation and reviews | P&A Cyber Security | #ask-panda-cyber |
| Ownership of overall AWS Service | Hosting | #hosting |
AWS Organizations Integrated Services Overview
The Ministry of Justice AWS Organization integrates with a number of AWS services that work with Organizations, enabling centralized governance, security, and automation across all member accounts.
This section lists all AWS services known to support integration with AWS Organizations, showing which are enabled for the MOJ Organization.
Each service is grouped by category and includes:
- Status: Whether it's currently enabled in the Organization.
- Description: Summary of the service's org-level integration.
- Managed By: Which account or repository owns the service configuration.
- Rationale: Why it is (or isn't) enabled.
Security & Compliance Services
The following AWS Services establish organization-wide visibility, detection, and enforcement of security posture.
| Status | Service | Description | Managed By | Rationale |
|---|---|---|---|---|
| ✅ | Detective (detective.amazonaws.com) | Security investigation service that builds relationship graphs from GuardDuty findings. | organisation-security | Provides org-wide threat investigation capability. |
| ✅ | Firewall Manager (fms.amazonaws.com) | Central policy management for WAF, Shield, and security groups. | MOJ Master | Enforces baseline network security policies, such as automatically attaching basic firewalls to applications. |
| ✅ | GuardDuty (guardduty.amazonaws.com) | Threat detection and monitoring across accounts. | organisation-security | Centralised GuardDuty delegated admin for all accounts. |
| ✅ | IAM Access Analyzer (access-analyzer.amazonaws.com) | Enables org-wide IAM Access Analyzer for external access findings. | organisation-security | Provides org-level visibility into cross-account access. |
| ✅ | Inspector (inspector2.amazonaws.com) | Automated vulnerability scanning across instances, containers, and Lambda. | organisation-security | Ensures continuous compliance scanning across the org. |
| ✅ | Macie (macie.amazonaws.com) | Data classification and discovery for sensitive data in S3. | organisation-security | Enforces data governance and DLP across S3. |
| ✅ | Security Hub (securityhub.amazonaws.com) | Centralized security findings aggregator. | organisation-security | Centralised Security Hub aggregation for easier integration with the SOC. |
Governance & Access Control
The following AWS Services define organizational structure, manage policies and permissions, and orchestrate account lifecycle.
| Status | Service | Description | Managed By | Rationale |
|---|---|---|---|---|
| ✅ | Account Management (account.amazonaws.com) | Enables API-level management of AWS accounts within the organization. | MOJ Master | Required for account provisioning and lifecycle management. |
| ✅ | CloudFormation StackSets | Provision infrastructure in all member accounts. | organisation-security | Organisation-wide governance and integrations, such as with XSIAM. |
| ✅ | IAM (iam.amazonaws.com) | Organization-wide identity service integration (for Access Analyzer, SCPs). | MOJ Master | Required for managing root users, setting SCPs and Access Analyzer. |
| ✅ | Resource Access Manager (ram.amazonaws.com) | Share specified AWS resources that you own with other AWS accounts. | MOJ Master | Enables easier cross-account resource access within the org. |
| ✅ | IAM Identity Center (sso.amazonaws.com) | Enable visibility and control of your AWS resources. | MOJ Master | Allows a central SSO service for AWS access via GitHub and Microsoft. |
| ✅ | Tag Policies (tagpolicies.tag.amazonaws.com) | Standardise tags across resources in your organization's accounts. | MOJ Master | Define standardised tagging rules for resources. |
Operations & Resilience
The following AWS Services enable cross-account operational monitoring, automation, and recovery.
| Status | Service | Description | Managed By | Rationale |
|---|---|---|---|---|
| ✅ | AWS Backup (backup.amazonaws.com) | Centralized backup plans and compliance management across accounts. | MOJ Master | Currently only monitors backups across the organisation. |
| ✅ | AWS Config (config.amazonaws.com) | Tracks configuration changes and compliance across accounts. | organisation-security | Enables centralized config aggregators and conformance packs. |
| ✅ | AWS Health (health.amazonaws.com) | Aggregates AWS Health events across the organization. | MOJ Master | Allows central visibility of incidents and maintenance events. |
| ✅ | License Manager (license-manager.amazonaws.com) | Tracks and enforces software license usage across accounts. | organisation-security | Used to manage enterprise licensing across the org. |
| ✅ | IP Address Manager (IPAM) (ipam.amazonaws.com) | Enables central management of IP address allocations across accounts. | organisation-security | Supports CIDR allocation and VPC IP tracking. |
Cost Management & Optimization
The following AWS Services provide consolidated visibility and optimization of spend, usage, and cost allocation.
| Status | Service | Description | Managed By | Rationale |
|---|---|---|---|---|
| ✅ | Billing and Cost Management (billing-cost-management.amazonaws.com) | Enables consolidated billing and budgets across the organization. | MOJ Master | Required for consolidated billing and cost allocation. |
| ✅ | Compute Optimizer (compute-optimizer.amazonaws.com) | Provides org-wide optimization recommendations for compute resources. | MOJ Master | Helps identify cost-saving opportunities. |
| ✅ | Cost Optimization Hub (cost-optimization-hub.bcm.amazonaws.com) | Aggregates cost optimization insights across accounts. | MOJ Master | Centralizes cost optimization insights. |
| ✅ | Marketplace (license-management.marketplace.amazonaws.com) | Curated digital catalog that you can use to find, buy, deploy, and manage third-party software. | MOJ Master | Centrally manage purchases through AWS Marketplace. |
| ✅ | S3 Storage Lens (storage-lens.s3.amazonaws.com) | S3 storage usage and activity metrics with actionable recommendations to optimize storage. | MOJ Master | Centralizes storage cost optimization insights. |
| ✅ | Trusted Advisor (reporting.trustedadvisor.amazonaws.com) | Makes recommendations when opportunities exist to save money, to improve system availability and performance, or to help close security gaps. | MOJ Master | Centralizes cost optimization and security insights. |
Services Not Yet Enabled
These services support AWS Organizations integration but are currently disabled in the MOJ Organization.
| Status | Service | Description | Rationale |
|---|---|---|---|
| ❌ | Application Migration Service (mgn.amazonaws.com) | Manage large-scale migrations across multiple accounts. | - |
| ❌ | AWS Artifact (mgn.amazonaws.com) | Accept agreements on behalf of all accounts within your organization. | - |
| ❌ | AWS Audit Manager (auditmanager.amazonaws.com) | Centralized evidence collection for audits. | - |
| ❌ | CloudTrail (cloudtrail.amazonaws.com) | Org-wide API event logging. | - |
| ❌ | CloudWatch (observabilityadmin.amazonaws.com) | Org-wide view of telemetry. | - |
| ❌ | Control Tower (controltower.amazonaws.com) | Set up and govern a secure, compliant, multi-account AWS environment. | - |
| ❌ | DevOps Guru (devops-guru.amazonaws.com) | Detects operational issues or risks. | - |
| ❌ | Directory Service | Set up and run directories in the AWS Cloud. | - |
| ❌ | EventBridge | Share all EventBridge events across all accounts. | - |
| ❌ | Elastic Compute Cloud (ec2.amazonaws.com) | Generate reports of existing EC2 configurations. | - |
| ❌ | EC2 Capacity Manager (ec2.capacitymanager.amazonaws.com) | Org-wide view of EC2 capacity usage. | - |
| ❌ | Elastic Kubernetes Service (dashboard.eks.amazonaws.com) | Central dashboard of EKS usage. | - |
| ❌ | Marketplace - Private Marketplace (private-marketplace.marketplace.amazonaws.com) | Private marketplaces associated with our organisation. | - |
| ❌ | Marketplace - Procurement Insights Dashboard (procurement-insights.marketplace.amazonaws.com) | Private marketplaces associated with our organisation. | - |
| ❌ | Network Manager (networkmanager.amazonaws.com) | Cross-account network management. | - |
| ❌ | Amazon Q (q.amazonaws.com) | Paid subscription to Amazon Q. | - |
| ❌ | Resource Explorer (resource-explorer-2.amazonaws.com) | Multi-account search of resources. | - |
| ❌ | Security Incident Response (security-ir.amazonaws.com) | Security service that provides 24/7 live, human-assisted security incident support. | - |
| ❌ | Security Lake (securitylake.amazonaws.com) | Create a data lake that collects logs and events across your accounts. | - |
| ❌ | Service Catalog (servicecatalog.amazonaws.com) | Create and manage catalogs of IT services that are approved for use. | - |
| ❌ | Service Quotas (servicequotas.amazonaws.com) | View and manage your service quotas. | - |
| ❌ | Systems Manager (ssm.amazonaws.com) | Enable visibility and control of AWS resources. | - |
| ❌ | User Notifications (notifications.amazon.com) | Configure and view notifications centrally across accounts in your organization. | - |
| ❌ | Well-Architected Tool (wellarchitected.amazonaws.com) | Helps document the state of workloads and compares them to the latest AWS architectural best practices. | - |
| ❌ | VPC Reachability Analyzer (reachabilityanalyzer.networkinsights.amazonaws.com) | Trace paths across accounts in your organization. | - |
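Enabling trusted access for a service deploys roles into every Member Account, so the tables above double as the intended state of the Organization. The following added drift check (not code from this repository) compares the principals the README marks as enabled with what AWS Organizations reports; it assumes management-account credentials with `organizations:ListAWSServiceAccessForOrganization`, and leaves out CloudFormation StackSets because the page lists no principal for it.

```python
"""Compare README service tables with live AWS Organizations trusted access."""

# Service principals the tables above mark as enabled (transcribed from the README).
EXPECTED_ENABLED = frozenset({
    "detective.amazonaws.com", "fms.amazonaws.com", "guardduty.amazonaws.com",
    "access-analyzer.amazonaws.com", "inspector2.amazonaws.com",
    "macie.amazonaws.com", "securityhub.amazonaws.com",
    "account.amazonaws.com", "iam.amazonaws.com", "ram.amazonaws.com",
    "sso.amazonaws.com", "tagpolicies.tag.amazonaws.com",
    "backup.amazonaws.com", "config.amazonaws.com", "health.amazonaws.com",
    "license-manager.amazonaws.com", "ipam.amazonaws.com",
    "billing-cost-management.amazonaws.com", "compute-optimizer.amazonaws.com",
    "cost-optimization-hub.bcm.amazonaws.com",
    "license-management.marketplace.amazonaws.com",
    "storage-lens.s3.amazonaws.com", "reporting.trustedadvisor.amazonaws.com",
})


def service_access_drift(live_principals, expected=EXPECTED_ENABLED):
    """Return principals the README expects but the org lacks, and vice versa.

    "missing": a documented service has been disabled in the org.
    "unexpected": trusted access (and its roles in every member account) was
    turned on outside this repository and should be reviewed.
    """
    live = set(live_principals)
    return {
        "missing": sorted(expected - live),
        "unexpected": sorted(live - expected),
    }


def fetch_enabled_principals(client=None):
    """Page through ListAWSServiceAccessForOrganization in the management account."""
    import boto3  # imported here so service_access_drift() runs offline

    client = client or boto3.client("organizations")
    paginator = client.get_paginator("list_aws_service_access_for_organization")
    return [
        entry["ServicePrincipal"]
        for page in paginator.paginate()
        for entry in page["EnabledServicePrincipals"]
    ]


if __name__ == "__main__":
    for kind, principals in service_access_drift(fetch_enabled_principals()).items():
        print(f"{kind}: {principals}")
```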
Runbooks
Practical step-by-step guidance for manual or operational tasks.
Run GitHub SCIM Sync Job
Syncing GitHub Teams into AWS Identity Centre is one of the core services of the AWS Root Account.
This process enables users to seamlessly login to AWS Accounts using their GitHub Identities.
Although this process is automated to run on a schedule, you may sometimes need to run it manually.
It is perfectly safe to run manually via the console and will not cause any issues doing so.
Steps:
- SSO into the `MOJ Master` account as a `ModernisationPlatformEngineer`.
- Navigate to the "Lambda" service.
- Check that your Region is set to eu-west-2 (London).
- Navigate to "Functions" on the sidebar.
- Select `aws-sso-scim-github`.
- Select the `Test` tab.
- Select `Create new event`.
- Enter any name for the `Event name`, such as `RunJobManually`.
- Enter a blank JSON object for the test data, i.e. `{}`.
- Press the `Test` button; this will trigger the SCIM job.
- After a couple of minutes, the job should complete and display the logs of the run. If the request to run the job manually came from an individual, you can use the logs to confirm which users have been added to which team.
Validate: You can check AWS Identity Centre to validate if the expected users have gained the expected access to AWS Accounts and Applications.
Assign Access to an AWS Account
Grant a user or group access to a specific AWS account and permission set.
Steps:
- Identify the correct Azure AD group or GitHub Team corresponding to the AWS account and role.
- If no group exists for the access you need, you will have to raise a PR to assign a group with the permissions you require.
- Add the user into the Azure AD group or GitHub Team.
- Run a SCIM sync manually (or wait for the automatic run).
- Confirm access in AWS IAM Identity Center → "Assignments".
Validate: User can log in to AWS SSO and see the assigned account.
Making Changes that Impact the Entire Organisation
If you are making a change that could potentially impact Member Accounts, you should post a maintenance update on the MOJ Hosting External Status Page.
What changes do I need to create a maintenance post for?
Some changes within the Management AWS Accounts will impact the entire AWS Organisation. These changes typically include:
- Updating EntraID / GitHub SCIM jobs that populate AWS Identity Centre. Changes here could break or degrade the service of SSO potentially preventing teams gaining access to AWS Accounts via SSO.
- Enabling/Disabling AWS Services in AWS Organizations. Enabling/Disabling a service typically deploys infrastructure such as IAM Roles and Policies to all Member Accounts to establish Trusted Access.
- Changing the configuration of Organization Enabled AWS Services. Changes to these services could potentially create or destroy infrastructure in all Member Accounts.
- Adding/Updating a custom process that manages infrastructure in Member Accounts. This includes things like custom CloudFormation Templates we deploy across the Organisation, or ensuring all Member Accounts have `security@justice.gov.uk` as their Security Contact.
Why create a maintenance post?
Changes are normal and not a cause for concern in almost all cases. However, because these changes can generate activity in Member Accounts, they can trigger alarms that our members then need to investigate.
Raising a maintenance post for these changes can help minimise the time members need to investigate alarms that our changes may have triggered.
Closing an AWS Account
The current process for closing an AWS Account.
Steps:
- Raise a Pull Request against this repository to remove the AWS Account resource (`aws_organizations_account`) for the account needing to be removed, along with any references to that resource in the code.
- Post your pull request in the #aws-root-account Slack channel to be reviewed by the Hosting Leads.
- Once the pull request is approved and merged into the main branch, the apply job will run and fail because the pipeline role does not have permission to delete AWS Accounts. This will generate an alert in #aws-root-account.
- Sign into the MOJ Master Account with a role that has enough permissions to delete AWS Accounts.
- You may first need to move the Account to the Root Organisational Unit (OU) if an SCP applied to the AWS Account through its OU prevents account closures.
- Close the AWS Account.
- Move the closed AWS Account into the Closed OU.
- The account will remain in a closed state for 90 days until AWS fully deletes the account.