Cloud Foundation Assessment Tool
Generated on: Tue, 22 Apr 2025 04:41:25 GMT


Incomplete Requirements:
    INCOMPLETE: Top-level Security OU deployed
    INCOMPLETE: Control Tower deployed
    INCOMPLETE: Log Archive account deployed
    INCOMPLETE: Audit account deployed

====================================

Foundation Status: INCOMPLETE
Estimate of Required Level of Effort (LOE): 12 hours
CFAT Score: 99 out of 158

====================================

Foundation Checks:
┌─────────┬────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────┬──────────────┬──────────┬────────┬─────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ (index) │ check                                                      │ description                                                                               │ status       │ required │ weight │ loe │ remediationLink                                                                                                                                 │
├─────────┼────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┼──────────────┼──────────┼────────┼─────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ 0       │ 'AWS Organization created'                                 │ 'AWS Organization is enabled.'                                                            │ 'complete'   │ true     │ 6      │ 1   │ 'https://aws.amazon.com/organizations/getting-started/'                                                                                         │
│ 1       │ 'Management Account created'                               │ 'AWS Management account exists.'                                                          │ 'complete'   │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html'                                                               │
│ 2       │ 'Management Account IAM users removed'                     │ 'IAM Users should not exist in Management Account.'                                       │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting'                                                       │
│ 3       │ 'Management Account EC2 instances removed'                 │ 'EC2 Instances should not exist in Management Account.'                                   │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html'                                                                │
│ 4       │ 'Management Account VPCs removed'                          │ 'Management Account should not have any VPCs.'                                            │ 'incomplete' │ false    │ 4      │ 1   │ 'https://github.com/cloud-foundations-on-aws/cloud-foundations-templates/blob/main/network/network-default-vpc-deletion/README.md'              │
│ 5       │ 'CloudTrail Trail created'                                 │ 'CloudTrail should be enabled within the account.'                                        │ 'complete'   │ true     │ 6      │ 3   │ 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                                                   │
│ 6       │ 'CloudTrail Organization Service enabled'                  │ 'CloudTrail should be enabled on the Organization.'                                       │ 'complete'   │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudtrail.html'                                        │
│ 7       │ 'CloudTrail Org Trail deployed'                            │ 'At least one CloudTrail Organization Trail should be enabled.'                           │ 'complete'   │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                                                   │
│ 8       │ 'Config Recorder in Management Account configured'         │ 'Config Recorder in the Management Account should be enabled.'                            │ 'complete'   │ true     │ 6      │ 2   │ 'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'                        │
│ 9       │ 'Config Delivery Channel in Management Account configured' │ 'Config Delivery Channel in Management Account should be enabled.'                        │ 'complete'   │ true     │ 6      │ 2   │ 'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'                        │
│ 10      │ 'CloudFormation StackSets activated'                       │ 'CloudFormation StackSets should be activated in the CloudFormation console.'             │ 'incomplete' │ false    │ 5      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-ta-cloudformation' │
│ 11      │ 'GuardDuty Organization service enabled'                   │ 'GuardDuty Organization services should be enabled.'                                      │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html#integrate-enable-ta-guardduty'           │
│ 12      │ 'RAM Organization service enabled'                         │ 'Resource Access Manager (RAM) trusted access should be enabled in the AWS Organization.' │ 'complete'   │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ram.html#integrate-enable-ta-ram'                       │
│ 13      │ 'Security Hub Organization service enabled'                │ 'Security Hub trusted access should be enabled in the AWS Organization.'                  │ 'complete'   │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub'       │
│ 14      │ 'IAM Access Analyzer Organization service enabled'         │ 'IAM Access Analyzer trusted access should be enabled in the AWS Organization.'           │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling'                                │
│ 15      │ 'Config Organization service enabled'                      │ 'AWS Config trusted access should be enabled in the AWS Organization.'                    │ 'complete'   │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html#integrate-enable-ta-config'                 │
│ 16      │ 'CloudFormation Organization service enabled'              │ 'CloudFormation trusted access should be enabled in the AWS Organization.'                │ 'complete'   │ false    │ 5      │ 1   │ 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html'                                    │
│ 17      │ 'Top-level Infrastructure OU deployed'                     │ 'Top-level Infrastructure OU should exist.'                                               │ 'incomplete' │ false    │ 5      │ 2   │ 'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                                                      │
│ 18      │ 'Top-level Security OU deployed'                           │ 'Top-level Security OU should exist.'                                                     │ 'incomplete' │ true     │ 6      │ 2   │ 'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                                                      │
│ 19      │ 'Top-level Workloads OU deployed'                          │ 'Top-level Workloads OU should exist.'                                                    │ 'incomplete' │ false    │ 5      │ 2   │ 'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                                                      │
│ 20      │ 'IAM IdC Organization service enabled'                     │ 'IAM Identity Center trusted access should be enabled in the AWS Organization'            │ 'complete'   │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html'                                                             │
│ 21      │ 'IAM IdC configured'                                       │ 'IAM Identity Center should be configured.'                                               │ 'complete'   │ true     │ 6      │ 3   │ 'https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html'                                                                      │
│ 22      │ 'Service Control Policies enabled'                         │ 'Service Control Policy should be enabled within the AWS Organization.'                   │ 'complete'   │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                                           │
│ 23      │ 'Organization Tag Policy enabled'                          │ 'Tag Policy should be enabled within the AWS Organization.'                               │ 'complete'   │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                                           │
│ 24      │ 'Organization Backup Policy enabled'                       │ 'Backup Policy should be enabled within the AWS Organization.'                            │ 'complete'   │ false    │ 5      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                                           │
│ 25      │ 'Control Tower deployed'                                   │ 'Control Tower should be deployed.'                                                       │ 'incomplete' │ true     │ 6      │ 6   │ 'https://catalog.workshops.aws/control-tower/en-US/prerequisites/deploying'                                                                     │
│ 26      │ 'Control Tower latest version'                             │ 'Control Tower should be the latest version.'                                             │ 'complete'   │ false    │ 5      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html'                                                            │
│ 27      │ 'Control Tower not drifted'                                │ 'Control Tower should not be drifted.'                                                    │ 'complete'   │ true     │ 6      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/resolve-drift.html'                                                                  │
│ 28      │ 'Log Archive account deployed'                             │ 'Log Archive account should exist.'                                                       │ 'incomplete' │ true     │ 6      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                                                   │
│ 29      │ 'Audit account deployed'                                   │ 'Audit/Security Tooling account should exist.'                                            │ 'incomplete' │ true     │ 6      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                                                   │
└─────────┴────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────┴──────────────┴──────────┴────────┴─────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘


Start Detailed Report:


*********************************************************
                   MANAGEMENT ACCOUNT
*********************************************************

AWS ACCOUNT TYPE

  Is in AWS Organization: true
  Assessing AWS Management Account: true

IAM USERS CHECK

  IAM User: platform-team@platform-team.internal
    User API Key ID: AKIA<EXAMPLE_KEY_ID_1>

  IAM User: platform-team@platform-team.internal
    User API Key ID: AKIA<EXAMPLE_KEY_ID_2>


EC2 INSTANCE CHECK

  No EC2 instances found.

VPC CHECK

  ap-south-1 - found VPC(s).
  eu-north-1 - found VPC(s).
  eu-west-3 - found VPC(s).
  eu-west-2 - found VPC(s).
  eu-west-1 - found VPC(s).
  ap-northeast-3 - found VPC(s).
  ap-northeast-2 - found VPC(s).
  ap-northeast-1 - found VPC(s).
  ca-central-1 - found VPC(s).
  sa-east-1 - found VPC(s).
  ap-southeast-1 - found VPC(s).
  ap-southeast-2 - found VPC(s).
  eu-central-1 - found VPC(s).
  us-east-2 - found VPC(s).
  us-west-1 - found VPC(s).
  ap-southeast-6 - found VPC(s).

AWS CONFIG CHECK

  ap-south-1 - Config Recorder found
  ap-south-1 - Config Delivery Channel found
  eu-north-1 - Config Recorder found
  eu-north-1 - Config Delivery Channel found
  eu-west-3 - Config Recorder found
  eu-west-3 - Config Delivery Channel found
  eu-west-2 - Config Recorder found
  eu-west-2 - Config Delivery Channel found
  eu-west-1 - Config Recorder found
  eu-west-1 - Config Delivery Channel found
  ap-northeast-3 - Config Recorder found
  ap-northeast-3 - Config Delivery Channel found
  ap-northeast-2 - Config Recorder found
  ap-northeast-2 - Config Delivery Channel found
  ap-northeast-1 - Config Recorder found
  ap-northeast-1 - Config Delivery Channel found
  ca-central-1 - Config Recorder found
  ca-central-1 - Config Delivery Channel found
  sa-east-1 - Config Recorder found
  sa-east-1 - Config Delivery Channel found
  ap-southeast-1 - Config Recorder found
  ap-southeast-1 - Config Delivery Channel found
  ap-southeast-2 - Config Recorder found
  ap-southeast-2 - Config Delivery Channel found
  eu-central-1 - Config Recorder found
  eu-central-1 - Config Delivery Channel found
  us-east-2 - Config Recorder found
  us-east-2 - Config Delivery Channel found
  us-west-1 - Config Recorder found
  us-west-1 - Config Delivery Channel found
  ap-southeast-6 - Config Recorder found
  ap-southeast-6 - Config Delivery Channel found

MANAGEMENT ACCOUNT TASKS:
  Remove IAM user platform-team@platform-team.internal - Management Account - Review and determine if IAM user platform-team@platform-team.internal can be deleted.
  Remove IAM user platform-team@platform-team.internal API key AKIA<EXAMPLE_KEY_ID_1> - Management Account - Review and determine if IAM user API key AKIA<EXAMPLE_KEY_ID_1> for platform-team@platform-team.internal can be removed.
  Remove IAM user platform-team@platform-team.internal API key AKIA<EXAMPLE_KEY_ID_2> - Management Account - Review and determine if IAM user API key AKIA<EXAMPLE_KEY_ID_2> for platform-team@platform-team.internal can be removed.
  Delete VPC in ap-south-1 - Management Account - Delete any unnecessary VPC in ap-south-1 to include the default VPC.
  Delete VPC in eu-north-1 - Management Account - Delete any unnecessary VPC in eu-north-1 to include the default VPC.
  Delete VPC in eu-west-3 - Management Account - Delete any unnecessary VPC in eu-west-3 to include the default VPC.
  Delete VPC in eu-west-2 - Management Account - Delete any unnecessary VPC in eu-west-2 to include the default VPC.
  Delete VPC in eu-west-1 - Management Account - Delete any unnecessary VPC in eu-west-1 to include the default VPC.
  Delete VPC in ap-northeast-3 - Management Account - Delete any unnecessary VPC in ap-northeast-3 to include the default VPC.
  Delete VPC in ap-northeast-2 - Management Account - Delete any unnecessary VPC in ap-northeast-2 to include the default VPC.
  Delete VPC in ap-northeast-1 - Management Account - Delete any unnecessary VPC in ap-northeast-1 to include the default VPC.
  Delete VPC in ca-central-1 - Management Account - Delete any unnecessary VPC in ca-central-1 to include the default VPC.
  Delete VPC in sa-east-1 - Management Account - Delete any unnecessary VPC in sa-east-1 to include the default VPC.
  Delete VPC in ap-southeast-1 - Management Account - Delete any unnecessary VPC in ap-southeast-1 to include the default VPC.
  Delete VPC in ap-southeast-2 - Management Account - Delete any unnecessary VPC in ap-southeast-2 to include the default VPC.
  Delete VPC in eu-central-1 - Management Account - Delete any unnecessary VPC in eu-central-1 to include the default VPC.
  Delete VPC in us-east-2 - Management Account - Delete any unnecessary VPC in us-east-2 to include the default VPC.
  Delete VPC in us-west-1 - Management Account - Delete any unnecessary VPC in us-west-1 to include the default VPC.
  Delete VPC in ap-southeast-6 - Management Account - Delete any unnecessary VPC in ap-southeast-6 to include the default VPC.

*********************************************************
                    GOVERNANCE
*********************************************************

AWS ORGANIZATION POLICY TYPES

  Service Control Policies (SCP) enabled: true
  Tag Policies enabled: true
  Backup Policies enabled: true

AWS ORGANIZATION CLOUDFORMATION

  AWS CloudFormation Organization stack sets status : ENABLED

CLOUDTRAIL CHECK

  CloudTrail found in ap-southeast-2
    Is Organization Trail: true
    Is MultiRegion: true


GOVERNANCE SERVICES ENABLED IN AWS ORGANIZATION:

  AWS CloudTrail
  AWS Config

GOVERNANCE TASKS:

*********************************************************
                FINANCIAL MANAGEMENT
*********************************************************

Legacy CUR
  Is legacy CUR setup: true

CLOUD FINANCIAL MANAGEMENT TASKS:

*********************************************************
                MULTI-ACCOUNT STRATEGY
*********************************************************

AWS ORGANIZATION DETAILS

  AWS Organization Id: o-7qetdtd2wa
  AWS Organization ARN: arn:aws:organizations::$ACCOUNT_ID:organization/$ORG_ID
  AWS Organization Root OU Id: r-jwu0

AWS ORGANIZATION CLOUDFORMATION

  AWS CloudFormation Organization stack sets status : ENABLED

AWS ORGANIZATION TOP-LEVEL ORGANIZATION UNITS

  List of Organization's top-level OUs and AWS accounts:
    Organizational Unit: ou-nz-applications
      Organizational Unit Id: ou-jwu0-ocsm4re1
      AWS Accounts: None

    Organizational Unit: ou-shared-services
      Organizational Unit Id: ou-jwu0-72eyxnqv
      AWS Accounts: None

    Organizational Unit: ou-au-applications
      Organizational Unit Id: ou-jwu0-xrrithh4
      AWS Accounts: None

    Organizational Unit: ou-exceptions
      Organizational Unit Id: ou-jwu0-wxc5o8id
      AWS Accounts:
        Demo-Center

    Organizational Unit: ou-security
      Organizational Unit Id: ou-jwu0-2qhpuvtu
      AWS Accounts: None


AWS ORGANIZATION MEMBER ACCOUNTS

  Account: ams-api-prod
  Account Email: aws-bc-ams-api-prod@datacom.com

  Account: vams-nz-multi-fuel-apps-non-prod
  Account Email: aws-bc-vams-nz-multi-fuel-apps-non-prod@datacom.com

  Account: Demo-Center
  Account Email: aws-bc-demo-center@datacom.com

  Account: vams-nz-multi-fuel-api-non-prod
  Account Email: aws-bc-vams-nz-multi-fuel-api-non-prod@datacom.com

  Account: bluecurrent-batch-jobs-test
  Account Email: aws-bc-batch-jobs-test@datacom.com

  Account: ams-av-dw
  Account Email: aws-bc-ams-av-dw@datacom.com

  Account: bluecurrent-batch-jobs-prod
  Account Email: aws-bc-batch-jobs-prod@datacom.com

  Account: vams-nz-elec-outbound-sec
  Account Email: aws-bc-vams-nz-elec-outbound-sec@datacom.com

  Account: bc-corp-prod
  Account Email: aws-bc-corp-prod@datacom.com

  Account: vams-nz-multi-fuel-api-sandbox
  Account Email: aws-bc-vams-nz-multi-fuel-api-sandbox@datacom.com

  Account: bc-corp-sit
  Account Email: aws-bc-corp-sit@datacom.com

  Account: ams-poc1
  Account Email: aws-bc-ams-poc1@datacom.com

  Account: bc-photo-poc
  Account Email: aws-bc-photo-poc@datacom.com

  Account: vams-au-elec-external-non-prod
  Account Email: aws-bc-vams-au-elec-external-non-prod@datacom.com

  Account: vams-au-multi-fuel-apps-non-prod
  Account Email: aws-bc-vams-au-multi-fuel-apps-non-prod@datacom.com

  Account: vams-au-multi-fuel-apps-sandbox
  Account Email: aws-bc-vams-au-multi-fuel-apps-sandbox@datacom.com

  Account: bc-commvault-backup
  Account Email: aws-bc-commvault-backup@datacom.com

  Account: bc-corp-dev
  Account Email: aws-bc-corp-dev@datacom.com

  Account: vams-au-multi-fuel-api-sandbox
  Account Email: aws-bc-vams-au-multi-fuel-api-sandbox@datacom.com

  Account: bc-aws-connect-prod
  Account Email: aws-bc-aws-connect-prod@datacom.com

  Account: bc-corp-monitoring-prod
  Account Email: aws-bc-corp-monitoring-prod@datacom.com

  Account: bluecurrent-nz-soa-poc
  Account Email: aws-bc-nz-soa-poc@datacom.com

  Account: vams-nz-elec-datalake-prod
  Account Email: aws-bc-vams-nz-elec-datalake-prod@datacom.com

  Account: bc-aws-connect-test
  Account Email: aws-bc-aws-connect-test@datacom.com

  Account: ams-audit
  Account Email: aws-bc-ams-audit@datacom.com

  Account: bc-datalake-dev
  Account Email: aws-bc-datalake-dev@datacom.com

  Account: vams-nz-elec-sidecar
  Account Email: aws-bc-vams-nz-elec-sidecar@datacom.com

  Account: arcs-syd-prod
  Account Email: aws-bc-arcs-syd-prod@datacom.com

  Account: vams-au-metering-elec-mass-security
  Account Email: aws-bc-vams-au-metering-elec-mass-security@datacom.com

  Account: bluecurrent-nz-assetmanagement-jde
  Account Email: aws-bc-nz-assetmanagement-jde@datacom.com

  Account: vams-nz-multi-fuel-apps-sandbox
  Account Email: aws-bc-vams-nz-multi-fuel-apps-sandbox@datacom.com

  Account: vams-nz-elec-datalake-test
  Account Email: aws-bc-vams-nz-elec-datalake-test@datacom.com

  Account: ams-centralised-ops
  Account Email: aws-bc-ams-centralised-ops@datacom.com

  Account: ams-security
  Account Email: aws-bc-ams-security@datacom.com

  Account: bc-corp-monitoring-non-prod
  Account Email: aws-bc-corp-monitoring-non-prod@datacom.com

  Account: vams-au-metering-elec-mass-dev
  Account Email: aws-bc-vams-au-metering-elec-mass-dev@datacom.com

  Account: vams-nz-elec-inbound-sec
  Account Email: aws-bc-vams-nz-elec-inbound-sec@datacom.com

  Account: vams-au-multi-fuel-api-non-prod
  Account Email: aws-bc-vams-au-multi-fuel-api-non-prod@datacom.com

  Account: ams-gateway-1
  Account Email: aws-bc-ams-gateway-1@datacom.com

  Account: ams-admin
  Account Email: aws-bc-management@datacom.com

  Account: vams-nz-elec-sandbox
  Account Email: aws-bc-vams-nz-elec-sandbox@datacom.com

  Account: vams-au-metering-elec-mass-preprod
  Account Email: aws-bc-vams-au-metering-elec-mass-preprod@datacom.com

  Account: vams-nz-elec-internal-non-prod
  Account Email: aws-bc-vams-nz-elec-internal-non-prod@datacom.com

  Account: vams-au-metering-elec-mass-sit
  Account Email: aws-bc-vams-au-metering-elec-mass-sit@datacom.com

  Account: vams-au-multi-fuel-api-prod
  Account Email: aws-bc-vams-au-multi-fuel-api-prod@datacom.com

  Account: ams-api-dev
  Account Email: aws-bc-ams-api-dev@datacom.com

  Account: ams-appstream-prod
  Account Email: aws-bc-ams-appstream-prod@datacom.com

  Account: vams-au-elec-internal-non-prod
  Account Email: aws-bc-vams-au-elec-internal-non-prod@datacom.com

  Account: vams-nz-multi-fuel-api-prod
  Account Email: aws-bc-vams-nz-multi-fuel-api-prod@datacom.com

  Account: bc-datalake-preprod
  Account Email: aws-bc-datalake-preprod@datacom.com

  Account: ams-shared-services
  Account Email: aws-bc-ams-shared-services@datacom.com

  Account: vams-nz-elec-internal-prod
  Account Email: aws-bc-vams-nz-elec-internal-prod@datacom.com

  Account: vams-nz-metering-elec-mass-security
  Account Email: aws-bc-vams-nz-metering-elec-mass-security@datacom.com

  Account: vams-au-multi-fuel-apps-prod
  Account Email: aws-bc-vams-au-multi-fuel-apps-prod@datacom.com

  Account: vams-metering-autotest-prod
  Account Email: aws-bc-vams-metering-autotest-prod@datacom.com

  Account: vamsnz-syd-prod
  Account Email: aws-bc-vamsnz-syd-prod@datacom.com

  Account: bc-corp-uat
  Account Email: aws-bc-corp-uat@datacom.com

  Account: ams-shared-services-non-prod
  Account Email: aws-bc-ams-shared-services-non-prod@datacom.com

  Account: vams-nz-multi-fuel-apps-prod
  Account Email: aws-bc-vams-nz-multi-fuel-apps-prod@datacom.com


AWS ORGANIZATION ENABLED SERVICES

  The following AWS Services are enabled within your AWS Organization:
    account.amazonaws.com
    backup.amazonaws.com
    cloudtrail.amazonaws.com
    config-multiaccountsetup.amazonaws.com
    config.amazonaws.com
    iam.amazonaws.com
    member.org.stacksets.cloudformation.amazonaws.com
    ram.amazonaws.com
    reporting.trustedadvisor.amazonaws.com
    resource-explorer-2.amazonaws.com
    securityhub.amazonaws.com
    ssm.amazonaws.com
    sso.amazonaws.com
    tagpolicies.tag.amazonaws.com

AWS ORGANIZATION INTEGRATED SERVICE REGISTERED DELEGATED ADMINS

  Account: ams-audit
  Delegated Services:
    securityhub.amazonaws.com

  Account: ams-centralised-ops
  Delegated Services:
    config.amazonaws.com
    resource-explorer-2.amazonaws.com


MULTI-ACCOUNT STRATEGY TASKS:
  Review Account Email Addresses - Multi-Account Strategy - Review Account Email Addresses in AWS Organization
  Deploy Transitional OU - Multi-Account Strategy - Deploy Transitional OU in AWS Organization
  Deploy Suspended OU - Multi-Account Strategy - Deploy Suspended OU in AWS Organization
  Deploy Workloads OU - Multi-Account Strategy - Deploy Workloads OU in AWS Organization
  Deploy Security OU - Multi-Account Strategy - Deploy Security OU in AWS Organization
  Deploy Infrastructure OU - Multi-Account Strategy - Deploy Infrastructure OU in AWS Organization

*********************************************************
                  LANDING ZONE
*********************************************************

AWS CONTROL TOWER

  AWS Control Tower is not deployed in the AWS Organization

LANDING ZONE TASKS:
  Deploy AWS Control Tower - Landing Zone - Deploy AWS Control Tower in AWS Organization

*********************************************************
                    IDENTITY
*********************************************************

AWS IAM IDENTITY CENTER

  IdC Region: ap-southeast-2
  IdC ARN: arn:aws:sso:::instance/ssoins-825940b04bdafef9
  IdC Instance Id: d-976752e8d5

IDENTITY TASKS:
  Delegate administration to AWS IAM Identity Center - Identity - Delegate administration to AWS IAM Identity Center

*********************************************************
                    SECURITY
*********************************************************

AWS SECURITY SERVICES ENABLED IN AWS ORGANIZATION:

  AWS Security Hub
  AWS CloudTrail
  AWS Config

SECURITY TASKS:
  Delegate administration to AWS GuardDuty - Security - Delegate administration to AWS GuardDuty
  Delegate administration to AWS IAM Access Analyzer - Security - Delegate administration to AWS IAM Access Analyzer
  Delegate administration of AWS GuardDuty - Security - Delegate administration to AWS GuardDuty
  Delegate administration of AWS IAM Access Analyzer - Security - Delegate administration to AWS IAM Access Analyzer
  Delegate administration of Amazon S3 Storage Lens - Security - Delegate administration to Amazon S3 Storage Lens

*********************************************************
                    NETWORK
*********************************************************

NETWORK TASKS:
  Enable AWS GuardDuty - Network - Enable AWS GuardDuty in AWS Organization
  Enable AWS IPAM - Network - Enable AWS IPAM in AWS Organization
  Delegate administration of AWS IPAM - Network - Delegate administration to AWS IPAM

*********************************************************
                  OBSERVABILITY
*********************************************************

OBSERVABILITY TASKS:
  Delegate administration of AWS Account - Observability - Delegate administration to AWS Account

*********************************************************
               BACKUP AND RECOVERY
*********************************************************

BACKUP AND RECOVERY TASKS:
  Delegate administration of AWS Backup - Backup and Recovery - Delegate administration to AWS Backup


  END REVIEW
