Ensure that there is an Amazon CloudWatch alarm implemented within your AWS Master account that is triggered each time an administrator-specific action occurs within your AWS Organizations.
Using Amazon CloudWatch alarms to detect administrator-specific changes such as create organization, delete organization, create new accounts within an organization or remove a member account from an organization is considered best practice and can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.
Note 1: Enabling CloudWatch alarms to detect changes performed within your AWS organization is required only for the Master account available in the organization.
Note 2: For this rule, Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account; otherwise see this rule to enable the AWS CloudTrail – CloudWatch integration.
Note 3: Currently, AWS Organizations is hosted in only the US East (N. Virginia) Region even though it is available globally. To perform the steps, you must configure the AWS Management Console/CLI to use that region.
To determine if there are any CloudWatch alarms set up to monitor your AWS Organizations changes, perform the following actions:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notifications whenever the appropriate AWS CloudWatch alarm is triggered:
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an administrator-specific change is made within your AWS Organizations:
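Steps 1 and 2 carried out with boto3, as an added example that is not part of the Cloud Conformity rule page: it builds the CloudTrail metric filter pattern for the four Organizations actions named above, checks which sample CloudTrail records that filter would match, and provisions the SNS topic, subscription, metric filter and alarm in us-east-1 (Note 3). The log group name, topic name, metric namespace and email address are assumptions.

```python
import json

# Administrator-specific AWS Organizations API calls named on the page.
ORG_ADMIN_EVENTS = ("CreateOrganization", "DeleteOrganization",
                    "CreateAccount", "RemoveAccountFromOrganization")


def filter_pattern(event_names=ORG_ADMIN_EVENTS):
    """CloudWatch Logs filter pattern applied to CloudTrail JSON events."""
    names = " || ".join(f'($.eventName = "{n}")' for n in event_names)
    return f'{{ ($.eventSource = "organizations.amazonaws.com") && ({names}) }}'


def event_matches(cloudtrail_event_json, event_names=ORG_ADMIN_EVENTS):
    """Local check with the same two conditions the filter pattern encodes."""
    ev = json.loads(cloudtrail_event_json)
    return (ev.get("eventSource") == "organizations.amazonaws.com"
            and ev.get("eventName") in event_names)


def provision(log_group, email, region="us-east-1",
              topic="org-admin-changes", metric_ns="CloudTrailMetrics"):
    """Step 1 (SNS topic + email subscription) and Step 2 (filter + alarm).
    Needs AWS credentials; boto3 is imported here so the rest runs offline."""
    import boto3
    sns = boto3.client("sns", region_name=region)
    topic_arn = sns.create_topic(Name=topic)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    boto3.client("logs", region_name=region).put_metric_filter(
        logGroupName=log_group, filterName="OrganizationsAdminChanges",
        filterPattern=filter_pattern(),
        metricTransformations=[{"metricName": "OrganizationsAdminChanges",
                                "metricNamespace": metric_ns, "metricValue": "1"}])
    boto3.client("cloudwatch", region_name=region).put_metric_alarm(
        AlarmName="OrganizationsAdminChanges", Namespace=metric_ns,
        MetricName="OrganizationsAdminChanges", Statistic="Sum", Period=300,
        EvaluationPeriods=1, Threshold=1,
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching", AlarmActions=[topic_arn])
    return topic_arn


# Constructed sample CloudTrail records (not real log data); only the first
# one is an Organizations admin action and should trigger the alarm metric.
SAMPLE_EVENTS = [
    '{"eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount"}',
    '{"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization"}',
    '{"eventSource": "iam.amazonaws.com", "eventName": "CreateAccount"}',
]

if __name__ == "__main__":
    print(filter_pattern())
    for e in SAMPLE_EVENTS:
        print(event_matches(e), e)
    # provision("CloudTrail/DefaultLogGroup", "secops@example.com")  # assumed values
```

Extending `ORG_ADMIN_EVENTS` with further Organizations API names (for example handshake or policy changes) is the only change needed to widen the alarm's coverage.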