TD SYNNEX Support Policy for AWS Organizations (Commercial) Version 4.2025
About AWS Organizations
AWS Organizations provides account management and consolidated billing capabilities. When establishing an organization, customers have the option to enable consolidated billing or activate all features.
By enabling all features, customers gain access to advanced account management functionalities, including Service Control Policies (SCPs), which provide centralized control over the maximum available permissions for all accounts within an organization.
TD SYNNEX Support for AWS Organizations
New AWS Organizations
For end customers requiring advanced AWS Organizations features, such as SCPs and Control Tower functionality, TD SYNNEX provisions a dedicated AWS management (payer) account. Customers can create new AWS accounts under the payer or link existing accounts as needed.
Existing AWS Organizations
For customers with an existing AWS Organization, the customer retains root access for all child (member) accounts. Through the Consent to Assign (CTA) process, a formal agreement is executed between the reseller and TD SYNNEX, assigning responsibility for all associated fees and charges to TD SYNNEX.
Upon signing the CTA, TD SYNNEX collaborates with the current account owner (reseller or end customer) to:
• Establish a new root email address.
• Assign TD SYNNEX's payment method to ensure billing consolidation.
• Verify that all accounts requested for transfer have no outstanding balances. Unresolved balances must be settled before completing the transfer process.
Root Credential Management
TD SYNNEX is required to retain root access to AWS management accounts (payer accounts) per its agreements with AWS. AWS designates the root email of the payer as the entity responsible for financial transactions with AWS, while customers retain operational ownership of their organizations.
Root credentials are used only when necessary for AWS tasks that explicitly require root user access. Such actions are performed only at the customer's request when shared access is established.
Security Measures:
• Root passwords are stored in a secure vault with end-to-end encryption.
• Clipboard auto-clear mechanisms prevent password leakage from user systems.
• TD SYNNEX network access is secured with multi-factor authentication (MFA).
• Root access is strictly limited to designated administrators and their direct supervisors, ensuring controlled access in case of emergencies.
• Passwords adhere to strict security standards, including historical policies, minimum and maximum age, length, and complexity requirements.
End User Access to the Management Account
To facilitate customer control over their AWS Organizations under the reseller model, TD SYNNEX creates an IAM user within the payer account and provides credentials to designated customer contacts. This IAM user has administrative rights for AWS Organizations but is restricted from billing and IAM features.
Guidelines:
• Customers must not create workload-type AWS services within the payer account. The payer account exists primarily to facilitate consolidated billing.
• Root ownership of all child (linked) accounts remains with the end customer. Billing is consolidated under the payer, while all instance-level interactions are managed at the individual account level.
To maintain financial oversight of an AWS Organization, customers must not:
• Deploy production workloads in the management account.
• Purchase Reserved Instances or Savings Plans from the management account.
Justification:
• Support Cost Management: Ensuring support costs remain predictable, as the management account typically has Business-Level Support enabled.
• Liability Mitigation: Preventing TD SYNNEX from assuming liability for workloads running in the management account.
Standard Administrative Practices
TD SYNNEX operates (3) IAM User Groups for account administration:
TD SYNNEX Operations Team Responsibilities:
• Viewing billing details and downloading invoices.
• Linking AWS accounts (upon request).
• Creating new AWS accounts (upon request).
• Opening support tickets with AWS.
• Activating cost allocation tags.
• Setting up additional end-customer 'OrgUsers' as needed.
IAM User Groups & Roles:
• TD-BillingOps-Role: Manages billing and cost-related tasks.
• TD-SupportOps-Role: Handles technical support-related tasks.
• TD Cloud-OPS Admin: Cloud Engineer role for tasks requiring elevated credentials.
Root-Level Activities: Root access is used only for specific customer-requested actions or tasks requiring root authorization, such as:
• Billing disputes.
• Enabling IAM access to the Billing and Cost Management Console.
• Accepting specialized AWS Marketplace license agreements.
For a complete list of tasks requiring root access, visit:
Security Measures for Root Access:
• Root logins are protected by token-based MFA.
• Physical security controls restrict token access.
• Root logins trigger automated alerts sent to designated stakeholders.
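The root-login alert described above, as an added example that is not part of the TD SYNNEX policy: detection logic a defender would run over CloudTrail ConsoleLogin records, flagging every root login and raising the severity when the login did not use MFA. The records are constructed sample data, and the account ID and IP addresses are placeholders.

```python
"""Flag AWS root-user console logins in CloudTrail records.

Added example, not TD SYNNEX code. The policy above says root logins are
MFA-protected and raise automated alerts; this is the matching detection
logic run over constructed CloudTrail records (sample data, not real logs).
"""
import json

# Constructed CloudTrail ConsoleLogin records (not real log data).
SAMPLE_RECORDS = json.loads("""[
 {"eventName": "ConsoleLogin", "eventTime": "2025-04-01T09:12:00Z",
  "userIdentity": {"type": "Root", "accountId": "111111111111"},
  "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventName": "ConsoleLogin", "eventTime": "2025-04-01T09:40:00Z",
  "userIdentity": {"type": "IAMUser", "userName": "OrgUser", "accountId": "111111111111"},
  "sourceIPAddress": "203.0.113.11", "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventName": "ConsoleLogin", "eventTime": "2025-04-02T02:05:00Z",
  "userIdentity": {"type": "Root", "accountId": "111111111111"},
  "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Failure"}}
]""")


def root_login_alerts(records):
    """Return one alert per root ConsoleLogin event (success or failure).

    Every root login is alerted, as the policy requires; a login made without
    MFA is marked severity "high" because it contradicts the MFA control.
    """
    alerts = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        identity = rec.get("userIdentity", {})
        if identity.get("type") != "Root":
            continue
        mfa_used = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        alerts.append({
            "time": rec.get("eventTime"),
            "account": identity.get("accountId"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": rec.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
            "mfa_used": mfa_used,
            "severity": "medium" if mfa_used else "high",
        })
    return alerts
```

Running `root_login_alerts(SAMPLE_RECORDS)` yields two alerts: the MFA-backed root login at medium severity and the failed, non-MFA root login at high severity; the IAM user login is ignored.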
Programmatic Access
Depending on the AWS region, TD SYNNEX may have the following programmatic cross-account roles:
• StreamOne ION: Cloud platform read-only role for cost and usage data (hourly updates).
• (US ONLY) CIS-Billing: Cross-account read-only role for monthly cost and usage reporting.
Data Visibility
TD SYNNEX collects cost and usage data for all AWS services. This includes billing details at the hourly or monthly level, broken down by product, resource, or user-defined tags.
TD SYNNEX does not collect or access:
• Sensitive personal data, such as healthcare, demographic, or PCI information.
For further details, refer to the .
Transferring Ownership of AWS Management Accounts
TD SYNNEX follows AWS best practices for transferring ownership of AWS management (payer) accounts.
Consent to Assign (CTA) Process:
• The Assignee is the recipient of contractual rights and obligations.
• The Assignor is the original contract holder transferring these rights.
Transferring a management account does not affect:
• Linked accounts.
• AWS Organization settings or policies.
• Savings Plan and Reserved Instance purchases.
Ownership Transfer Process:
1. Verification of outstanding balances (must be resolved before transfer).
2. Execution of CTA specifying an effective date (financial obligations are assumed for a full calendar month).
3. TD SYNNEX assists in gathering the required data and submitting the transfer request to AWS.
Upon transfer completion, TD SYNNEX will:
• Remove IAM users previously managing the account.
• Remove MFA from the root email address.
• Update the root email to an address designated by the new owner (must not be registered with Amazon.com or AWS).
The new account owner must:
• Update account contact information.
• Enter an alternate payment method (e.g., credit card, invoicing terms).
• Verify and remove any unauthorized user accounts.
Processing Time: Allow at least 5 to 10 business days for approval and completion.
The current default IAM entities
NAMER
TD-CloudOps-Role
Policy Doc:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
TD-BillingOps-Role
Policy Doc:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CEAccess",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage", "ce:GetReservationPurchaseRecommendation", "ce:GetPreferences",
        "ce:ListSavingsPlansPurchaseRecommendationGeneration", "ce:ListTagsForResource",
        "ce:GetReservationUtilization", "ce:GetCostCategories", "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilizationDetails", "ce:GetDimensionValues", "ce:GetAnomalySubscriptions",
        "ce:DescribeReport", "ce:GetReservationCoverage", "ce:GetAnomalyMonitors", "ce:GetUsageForecast",
        "ce:DescribeNotificationSubscription", "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation", "ce:GetSavingsPlansUtilization", "ce:GetAnomalies",
        "ce:ListCostCategoryDefinitions", "ce:GetCostForecast", "ce:GetCostAndUsageWithResources",
        "ce:ListCostAllocationTags", "ce:GetSavingsPlanPurchaseRecommendationDetails",
        "ce:GetSavingsPlansCoverage", "ce:GetConsoleActionSetEnforced", "ce:GetTags"
      ],
      "Resource": "*"
    }
  ]
}
TD-SupportOps-Role
Policy Doc:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CEAccess",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage", "ce:GetReservationPurchaseRecommendation", "ce:GetPreferences",
        "ce:ListSavingsPlansPurchaseRecommendationGeneration", "ce:ListTagsForResource",
        "ce:GetReservationUtilization", "ce:GetCostCategories", "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilizationDetails", "ce:GetDimensionValues", "ce:GetAnomalySubscriptions",
        "ce:DescribeReport", "ce:GetReservationCoverage", "ce:GetAnomalyMonitors", "ce:GetUsageForecast",
        "ce:DescribeNotificationSubscription", "ce:DescribeCostCategoryDefinition",
        "ce:GetRightsizingRecommendation", "ce:GetSavingsPlansUtilization", "ce:GetAnomalies",
        "ce:ListCostCategoryDefinitions", "ce:GetCostForecast", "ce:GetCostAndUsageWithResources",
        "ce:ListCostAllocationTags", "ce:GetSavingsPlanPurchaseRecommendationDetails",
        "ce:GetSavingsPlansCoverage", "ce:GetConsoleActionSetEnforced", "ce:GetTags"
      ],
      "Resource": "*"
    }
  ]
}
TDS-support
Policy Doc:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities", "acm-pca:describeCertificateAuthority", "acm-pca:describeCertificateAuthorityAuditReport",
        "acm-pca:getCertificateAuthorityCertificate", "acm-pca:getCertificateAuthorityCsr", "acm-pca:listTags",
        "acm:describeCertificate", "acm:getCertificate", "acm:listCertificates", "acm:listTagsForCertificate", "cloudfront:listDistributionsByWebACLId",
        "cloudtrail:describeTrails", "cloudtrail:getEventSelectors", "cloudtrail:lookupEvents", "cloudwatch:getMetricData", "cloudwatch:listDashboards", "cloudwatch:getDashboard", "cloudwatch:listMetrics",
        "codepipeline:getPipeline", "codepipeline:getPipelineState", "codepipeline:listActionTypes", "codepipeline:listPipelineExecutions", "codepipeline:listPipelines",
        "ec2:describeCapacityReservations", "ec2:describeByoipCidrs", "ec2:describeDhcpOptions", "ec2:describeNatGateways", "ec2:describeNetworkAcls",
        "ec2:describeNetworkInterfaces", "ec2:describePublicIpv4Pools", "ec2:describeRouteTables", "ec2:describeSecurityGroups",
        "ec2:describeSpotFleetRequests", "ec2:describeSpotInstanceRequests", "ec2:describeSubnets", "ec2:describeVpcs",
        "elasticfilesystem:describeAccessPoints", "elasticfilesystem:describeFileSystemPolicy", "elasticfilesystem:describeFileSystems",
        "elasticfilesystem:describeLifecycleConfiguration", "elasticfilesystem:describeMountTargets", "elasticfilesystem:listTagsForResource",
        "elasticloadbalancing:describeListeners", "elasticloadbalancing:describeLoadBalancers", "elasticloadbalancing:describeTags", "elasticloadbalancing:describeTargetGroups", "elasticloadbalancing:describeTargetHealth",
        "events:describeRule", "events:listApiDestinations", "events:listConnections", "events:listEventBuses", "events:listEventSources", "events:listRules", "events:listTargetsByRule",
        "guardduty:getFindings", "guardduty:listDetectors", "guardduty:listFindings", "guardduty:listIPSets", "guardduty:listThreatIntelSets",
        "iam:getAccessKeyLastUsed", "iam:getGroupPolicy", "iam:getPolicy", "iam:getPolicyVersion", "iam:getRole", "iam:getRolePolicy", "iam:getServerCertificate",
        "iam:getUser", "iam:getUserPolicy", "iam:listAccessKeys", "iam:listAttachedGroupPolicies", "iam:listAttachedRolePolicies", "iam:listAttachedUserPolicies",
        "iam:listGroupPolicies", "iam:listGroupsForUser", "iam:listInstanceProfiles", "iam:listMFADevices", "iam:listPolicies", "iam:listPolicyVersions",
        "iam:listRolePolicies", "iam:listRoles", "iam:listSSHPublicKeys", "iam:listServerCertificates", "iam:listUserPolicies", "iam:listUsers", "iam:listVirtualMFADevices",
        "lambda:getAccountSettings", "lambda:listEventSourceMappings", "lambda:listFunctions", "lambda:listLayers", "lambda:getFunction", "lambda:getPolicy", "lambda:listAliases", "lambda:listProvisionedConcurrencyConfigs", "lambda:listVersionsByFunction",
        "logs:describeExportTasks", "logs:describeLogGroups", "logs:describeLogStreams", "logs:describeMetricFilters", "logs:describeSubscriptionFilters", "medialive:listChannels", "medialive:listInputSecurityGroups", "medialive:listInputs",
        "mobiletargeting:getAdmChannel", "mobiletargeting:getApnsChannel", "mobiletargeting:getApnsSandboxChannel", "mobiletargeting:getApnsVoipChannel",
        "mobiletargeting:getApnsVoipSandboxChannel", "mobiletargeting:getApplicationSettings", "mobiletargeting:getApps", "mobiletargeting:getBaiduChannel",
        "mobiletargeting:getCampaign", "mobiletargeting:getCampaignActivities", "mobiletargeting:getCampaignVersions", "mobiletargeting:getCampaigns",
        "mobiletargeting:getEmailChannel", "mobiletargeting:getEventStream", "mobiletargeting:getExportJobs", "mobiletargeting:getGcmChannel",
        "mobiletargeting:getImportJobs", "mobiletargeting:getJourney", "mobiletargeting:getJourneyExecutionActivityMetrics", "mobiletargeting:getJourneyExecutionMetrics",
        "mobiletargeting:getJourneyRunExecutionActivityMetrics", "mobiletargeting:getJourneyRuns", "mobiletargeting:getSegment", "mobiletargeting:getSegmentImportJobs",
        "mobiletargeting:getSegmentVersions", "mobiletargeting:getSegments", "mobiletargeting:getSmsChannel", "mobiletargeting:listJourneys", "pipes:listPipes", "polly:describeVoices", "polly:listLexicons",
        "rds:describeDBClusterParameterGroups", "rds:describeDBClusterParameters", "rds:describeDBClusterSnapshots", "rds:describeDBClusters", "rds:describeDBInstances",
        "rds:describeDBParameterGroups", "rds:describeDBParameters", "rds:describeDBSecurityGroups", "rds:describeDBSnapshots", "rds:describeDBSubnetGroups", "rds:describeEvents", "rds:describePendingMaintenanceActions", "rds:listTagsForResource",
        "redshift:describeClusterParameterGroups", "redshift:describeClusterParameters", "redshift:describeClusterSnapshots", "redshift:describeClusterSubnetGroups",
        "redshift:describeClusters", "redshift:describeEventSubscriptions", "redshift:describeEvents", "redshift:describeLoggingStatus", "redshift:describeReservedNodes", "redshift:describeResize",
        "route53domains:getDomainDetail", "route53domains:getOperationDetail", "route53domains:listDomains", "route53domains:listOperations", "scheduler:listScheduleGroups", "scheduler:listSchedules", "servicequotas:listAWSDefaultServiceQuotas", "servicequotas:listServiceQuotas",
        "ssm:describeActivations", "ssm:describeAutomationExecutions", "ssm:describeInstanceInformation", "ssm:describeMaintenanceWindows", "ssm:describeParameters", "ssm:describePatchBaselines", "ssm:describePatchGroups", "ssm:listDocuments",
        "swf:describeActivityType", "swf:describeDomain", "swf:describeWorkflowExecution", "swf:describeWorkflowType", "swf:getWorkflowExecutionHistory",
        "swf:listActivityTypes", "swf:listClosedWorkflowExecutions", "swf:listDomains", "swf:listOpenWorkflowExecutions", "swf:listWorkflowTypes",
        "waf-regional:getWebACL", "waf-regional:listResourcesForWebACL", "waf-regional:listWebACLs", "waf:getWebACL", "waf:listWebACLs"
      ],
      "Resource": "*"
    }
  ]
}
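A read-only audit of policy documents shaped like the ones above, as an added example that is not TD SYNNEX code: it classifies an IAM policy as full admin when an Allow statement uses Action "*" (or NotAction), as "write" when any allowed action is not a Get/List/Describe/Lookup call, and as read-only otherwise. The embedded policies are abbreviated, constructed copies of the CloudOps, BillingOps and TDS-support documents, not the page's full text.

```python
"""Classify IAM policy documents by the breadth of what they allow.

Added example, not TD SYNNEX code. It checks policy documents shaped like
the ones listed above: an Allow with Action "*" (TD-CloudOps-Role) is full
admin, while documents whose actions all begin with Get/List/Describe/Lookup
(BillingOps, SupportOps, TDS-support) are read-only. The policies embedded
here are shortened copies constructed for the example.
"""
import json

READ_ONLY_VERBS = ("get", "list", "describe", "lookup")

# Constructed, abbreviated policies modelled on the page's policy docs.
CLOUDOPS = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}')
BILLINGOPS = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "CEAccess",
  "Effect": "Allow", "Action": ["ce:GetCostAndUsage", "ce:ListCostAllocationTags",
  "ce:DescribeReport"], "Resource": "*"}]}""")
SUPPORT = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:listUsers", "cloudtrail:lookupEvents", "ec2:describeSecurityGroups",
  "iam:getAccessKeyLastUsed"], "Resource": "*"}]}""")


def _as_list(value):
    """IAM accepts either a string or a list for Action/NotAction."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return ("full_admin", reasons), ("write", actions) or ("read_only", [])."""
    wildcard, writes = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            wildcard.append("NotAction")  # allows everything except a list
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]  # part after "service:"
            if action == "*":
                wildcard.append(action)
            elif name == "*" or not name.lower().startswith(READ_ONLY_VERBS):
                writes.append(action)  # service-wide or mutating action
    if wildcard:
        return "full_admin", wildcard
    if writes:
        return "write", writes
    return "read_only", []
```

Action names are compared case-insensitively because IAM treats them that way, so the lowercase-first spelling used in the TDS-support document is handled the same as PascalCase.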