01 Accounts & Permissions Flashcards
Describe AWS Organisations.
AWS Organisations is a service that allows users to manage multiple AWS accounts in a hierarchical structure.
Define the management account in AWS Organisations.
The management account is the account that created the organisation and can invite other existing accounts to join.
How can existing accounts join an AWS Organisation?
Existing accounts can be invited to join an AWS Organisation, but they must agree to the invitation.
What are member accounts in AWS Organisations?
Member accounts are accounts that are part of an organisation, which can be either invited existing accounts or newly created accounts.
Describe the hierarchical structure of AWS Organisations.
The hierarchical structure includes an organisation root at the top level, with Organisation Units (OUs) as sub-groupings of accounts and other nested OUs.
Explain consolidated billing in AWS Organisations.
Consolidated billing allows charges from all member accounts to be billed to the management account, pooling reservations and volume discounts across the organisation.
What is the payer account in the context of AWS Organisations?
The payer account is another term for the management account, which handles the consolidated billing for all member accounts.
How does consolidated billing affect billing methods in AWS Organisations?
Consolidated billing overrides any billing methods that were added to accounts before they joined the organisation.
What is the best practice architectural pattern for AWS account management?
The best practice is to have a single AWS account that users log into, and to use IAM roles that they assume in the other accounts to perform actions there.
Define Service Control Policies (SCPs) in AWS Organisations.
Service Control Policies (SCPs) are a feature that restricts what actions an account can perform within AWS Organisations.
How are Service Control Policies applied in AWS Organisations?
SCPs can be applied to the entire organisation, specific Organisation Units (OUs), or individual accounts, and they are enforced down the hierarchy.
Describe how Service Control Policies (SCPs) affect AWS accounts and Organisation Units (OUs).
Applying an SCP to an OU affects all accounts and nested OUs within that OU.
Do management accounts have restrictions imposed by SCPs?
Management accounts are not restricted by SCPs, but SCPs can still be applied to them.
Define the role of SCPs in relation to the root account of an AWS account.
SCPs are the only way to constrain the root account of an AWS account.
How can permissions be modeled in AWS?
Permissions can be modeled as either a deny-list or an allow-list.
Explain the function of the managed FullAWSAccess SCP.
The FullAWSAccess SCP allows all actions, so the organisation operates as a deny list: actions are permitted unless explicitly denied in other SCPs.