Account Management

Question 1

AWS Organizations

Answer 1

• Global service
• Manage multiple AWS accounts
• Main account is master account
• Pricing benefits from aggregated usage
• API available to automate AWS account creation
• Restrict account privileges using Service Control Policy (SCP)

Question 2

Multi Account Strategies

Answer 2

Create accounts per:
* Department
* Cost center
* Dev/test/prod

• Based on regulatory restrictions
• For better resource Isolation
• Separate per-account service limits
• Isolated account for logging.

Question 3

Service Control Policies (SCP)

Answer 3

• White or black list IAM actions
• Applied at the OU / Account level
• Does not apply to Master Account
• Applied to all Users and Roles of the account including root user
• Does not affect service-linked roles
• Must have explicit allow
• Restrict access to certain services
• Enforce PCI compliance by explicitly disabling services

Question 4

AWS Organization - Consolidated Billing

Answer 4

• Combined Usage across all accounts
• Share volume pricing, Reserved Instances, and Savings Plans discounts
• One Bill
• Management account can turn off Reserved Instances

Question 5

AWS Control Tower

Answer 5

• Setup and govern a secure and compliant multi-account AWS environment based on best practices
• Automate setup of environment
• Automate ongoing policy management using guardrails
• Detect policy violations and remediate
• Monitor compliance with interactive dashboard
• Runs on top of AWS Organizations

Question 6

AWS Resource Access Manage (AWS RAM)

Answer 6

• Share resources with other accounts
• Share with any acct or acct within your org
• Avoid resource duplication

Question 7

AWS Service Catalog

Answer 7

Quick self-service portal to launch a set of authorized products pre-defined by admins (kinda like sw center)