AWS Organizations Flashcards
What is AWS Organizations?
A service that lets you collect, organize, and centrally manage multiple AWS accounts.
2 feature sets:
consolidated billing
“All features”
Made up of a root (the top-level container), OUs, and accounts.
What is an AWS account?
A container for your AWS resources
What are the different AWS account types?
Management Account (formerly called the master account; not the same thing as the root user or the organization root) – A management account is the AWS account you use to create your organization.
Member Account – A member account is an AWS account, other than the management account, that is part of an organization.
What is an administrative root?
An administrative root is the starting point for organizing your AWS accounts. The administrative root is the top-most container in your organization’s hierarchy.
What is an OU?
An organizational unit (OU).
A group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.
What does an SCP do?
What entities does it apply to?
A Service Control Policy defines the AWS service actions, such as Amazon EC2 RunInstances, that are available for use in different accounts within an organization.
You can:
• set MAXIMUM permissions (a guardrail; the principal’s IAM policy must still grant the action)
• control tagging (e.g. deny an action unless a tag condition is satisfied)
• control available API actions.
Does NOT apply to the management account; DOES affect the root user of member accounts.
They do NOT GRANT permissions.
You must have all features enabled in the Organization.
Affects only principals in member accounts (IAM users, roles and the root user). Does NOT affect service-linked roles, and does NOT restrict what resource-based policies grant to principals outside the organization.
What are best practices for the management account? (8)
- Use the management account only for tasks that require the management account.
- Use a group email address for the management account’s root user.
- Use a complex password for the management account’s root user.
- Enable MFA for your root user credentials.
- Add a phone number to the account contact information.
- Review and keep track of who has access.
- Document the processes for using the root user credentials.
- Apply controls to monitor access to the root user credentials.
Why might you want to use consolidated billing?
What is the limit?
If you pay on a tiered structure (the more you use, the lower the unit price), aggregating usage across accounts reaches the cheaper tiers sooner, so you pay less.
Combined view of charges across accounts, single payment method.
Default limit 20 linked accounts (a quota that can be raised by request).
What are the account types in consolidated billing?
Paying account – receives the consolidated bill; can’t access the resources of the linked accounts.
Linked accounts – all other accounts; independent of each other and of the paying account except for billing.
What is the Deny List Strategy?
Uses FullAWSAccess SCP attached to every OU and account. Explicitly allows all permissions to flow down from the root.
You create SCPs to explicitly deny permissions.
What is the Allow List Strategy?
Remove the FullAWSAccess SCP. Nothing is permitted unless you explicitly allow it.
Create SCPs to allow permissions.
SCPs must be attached to the target account and every OU above it, including the root.
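The SCP cards above (maximum permissions, no grants, deny list vs. allow list, attachment at every level, management-account exemption) describe evaluation rules that are easiest to see in code. The following is an added, simplified model written for this page; it is not AWS code. It evaluates only the Effect and Action elements (with '*' wildcards) and ignores Resource, NotAction and Condition. The account IDs, OU name and the two customer SCPs are constructed; FullAWSAccess mirrors the AWS-managed SCP of that name.

```python
"""Model of how service control policies (SCPs) combine down an AWS
Organizations hierarchy. Added, simplified example; not AWS code.
Only Effect and Action (with '*' wildcards) are evaluated; Resource,
NotAction and Condition elements are ignored."""
from fnmatch import fnmatchcase

# Constructed policy documents. FULL_AWS_ACCESS mirrors the AWS-managed SCP
# of that name; the other three are hypothetical customer SCPs.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_GUARDRAILS = {  # deny-list style: FullAWSAccess stays, specific denies are added
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["organizations:LeaveOrganization",
                   "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}
ALLOW_EC2_S3 = {  # allow-list style: FullAWSAccess removed, explicit allows only
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}
ALLOW_S3_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _actions(stmt):
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def _matches(pattern, action):
    # IAM matches action names case-insensitively; '*' matches any run of characters.
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_level(scps, action):
    """Verdict of the SCPs attached at ONE level of the hierarchy.
    An explicit Deny in any statement wins; otherwise at least one Allow is
    needed, or the level implicitly denies the action."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def scp_path(org, account_id):
    """SCP lists that apply to account_id: root first, then each OU on the
    way down, then the account itself. The management account is exempt,
    so its path is empty."""
    if account_id == org["management_account"]:
        return []
    acct = org["accounts"][account_id]
    return [org["root_scps"]] + [org["ous"][ou] for ou in acct["ou_path"]] + [acct["scps"]]


def scp_permits(path, action):
    """The action survives only if EVERY level allows it and NO level denies it
    (all([]) is True: the management account is never restricted)."""
    return all(evaluate_level(scps, action) == "allow" for scps in path)


def effective_permission(org, account_id, action, iam_allows):
    """SCPs only cap permissions; the principal's own IAM policy must grant them."""
    return scp_permits(scp_path(org, account_id), action) and iam_allows


# Constructed organizations: hypothetical account IDs and OU name.
DENY_LIST_ORG = {
    "management_account": "111111111111",
    "root_scps": [FULL_AWS_ACCESS],
    "ous": {"Workloads": [FULL_AWS_ACCESS, DENY_GUARDRAILS]},
    "accounts": {
        "222222222222": {"ou_path": ["Workloads"], "scps": [FULL_AWS_ACCESS]},
    },
}
ALLOW_LIST_ORG = {
    "management_account": "111111111111",
    "root_scps": [ALLOW_EC2_S3],
    "ous": {"Workloads": [ALLOW_EC2_S3]},
    "accounts": {
        "333333333333": {"ou_path": ["Workloads"], "scps": [ALLOW_EC2_S3]},
        # Allow-list mistake: the OU allows ec2:*, but the account level does not.
        "444444444444": {"ou_path": ["Workloads"], "scps": [ALLOW_S3_ONLY]},
    },
}

if __name__ == "__main__":
    for org, acct in ((DENY_LIST_ORG, "222222222222"), (ALLOW_LIST_ORG, "333333333333"),
                      (ALLOW_LIST_ORG, "444444444444"), (DENY_LIST_ORG, "111111111111")):
        for action in ("ec2:RunInstances", "s3:GetObject",
                       "cloudtrail:StopLogging", "iam:CreateUser"):
            print(acct, action, scp_permits(scp_path(org, acct), action))
```

Account 444444444444 shows why an allow-list SCP has to be attached at every level: ec2:* is allowed at the root and the OU, but the account-level SCP only allows s3:*, so EC2 calls are implicitly denied there. The management account returns True for everything because no SCP path applies to it, which is exactly why the best-practice cards keep it for organization-management tasks only.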
How do you migrate an account to another organization?
Remove the account from its current organization (done from that organization’s management account, or by the member account itself; the account must be able to stand alone, e.g. have its own payment method), send it an invitation from the new organization’s management account, then accept the invitation from the account being moved. You need root user or suitably permitted IAM credentials in both management accounts and in the account being moved.
Use the console if it’s just a few accounts. Use the API or CLI if it’s a lot.
We need a way to create accounts programmatically.
Use the Organizations API (CreateAccount). Account creation is asynchronous, so poll DescribeCreateAccountStatus for the result.
What can be used to enforce tag standardizations?
Tag policies are the AWS Organizations policy type that enforces tag standardization (expected key capitalization and allowed values).
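How a tag policy lower in the hierarchy combines with its parent, and how a resource’s tags are judged against the result, is shown by the following added example. It is a simplified model written for this page, not AWS code: it handles the @@assign, @@append and @@remove inheritance operators on tag values and the key-capitalization check, and ignores enforced_for and @@operators_allowed_for_child_policies. The two policies and the tag keys and values are constructed.

```python
"""Simplified model of AWS Organizations tag policies: how a policy attached
lower in the hierarchy combines with its parent through the @@assign,
@@append and @@remove inheritance operators, and how a resource's tags are
judged against the effective policy. Added example, not AWS code; it
ignores enforced_for and @@operators_allowed_for_child_policies."""

# Constructed tag policies (tag keys and values are illustrative).
ROOT_TAG_POLICY = {  # attached to the organization root
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@assign": ["100", "200"]},
        },
        "environment": {
            "tag_key": {"@@assign": "Environment"},
            "tag_value": {"@@assign": ["Prod", "Dev"]},
        },
    }
}
OU_TAG_POLICY = {  # attached to an OU beneath the root
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@append": ["300"]},   # extend the parent's list
        },
        "environment": {
            "tag_key": {"@@assign": "Environment"},
            "tag_value": {"@@remove": ["Dev"]},   # narrow the parent's list
        },
    }
}


def _apply(current, spec):
    """Apply one inheritance operator to the inherited list of allowed values.
    current is None when no ancestor restricted the values."""
    if "@@assign" in spec:            # replace whatever was inherited
        return list(spec["@@assign"])
    if "@@append" in spec:            # add values, keeping the parent's
        base = list(current or [])
        return base + [v for v in spec["@@append"] if v not in base]
    if "@@remove" in spec:            # drop values the parent allowed
        return [v for v in (current or []) if v not in spec["@@remove"]]
    return current


def effective_policy(*policies):
    """Merge policies in hierarchy order (root first, account last).
    Returns {entry name: {"key": exact tag key, "values": allowed list or None}}."""
    eff = {}
    for pol in policies:
        for name, rule in pol["tags"].items():
            cur = eff.setdefault(name, {"key": None, "values": None})
            if "tag_key" in rule:
                cur["key"] = rule["tag_key"]["@@assign"]
            if "tag_value" in rule:
                cur["values"] = _apply(cur["values"], rule["tag_value"])
    return eff


def check_tags(eff, tags):
    """Report a resource's noncompliant tags. A tag is noncompliant when its key
    matches a policy key except for capitalization, or its value is not in the
    allowed list. Absent tags and keys the policy never mentions are compliant."""
    findings = []
    for rule in eff.values():
        want = rule["key"]
        for key, value in tags.items():
            if key.lower() != want.lower():
                continue
            if key != want:
                findings.append(f"tag key '{key}' must be written '{want}'")
            elif rule["values"] is not None and value not in rule["values"]:
                findings.append(f"value '{value}' not allowed for '{want}': {rule['values']}")
    return findings


if __name__ == "__main__":
    eff = effective_policy(ROOT_TAG_POLICY, OU_TAG_POLICY)
    print(eff)
    for tags in ({"CostCenter": "300", "Environment": "Prod"},
                 {"costcenter": "100"}, {"Environment": "Dev"}):
        print(tags, check_tags(eff, tags) or "compliant")
```

Under the merged policy, CostCenter accepts 100, 200 or 300 while Environment accepts only Prod; a resource tagged costcenter=100 is flagged for capitalization even though the value is allowed, and a resource with no policy-controlled tags at all is compliant, because tag policies judge the tags that are present rather than requiring tags.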
AWS Organizations policies are attached to which entities?
The organization root, OUs, or individual accounts. A policy attached higher in the hierarchy is inherited by every OU and account beneath it.