AWS Organizations Flashcards
Organizational Units (OUs)
What are Organizational Units?
Understanding the functionality and significance of Organizational Units. Note that OUs are a feature of AWS Organizations, not of IAM: IAM policies are attached to users, groups and roles inside a single account, whereas OUs are containers for whole accounts, and the policies attached to them are organization-level policies such as service control policies (SCPs).
AWS Organizations feature for grouping member accounts into a hierarchy and applying organization policies to each group.
Answer: Organizational Units are containers in AWS Organizations for grouping the member accounts of an organization. They form a tree under the organization root: an OU can hold accounts and other OUs, nested up to five levels deep under the root. Policies attached to the root, an OU or an account are inherited down the tree, so an SCP attached to an OU applies to every account in that OU and in every OU beneath it. This gives a single place to set guardrails for a whole group of accounts instead of configuring each account separately.
Real world Use-Case: Organizations use OUs to apply guardrails to groups of accounts at once. For example, a Workloads OU might be split into Prod and Dev OUs, with an SCP on Prod that denies deleting CloudTrail trails and an SCP on Dev that restricts which regions can be used, while a separate Security OU holds the logging and audit accounts.
Suitable Analogy: Think of OUs as the divisions and departments on an org chart. A rule set at the division level applies to every department beneath it, and a department can add further rules of its own, but no department can override a rule set above it.
OUs allow organizations to delegate administration and enforce security guardrails at different levels of the hierarchy. They work together with IAM rather than replacing it: an SCP caps what any identity in a member account can do, and the IAM policies on users and roles in that account grant permissions within that cap.
Facilitates centralized governance of member accounts within AWS Organizations, enabling consistent guardrails across accounts without touching the IAM configuration of each one.
Service Linked Roles
Service Linked Roles are IAM roles that are linked directly to one AWS service. The service creates the role in your account when it needs it (or you create it explicitly with the iam:CreateServiceLinkedRole action), and the service assumes that role to call other AWS services on your behalf.
- The role's trust policy trusts only the service principal of the linked service (for example autoscaling.amazonaws.com), so no user, role or other service can assume it.
- They help maintain least privilege: the permissions policy is predefined by the service and contains only the actions that service needs. You cannot attach, edit or detach its permissions, and you can delete the role only after the service has stopped using it.
- Each Service Linked Role is uniquely associated with a specific AWS service and is created under the path /aws-service-role/<service-principal>/, for example arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling.
- AWS owns and updates the permissions associated with Service Linked Roles, reducing the administrative burden on users. Service control policies do not apply to them, so an SCP cannot be used to restrict what a service does through its linked role.
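A practical consequence of the points above is that a principal does not need iam:CreateRole to bring a service-linked role into existence; it needs iam:CreateServiceLinkedRole, and that grant can be pinned to a single service. The identity policy below is an added example written for this page, not AWS's own documentation: it lets a principal create only the Auto Scaling service-linked role, using the iam:AWSServiceName condition key to reject any other service name. The trailing wildcard on the role name admits the custom-suffix variants some services support; drop it to pin the exact name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlyTheAutoScalingServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "autoscaling.amazonaws.com"
        }
      }
    }
  ]
}
```

With this policy attached, `aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com` succeeds, while the same call with any other service name, or a plain `aws iam create-role`, is denied because nothing grants it. The same Resource path pattern is useful the other way round in an audit: any role outside /aws-service-role/ that claims to be a service role was created by a person, not by the service.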
PassRole permission (iam:PassRole)
iam:PassRole is the IAM permission a principal needs in order to hand an IAM role to an AWS service while configuring that service (for example, setting the execution role on a Lambda function or the instance profile on an EC2 instance). The service then assumes the role, so whoever can pass a role can act with that role's permissions through the service.
Key Points:
* iam:PassRole is required when delegating permissions to AWS services such as Lambda, EC2 and ECS, which assume the passed role on your behalf.
* The permission is checked on the principal making the configuration call (the developer or the deployment pipeline), not on the role being passed. The role's trust policy must separately allow the target service to assume it.
* Without iam:PassRole on the role, the configuration call itself (for example lambda:CreateFunction or ec2:RunInstances) fails with an access denied error; there is no standalone PassRole API call to make.
* iam:PassRole with "Resource": "*" is a privilege escalation path: a principal who can pass any role in the account to a service they control can run code as that role. Scope it to specific role ARNs and restrict the receiving service with the iam:PassedToService condition key.
Example:
Suppose you want an AWS Lambda function to read objects from an Amazon S3 bucket. The execution role gets the s3:GetObject permission on the bucket and a trust policy that allows lambda.amazonaws.com to assume it. The developer or pipeline that creates the function needs lambda:CreateFunction plus iam:PassRole on that execution role's ARN. The execution role itself needs no PassRole permission; it is the thing being passed.
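The developer-side half of that example, as an added policy written for this page rather than taken from the original flashcards. The account ID, region, function name prefix and role name (reports-lambda-exec) are placeholders. The first statement lets the developer create and reconfigure functions whose names start with reports-; the second lets them pass exactly one role, and only to Lambda, so the same grant cannot be reused to hand the role to EC2 or to pass an administrator role to a function they control.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageReportsFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:reports-*"
    },
    {
      "Sid": "PassOnlyTheReportsRoleToLambda",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/reports-lambda-exec",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    }
  ]
}
```

The weak form of the second statement is "Resource": "*" with no Condition. With that, a developer who can create a function can attach any role in the account to it, including roles with administrator access, and then invoke the function to act as that role. When reviewing existing policies, search for iam:PassRole statements whose Resource is "*" or a broad wildcard; each one is an escalation path to every role it matches.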
Service Linked Roles vs. Normal Roles
Key Considerations:
Service Linked Roles are specific to individual AWS services and are automatically managed by AWS.
Normal Roles are manually created by users and offer greater flexibility and customization options but require manual management of permissions.
Service Linked Roles:
* Definition:
Created by AWS on behalf of users, or by a user with iam:CreateServiceLinkedRole. Each one is associated with exactly one AWS service.
* Purpose:
Enable services to access other AWS resources securely.
Automatically created and managed by AWS.
* Permissions:
AWS manages the permissions associated with Service Linked Roles; users cannot change them.
Limited to the actions required by the associated service.
Examples:
AWSServiceRoleForAutoScaling
AWSServiceRoleForEC2SpotFleet
Normal Roles:
* Definition:
IAM roles manually created by users.
Can be assumed, depending on the trust policy, by principals in the same account, by principals in other AWS accounts, by federated identities, or by AWS services.
* Purpose:
Grant permissions to users, applications, or services for specific tasks.
Customizable based on user requirements.
* Permissions:
Users define and manage the permissions associated with Normal Roles.
Can have a wide range of permissions, depending on user configurations.
Examples (customer-chosen names):
AdministratorAccessRole
DeveloperRole
AWS Organizations and Organizational Units (OUs)
Key Considerations:
- AWS Organizations and OUs provide a scalable and efficient way to manage multiple AWS accounts and resources within an organization.
- Users can leverage OUs to apply policies and permissions hierarchically, ensuring consistent governance and security practices across the organization.
Definition:
- AWS Organizations is a service that enables centralized management of multiple AWS accounts.
- Organizational Units (OUs) are logical groupings within an AWS Organization used for organizing and managing accounts.
Purpose:
- AWS Organizations helps in centralizing billing, security, and compliance management across multiple AWS accounts.
- Organizational Units allow users to structure accounts hierarchically based on business units, departments, or applications.
Features:
- AWS Organizations offers consolidated billing, service control policies (SCPs) and other organization policies (for example tag policies and backup policies), plus integration with other AWS services through trusted access and delegated administrator accounts.
- OUs let users attach SCPs and the other organization policies at the OU level; attached policies are inherited by every account and nested OU below, which simplifies management of permissions across accounts.
Benefits:
Simplifies billing and cost management by consolidating charges across multiple accounts.
Enhances security and compliance by enforcing consistent policies and permissions across the organization.
Facilitates resource sharing and collaboration (for example, AWS RAM can share resources with a whole OU or organization) while keeping workloads segregated in separate accounts based on business requirements.
Service Control Policies (SCPs)
Service Control Policies (SCPs) are a feature of AWS Organizations that allow administrators to establish permission guardrails across multiple AWS accounts.
That means they do not grant permissions by themselves. IAM policies grant permissions to specific identities inside an account; an SCP sets the ceiling on what those IAM policies can grant. The effective permissions of a principal in a member account are the intersection of its IAM policies and every SCP that applies to its account, so an action must be allowed by both.
SCPs help enforce organizational policies and control the maximum available permissions for accounts within an AWS Organization.
Key Points:
* SCPs are JSON policies written in the IAM policy language (Effect, Action or NotAction, Resource, Condition; no Principal element) that define the maximum permissions available to the accounts under the target they are attached to.
* SCPs can be attached to the organization root, to individual OUs, or to individual accounts. An account is bound by every SCP attached to it and to each OU above it up to the root, and an action is permitted only if it is allowed at every level. When SCPs are enabled, AWS attaches the FullAWSAccess SCP to the root and to every OU and account, so nothing is blocked until you add Deny statements or replace it with an allow list.
* SCPs limit the actions that IAM entities (users and roles) in a member account can perform, regardless of the permissions policies attached to those entities, including the member account's root user. They do not restrict the organization's management account, and they do not apply to service-linked roles.
* They are primarily used to restrict permissions rather than grant them, acting as an additional layer of control.
* SCPs can be used to prevent accidental exposure of sensitive data, enforce regulatory compliance, and maintain security best practices across the organization.
Key Considerations:
SCPs help enforce centralized governance and control over AWS resources within an organization.
They are an essential tool for implementing security and compliance policies across multiple AWS accounts and organizational units.
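A deny-list SCP of the kind the section describes, as an added example for this page rather than a policy from the original flashcards or from AWS. It is meant to sit on a Prod OU alongside the default FullAWSAccess SCP: the first statement stops a member account from leaving the organization (and thereby escaping all SCPs), the second protects CloudTrail except for one exempt role, and the third denies everything outside two regions while exempting global services. The role name OrgSecurityAdmin, the regions, and the shortened list of global services in NotAction are assumptions; extend that list to cover every global service you use, or their calls will be denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "ProtectCloudTrailExceptSecurityAdmin",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    },
    {
      "Sid": "DenyUseOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    }
  ]
}
```

Create it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attach it with `aws organizations attach-policy --policy-id <p-id> --target-id <ou-id>` (both IDs are placeholders). Two checks worth making after attaching: an administrator role in a member account should get an explicit deny when it calls cloudtrail:StopLogging, and the same call from the management account should still succeed, because SCPs never apply there. An SCP is only a ceiling, so a principal still needs an IAM policy that allows an action before the SCP question even arises.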