AWS Organizations

Question 1

AWS Organizations

Answer 1

enables creation of one organization for many AWS accounts for consolidated bill

can create accounts from AWS organization using Organizations API

can enable SSO using AWS SSO

can enable CloudTrail in management account and apply to members

Question 2

What are the two feature sets of AWS Organizations

Answer 2

Consolidated billing
All Features

Question 3

Consolidated Billing

Answer 3

ability to have a single bill in the main account - the management account

one credit card and one bill to pay in one place

can also get volume pricing discounts for services with tiered structure (aggregates usage of a a service across accounts to get a discount on a particular service)

Question 4

All Features

Answer 4

The ability to use service control policies and tagging policies

Question 5

With respect to organizations what is the root account

Answer 5

management account or master account used to create the organization and other accounts

Question 6

What are organizational units

Answer 6

account container where you can apply SCP and tagging policies to OUs

Question 7

What are organization policies applied to

Answer 7

root account or OUs

Question 8

What does consolidated billing include

Answer 8

Paying account
Linked account

Question 9

Paying Account

Answer 9

independent account and cannot access resources of other accounts

Question 10

Linked Accounts

Answer 10

all linked accounts are independent
member accounts of the organization

Question 11

SCP

Answer 11

Service Control Policies controls available API actions in organization

can be applied to accounts or OUs

OUs are hierarchical, so any permission denied to parent, will also be denied to children

will control the maximum available permissions

SCP do not grant Any permissions, they control the Available permissions

affect only IAM users and roles - not resource policies

do not affect any action performed by the management account

Question 12

AWS Control Tower

Answer 12

Creates a landing zone that can be tailored

Question 13

Landing Zone

Answer 13

is a well architected multi account baseline

Question 14

Describe baseline of landing zone

Answer 14

Creates set of an organization and this structure of accounts:
Security OU with Audit and Log Archive accounts
Sandbox OU with Dev/Test account
Management account in Root OU
Production OU with production account

Establishes preventive guardrails that disallow API actions using SCP

Establishes detective guardrails that are used for governance and compliance

Integration with IAM Identity Center where directory sources can be Identity Center, SAML 2.0 Identity provider, or Microsoft AD

Question 15

Management Account of Control Tower Landing Zone

Answer 15

The AWS account used to launch AWS Control Tower. The root user and IAM administrator have full access to all resources in the landing zone

Can’t restrict actions in management account

Question 16

Log archive account of Control Tower Landing Zone

Answer 16

Contains a central Amazon S3 bucket for storing a copy of all AWS Cloud Trail and AWS Config log files for all other accounts in the landing zone

Question 17

Audit account of Control Tower Landing Zone

Answer 17

Aggregates and stores logs collected from all other accounts in the landing zone. Secure account with restricted access.

Question 18

AWS Control Tower Detective Gaurdrails

Answer 18

designed to monitor and report on policy violations or non-compliant activities that have already occurred. They help in identifying misconfiguration or activities that do not adherer to the organizations policies

performed using AWS Config rules and Lambda functions

they continuously evaluate the configurations of AWS resources and generate alerts or reports when non compliance is detected

Question 19

AWS Control Tower Preventive Gaurdrails

Answer 19

designed to proactively prevent policy violations before they occur

they enforce compliance and security best practices by restricting certain actions or configurations

implemented using SCP that limit what users and roles can perform in the AWS accounts within the organization

Question 20

How many accounts can you have in an organization for consolidated billing?

Answer 20

20 linked accounts by default

Question 21

How is unused reserved EC instances applied in consolidated billing

Answer 21

It can be used across the OU or account?

Question 22

Best Practice for Paying accounts in consolidated billing

Answer 22

Paying accounts should only be used for billing purpose

Question 23

What must be enabled to use SCPs in an organization

Answer 23

All features

Question 24

Describe the Deny list strategy of SCP

Answer 24

Uses the FullAWSAccess SCP
Attached to every OU and account
Overrides the implicit deny
Explicitly allows all permissions to flow down from root
Create additional SCPs to explicitly deny permissions

Question 25

Describe the Allow list strategy of SCP

Answer 25

FullAWSAccess SCP is removed
No APIs are permitted anywhere unless you explicitly allow them
Create SCPs to allow permissions
SCPs must be attached to target account and every OU above it including root

Question 26

How does account migration into an organization work

Answer 26

Must have root or IAM access to both member and management accounts
Use the AWS organizations console for a few accounts otherwise use the Organization API or AWS CLI if there are many accounts to migrate