AWS Organizations Flashcards
AWS Organizations
enables creating one organization containing many AWS accounts with a consolidated bill
can create accounts from the organization using the Organizations API
can enable SSO using AWS SSO
can enable CloudTrail in the management account and apply it to member accounts
What are the two feature sets of AWS Organizations?
Consolidated billing
All Features
Consolidated Billing
ability to have a single bill in the main account - the management account
one credit card and one bill to pay in one place
can also get volume pricing discounts for services with a tiered structure (aggregates usage of a service across accounts to get a discount on that service)
All Features
The ability to use service control policies and tagging policies
With respect to organizations, what is the root account?
the management (master) account used to create the organization and the other accounts
What are organizational units?
containers for accounts; SCPs and tagging policies can be applied to OUs
What are organization policies applied to?
the root account or OUs
What types of accounts does consolidated billing include?
Paying account
Linked account
Paying Account
an independent account that cannot access the resources of other accounts
Linked Accounts
all linked accounts are independent
member accounts of the organization
SCP
Service Control Policies control the API actions available in the organization
can be applied to accounts or OUs
OUs are hierarchical, so any permission denied to a parent is also denied to its children
control the maximum available permissions
SCPs do not grant any permissions; they control the available permissions
affect only IAM users and roles, not resource policies
do not affect any action performed by the management account
AWS Control Tower
Creates a landing zone that can be tailored
Landing Zone
a well-architected multi-account baseline
Describe the baseline of a landing zone
Creates an organization with this structure of accounts:
Security OU with Audit and Log Archive accounts
Sandbox OU with Dev/Test account
Management account in Root OU
Production OU with production account
Establishes preventive guardrails that disallow API actions using SCP
Establishes detective guardrails that are used for governance and compliance
Integration with IAM Identity Center where directory sources can be Identity Center, SAML 2.0 Identity provider, or Microsoft AD
Management Account of Control Tower Landing Zone
The AWS account used to launch AWS Control Tower. The root user and IAM administrator have full access to all resources in the landing zone
Can't restrict actions in the management account
Log archive account of Control Tower Landing Zone
Contains a central Amazon S3 bucket for storing a copy of all AWS CloudTrail and AWS Config log files for all other accounts in the landing zone
Audit account of Control Tower Landing Zone
Aggregates and stores logs collected from all other accounts in the landing zone. Secure account with restricted access.
AWS Control Tower Detective Guardrails
designed to monitor and report on policy violations or non-compliant activities that have already occurred. They help identify misconfigurations or activities that do not adhere to the organization's policies
performed using AWS Config rules and Lambda functions
they continuously evaluate the configurations of AWS resources and generate alerts or reports when non-compliance is detected
AWS Control Tower Preventive Guardrails
designed to proactively prevent policy violations before they occur
they enforce compliance and security best practices by restricting certain actions or configurations
implemented using SCPs that limit what users and roles can do in the AWS accounts within the organization
How many accounts can you have in an organization for consolidated billing?
20 linked accounts by default
How are unused reserved EC2 instances applied in consolidated billing?
They can be applied across the OU or the linked accounts
Best Practice for Paying accounts in consolidated billing
Paying accounts should only be used for billing purposes
What must be enabled to use SCPs in an organization?
All features
Describe the Deny list strategy of SCP
Uses the FullAWSAccess SCP
Attached to every OU and account
Overrides the implicit deny
Explicitly allows all permissions to flow down from the root
Create additional SCPs to explicitly deny permissions
Describe the Allow list strategy of SCP
FullAWSAccess SCP is removed
No APIs are permitted anywhere unless you explicitly allow them
Create SCPs to allow permissions
SCPs must be attached to the target account and every OU above it, including the root
How does account migration into an organization work?
Must have root or IAM access to both the member and management accounts
Use the AWS Organizations console for a few accounts; otherwise use the Organizations API or AWS CLI when there are many accounts to migrate