AWS Organizations | Permissions Flashcards
How many levels can I have in my OU hierarchy?
Permissions
AWS Organizations | Security, Identity & Compliance
You can nest your OUs five levels deep. Including root and AWS accounts created in the lowest OUs, your hierarchy can be five levels deep.
How can I control who can manage my organization?
You control who can manage your organization and its resources in the same way that you manage access to your other AWS resources: you attach IAM policies to IAM users, groups, or roles in the master account. With IAM policies, you can control the following:
Creating an organization, organizational unit (OU), or AWS account.
Adding, moving, and removing AWS accounts to and from your organization and OUs.
Creating policies and attaching them to the root of your organization, OUs, and individual accounts.
Why is there an IAM role defined in every account that I create using AWS Organizations?
This role enables users in the master account to access a new member account. A new member account initially doesn’t have any users or passwords and can be accessed only by using this role. After you use the role to access the member account and create at least one IAM user with administrator permissions in it, you can safely delete the role if you want. For more information about IAM roles and users, see Accessing a Member Account That Has a Master Account Access Role.
Can I grant permission to manage my organization to IAM users in any AWS member account in my organization?
Yes. If you want to grant IAM users in a member account permission to manage your entire organization or parts of your organization, you can use IAM roles. You create a role with the appropriate permissions in the master account and allow users or roles in the member account to assume the new role. This is the same cross-account method that you use to grant an IAM user in one account access to a resource (for example, an Amazon DynamoDB table) in another account.
Can an IAM user in a member account sign in to my organization?
No. IAM users can sign in only to their associated member account in your organization.
Can an IAM user sign in to an OU in my organization?
No. IAM users can sign in only to their associated AWS account in your organization.