AWS Organizations & Accounts Flashcards
Can I have one or more organization master account?
No, each organization has one master account and this account.
If I set a policy at the master account, how will this policy be applied to all other accounts in the organization?
The policy is set at the highest point in the organizational structure and as such is applied to all other accounts.
What two modes do organizations have available?
- Consolidated billing
- All Features
Why would I use consolidated billing?
- You get to avail of volume discounts
- One bill for all accounts
I have several accounts as part of my organization. I want to easily log in to each account without having to log out of the main org account, and I also do not know the root user of each account. How can I do this?
When you create these new sub-accounts, you have to select an IAM role name. This IAM role is used to grant admin access to the account so you can switch to it. The role has a trust relationship with the org account and administrator permissions.
I am creating a new account as part of my organization. I want this account to have access only to the S3 service. How can I do this?
Use organizational policies to disable the other services.
What is a service control policy?
It enables you to control what services in an account can be accessed.
Will a service control policy have any effect on a master account?
No
Do service control policies grant you permission to use services?
No, you need both the permission in a normal user or resource policy and the service control policy to get access.
What is a service limit in an aws account?
It is a limit put on a resource, like the number of EIPs; you can request to have limits increased.
I am designing a solution that enables my users to access the AWS console. I will have 10K users. What is the best approach?
AWS accounts have a 5K limit, so you will have to use a federation approach with SAML. This is where you use SAML with an IdP like AD federation.
In a multi-account approach for AWS, what is the publishing account used for?
This is where you put all your AMIs and centrally manage them.
In a multi-account approach for AWS, what is the logging account used for?
It is the one account/place where all logs are stored and managed for every account.
In a multi-account approach for AWS, I need to set up IAM for the multiple accounts. How can I do this?
You create a role in each of the accounts, and in the IAM account you manage your users by creating a group and giving it permission to assume the role created in the other accounts.
What organization account structure should you use to provide separation of concerns?
B.I.L.P
- Billing (Master billing account)
- Identity account (Central IAM account)
- Logging account (All the logs into this account)
- Publishing account (Service catalogue, EC2 AMI)
How should I arrange IAM for an Organization?
One separate account for IAM management and cross-account IAM roles in other accounts or Federation.
When using Organizations, how should we arrange the logs of each of the accounts?
Create one account for logging and feed all logs from all other accounts into this account. You can do this by selecting "apply trail to all accounts" when creating a trail in CloudTrail with CloudWatch Logs.
I want my Organization logging account to capture VPC flow logs. What are my options?
You can set up VPC flow logs to send data to CloudWatch Logs.