AWS Organizations & Accounts Flashcards
Can I have one or more organization master accounts?
No, each organization has one master account and this account.
If I set a policy at the master account, how will this policy be applied to all other accounts in the organization?
The policy is set at the highest point in the organizational structure and as such will be applied to all other accounts.
What two modes do organizations have available?
- Consolidated billing
- All Features
Why would I use consolidated billing?
- You get to avail of the volume discounts
- One bill for all accounts
I have several accounts as part of my organization. I want to easily log in to each account without having to log out of the main org account, and I also do not know what the root user of each account is. How can I do this?
When you create these new sub-accounts, you have to select an IAM role name. This IAM role is used to grant admin access to the account so you can switch to the account. This role has a trust relationship with the org account and the permissions of the administrator.
I am creating a new account as part of my organization account. I want to allow this account to have access only to the S3 service. How can I do this?
Use organizational policies to disable the services
What is a service control policy?
It enables you to control what services in an account can be accessed.
Will a service control policy have any effect on a master account?
No
Do service control policies grant you permission to use services?
No, you have to have the permission in a normal user or resource policy and the service control policy to get access.
What is a service limit in an AWS account?
It is a limit put on a resource, like the number of EIPs; you can request to have limits increased.
I am designing a solution that enables my users to access the AWS console. I will have 10K users; what is the best approach?
AWS accounts have a 5K limit, so you will have to use a federation approach with SAML. This is where you will use SAML with an IdP like AD federation.
In a multi-account approach for AWS, what is the publishing account used for?
This is where you put all your AMIs and centrally manage them.
In a multi-account approach for AWS, what is the logging account used for?
It is the one account/place where all logs are stored and managed for every account.
In a multi-account approach for AWS, I need to set up IAM for the multiple accounts; how can I do this?
You are going to create a role in the accounts, and in the IAM account you are going to manage your users by creating a group and giving them the permission to assume the role created in the other accounts.
What organization account structure should you use to provide separation of concerns?
B.I.L.P
- Billing (Master billing account)
- Identity account (Central IAM account)
- Logging account (All the logs into this account)
- Publishing account (Service catalogue, EC2 AMI)
How should I arrange IAM for an Organization?
One separate account for IAM management and cross-account IAM roles in other accounts or Federation.
When using Organizations, how should we arrange the logs of each account?
Create one account for logging and feed all logs from all other accounts to this account. You can do this by selecting "apply trail to all accounts" when creating a CloudTrail trail in CloudWatch Logs.
I want my Organization logging account to capture VPC flow logs; what are my options?
You can set up VPC flow logs to send data to CloudWatch
I want to ensure that I have a centralized way to manage AMI & Service Catalogue, what are my options?
Create a publishing account and use this account for central management of AMI or
What are the primary features of Organizations?
- Account management
- Consolidated billing
- Policy-based management
Are tags supported in organizations?
Yes
What are the three key functions of an AWS account?
- Authentication
- Authorization
- Billing
When you create a new AWS account, what is the default user?
- Root user
What is principal, authenticate and authorize?
Principal: the entity that was authenticated and is authorized (or not).
How can a principal authenticate with AWS?
A principal can use:
- user name/password
- key pairs
What are the two stores provided by IAM?
- Identity store
- Access store
Do service control policies give you access to services?
No, you can only deny access
Is the default of a service control policy a deny or allow?
Deny; to allow, you have to explicitly call it out in the policy.
If there is an explicit Deny, and also an explicit Allow, will that Allow win and you will be able to use the service?
No, the explicit Deny will win and you will be denied access.
Why would you use Organizations?
- Consolidated billing
- Centralized account management
- Tagging policies
- Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
- Adds a higher level to IAM, where you can control the services available on the accounts, even for the root user of the account.
I am having trouble with developers adding tags that are formatted differently between developers. I am also using Organizations; how can I fix this?
Create a tagging policy and add it to the organization. With the tagging policy you can enforce tags and their format.
Are you charged for tagging policies?
No
Can I add Tags to users and roles?
Yes 100%
Do most resources in AWS allow tags?
Yes, almost all resources in AWS allow tags.
I have developers gone wild creating tags everywhere and in many different formats. How do I solve this? Explain the steps.
- In Organizations, you will have to enable tag policies in the settings
- Create a tag policy in Organizations.
- Attach the Tag Policy to the root, account, OU
How can I enforce that resources are not created if they are not tagged correctly?
Use a tagging policy, select enforce no
I want to know what tags are not compliant; is this possible?
Yes, there is a feature to see non-compliant tagging report.
Is Organizations a regional service?
No, it is a global service like IAM
Does Organizations operate an eventually consistent model?
Yes, 100%; all data is not synced at once but is eventually consistent.
What is the cost of Organizations?
No charge, like IAM
Can you delete the organization? Explain.
Yes, remove the accounts and also remove the master account by deleting the organization.
I want to monitor changes in my Organization and send an email to me when changes happen; how can I do this?
You use CloudWatch Events (cloud trail selector) to trigger an SNS message to be sent by email to the subscriber.
I want to monitor changes in my Organization and have an entry put in DynamoDB for each change; how can I do this?
You can use CloudWatch Events (CloudTrail selector) to trigger a Lambda function that can write an entry in DynamoDB.
What is "enable All Features"?
It enables all features of Organizations, like consolidated billing, tagging policies, and service control policies.
I have Resource Manager and I want to enable this service in my Organization; explain how I do this.
You enable this service in the settings of the organization. What you are doing is enabling this service as a trusted service of the organization. This means the service can create service-linked roles on all the accounts in your organization.