AWS Organizations & Accounts Flashcards

1
Q

Can I have one or more organization master accounts?

A

No. Each organization has exactly one management account (formerly called the master account); every other account in it is a member account.

2
Q

If I set a policy at the master (management) account level, how is it applied to all the other accounts in the organization?

A

A policy attached at the organization root, the highest point in the structure, is inherited by every OU and member account beneath it. The one exception is the management account itself, which SCPs never restrict.

3
Q

What two feature sets can an organization have enabled?

A
  • Consolidated billing only
  • All features

4
Q

Why would I use consolidated billing?

A
  • Volume (tiered) pricing is applied to the aggregated usage of all accounts, so you reach the discount tiers sooner
  • One bill for all accounts

5
Q

I have several accounts in my organization. I want to log in to each account easily, without logging out of the main organization account, and I do not know the root user credentials of each account. How can I do this?

A

When Organizations creates a member account for you, you choose an IAM role name (the default is OrganizationAccountAccessRole). That role is created in the new account with a trust policy that trusts the management account and with the AdministratorAccess managed policy attached, so a principal in the management account can assume it (or use the console's Switch Role) to administer the member account without ever touching its root user.

6
Q

I am creating a new account in my organization and want it to have access to the S3 service only. How can I do this?

A

Attach a service control policy (SCP) to the account, or to the OU that contains it, that either allows only s3:* actions (an allow list) or denies every other service (a deny list). SCPs require the organization to be in All features mode, and they only cap permissions: the account still needs IAM policies that actually grant S3 access.

7
Q

What is a service control policy?

A

An SCP is an organization policy that sets the maximum permissions available to the IAM users and roles (and the root user) of the member accounts it applies to. It controls which services and actions can be used in an account, but grants nothing by itself.

8
Q

Will a service control policy have any effect on a master account?

A

No. SCPs never restrict the management account, which is one reason to keep workloads and day-to-day users out of it.

9
Q

Do service control policies grant permission to use services?

A

No. An SCP only sets the boundary. An action succeeds only when it is allowed by both the SCPs in effect and an IAM identity or resource policy.

10
Q

What is a service limit (service quota) in an AWS account?

A

It is a per-account (usually per-region) cap on a resource, such as the number of Elastic IPs. Many quotas are soft limits that you can request to have increased through Service Quotas or AWS Support.

11
Q

I am designing a solution that gives my users access to the AWS console. I will have 10,000 users; what is the best approach?

A

An AWS account is limited to 5,000 IAM users, so one IAM user per person is not an option. Use identity federation instead: set up SAML 2.0 federation (or IAM Identity Center) with an external identity provider such as Active Directory Federation Services (AD FS), so users sign in with their corporate identity and assume IAM roles rather than having IAM users at all.

12
Q

In a multi-account approach for AWS, what is the publishing account used for?

A

It is the account that holds the shared artifacts, such as your approved AMIs and Service Catalog portfolios, so they are built and managed centrally and shared out to the other accounts.

13
Q

In a multi-account approach for AWS, what is the logging account used for?

A

It is the single account where the logs (CloudTrail, Config, VPC flow logs and so on) from every account are delivered, stored and managed. Keeping it separate means a compromised workload account cannot tamper with its own audit trail.

14
Q

In a multi-account approach for AWS, I need to set up IAM for the multiple accounts. How can I do this?

A

Create a role in each member account that trusts the identity account. In the identity account, manage your users: put them in groups and give each group permission (sts:AssumeRole) to assume the matching role in the other accounts.

15
Q

What organization account structure should you use to provide separation of concerns?

A

B.I.L.P

  • Billing (Master billing account)
  • Identity account (Central IAM account)
  • Logging account (All the logs into this account)
  • Publishing account (Service catalogue, EC2 AMI)
16
Q

How should I arrange IAM for an Organization?

A

One separate account for IAM management (the identity account), with cross-account IAM roles in every other account, or federation to an external identity provider.

17
Q

When using Organizations, how should we arrange the logs of each account?

A

Create one account for logging and feed the logs from all other accounts into it. For CloudTrail, create an organization trail from the management account (the "Enable for all accounts in my organization" option); it records events for every member account and delivers them to an S3 bucket (optionally also to CloudWatch Logs) that you place in the logging account. Member accounts can read their own events but cannot modify or delete the trail.

18
Q

I want my organization's logging account to capture VPC flow logs. What are my options?

A

A VPC flow log can publish to CloudWatch Logs, to an S3 bucket, or to Kinesis Data Firehose. For central collection, point the flow logs of every account at an S3 bucket (or Firehose stream) owned by the logging account, with a bucket policy that lets the flow log delivery service write on behalf of each source account.

19
Q

I want a centralized way to manage AMIs and Service Catalog. What are my options?

A

Create a publishing account and use it for central management of AMIs and Service Catalog portfolios, sharing them to the other accounts in the organization.

20
Q

What are the primary features of Organizations?

A
  • Account management
  • Consolidated billing
  • Policy-based management
21
Q

Are tags supported in organizations?

A

Yes

22
Q

What are the three key functions of an AWS account?

A
  • Authentication
  • Authorization
  • Billing
23
Q

When you create a new AWS account, what is the default user?

A
  • Root user
24
Q

What are a principal, authentication and authorization?

A

Principal: the entity (user, role, federated user or application) that makes a request. Authentication: proving that the principal is who it claims to be, for example with a password or access keys. Authorization: deciding, from the applicable policies, whether the authenticated principal is allowed to perform the requested action on the resource.

25
How can a principal authenticate with AWS?
A principal can use: a user name and password (console sign-in), or an access key pair (access key ID and secret access key) for API, CLI and SDK calls. Roles and federated users receive temporary credentials from STS instead of long-lived keys.
26
What are the two stores provided by IAM?
- Identity store (users, groups and roles) - Access store (the policies that say who may do what)
27
Do service control policies give you access to services?
No. An SCP never grants access. It can be written as an allow list or as a deny list, but either way it only limits what the IAM policies in the account can grant.
28
Is the default of a service control policy a deny or an allow?
Implicit deny: any action not explicitly allowed by an SCP is denied. That is why AWS attaches the FullAWSAccess SCP to the root, and to every OU and account, when SCPs are enabled. To restrict, you either add Deny statements or replace FullAWSAccess with a narrower allow list.
29
If there is an explicit Deny and also an explicit Allow, will the Allow win so that you can use the service?
No. The explicit Deny always wins and you are denied access.
30
Why would you use Organizations?
- Consolidated billing - Centralized account management - Tag policies - Hierarchical grouping of your accounts to meet your budgetary, security or compliance needs - A layer above IAM, where you can control which services are available in an account, even to its root user.
31
I am having trouble with developers adding tags that are formatted differently from developer to developer. I am also using Organizations; how can I fix this?
Create a tag policy and attach it in the organization. With a tag policy you can standardize tag keys, their capitalization and their allowed values.
32
Are you charged for tagging policies?
No
33
Can I add Tags to users and roles?
Yes.
34
Do most resources in AWS allow tags?
Yes, most AWS resources support tags.
35
I have developers gone wild creating tags everywhere and in many different formats. How do I solve this? Explain the steps.
- In Organizations, enable tag policies under the organization's settings (Policies). - Create a tag policy in Organizations. - Attach the tag policy to the root, an OU or an account.
36
How can I enforce that resources are not created if they are not tagged correctly?
A tag policy with enforcement turned on (the "Prevent noncompliant operations for this tag" option, enforced_for) blocks tagging operations that use a non-compliant value on the listed resource types, but it does not require the tag to be present. To refuse creation of untagged resources, use an SCP that denies the create action unless the request carries the tag, with a Null condition on aws:RequestTag/<key>.
37
I want to know which tags are not compliant. Is this possible?
Yes. Tag policies include a compliance report (per account, or organization-wide from the management account) that lists the resources whose tags violate the effective tag policy.
38
Is Organizations a regional service?
No, it is a global service like IAM; its API endpoint and its CloudTrail events live in us-east-1 (us-gov-west-1 for GovCloud).
39
Does Organizations operate an eventually consistent model?
Yes. Like IAM, it replicates data across servers worldwide, so a change such as attaching an SCP can take a short time to become visible everywhere. Automation that attaches a policy and immediately tests it must allow for that delay.
40
What is the cost of Organizations?
There is no charge, as with IAM.
41
Can you delete the organization? Explain.
Yes. First remove (or close) every member account, then delete the organization from the management account. The management account itself cannot be removed; it becomes an ordinary standalone account when the organization is deleted.
42
I want to monitor changes in my organization and receive an e-mail when changes happen. How can I do this?
Organizations API calls are recorded by CloudTrail in us-east-1 of the management account. Create an EventBridge rule (formerly CloudWatch Events) whose pattern matches source aws.organizations with detail-type "AWS API Call via CloudTrail", give it an SNS topic as the target, and subscribe your e-mail address to the topic.
43
I want to monitor changes in my organization and have an entry put in DynamoDB for each change. How can I do this?
Use the same EventBridge rule (matching Organizations API calls recorded by CloudTrail) with a Lambda function as the target; the function writes one item per event to a DynamoDB table.
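The two cards above describe one EventBridge rule with two different targets. The following is an added example, not code from this deck or from AWS: the rule's event pattern, a minimal matcher for it, the subject and body an SNS e-mail target would carry, and a Lambda handler that turns each Organizations API call into a DynamoDB item. The sample event is constructed, the account, policy and OU IDs in it are invented, and the handler takes the DynamoDB table as a parameter (in production pass `boto3.resource("dynamodb").Table(name)`) so it runs without AWS credentials.

```python
"""Organizations change audit: EventBridge pattern + Lambda handler.

Added example; not code from the flashcard deck or from AWS. The event at the
bottom is a constructed CloudTrail-via-EventBridge event, and the handler takes
the DynamoDB table as a parameter so it can run without AWS credentials.
"""
import json
from typing import Any, Dict, Optional, Tuple

# EventBridge rule pattern: every Organizations API call that CloudTrail
# records. The rule must live in us-east-1 of the management account, because
# Organizations is a global service whose events are logged there.
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["organizations.amazonaws.com"]},
}


def matches(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Minimal EventBridge matching: every pattern key must exist in the event;
    a list is the set of acceptable exact values, a dict recurses."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(have, want):
                return False
        elif have not in want:
            return False
    return True


def build_change_item(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the CloudTrail record into one DynamoDB item.

    Partition key = the thing that changed (policy, OU/account target, or the
    organization itself); sort key = event time + CloudTrail eventID, so a
    redelivered event (EventBridge is at-least-once) overwrites its own row
    instead of producing a duplicate.
    """
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    target = (params.get("policyId") or params.get("targetId")
              or params.get("accountId") or "organization")
    identity = detail.get("userIdentity", {})
    return {
        "pk": f"TARGET#{target}",
        "sk": f"{detail['eventTime']}#{detail['eventID']}",
        "eventName": detail["eventName"],
        "actor": identity.get("arn", identity.get("type", "unknown")),
        "sourceIp": detail.get("sourceIPAddress", ""),
        "requestParameters": json.dumps(params, sort_keys=True),
    }


def format_notification(item: Dict[str, Any]) -> Tuple[str, str]:
    """Subject and body for the SNS e-mail target on the same rule."""
    subject = f"[Organizations] {item['eventName']} on {item['pk'].split('#', 1)[1]}"
    body = "\n".join(f"{k}: {v}" for k, v in sorted(item.items()))
    return subject, body


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   table: Optional[Any] = None) -> Dict[str, Any]:
    """Lambda entry point; writes the item when a table object is supplied."""
    if not matches(event, EVENT_PATTERN):
        # The rule already filters, but a mis-scoped rule must not turn
        # unrelated events into audit rows.
        return {"ignored": True}
    item = build_change_item(event)
    if table is not None:
        table.put_item(Item=item)
    return item


# Constructed sample: an SCP being attached to an OU by an IAM user.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "0f6a1e02-1111-2222-3333-444455556666",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.organizations",
    "account": "111111111111",
    "time": "2024-05-01T12:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/org-admin"},
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "AttachPolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"policyId": "p-examplescp", "targetId": "ou-ab12-example"},
        "responseElements": None,
        "eventID": "9c1d2e3f-aaaa-bbbb-cccc-ddddeeeeffff",
        "eventType": "AwsApiCall",
    },
}

if __name__ == "__main__":
    item = lambda_handler(SAMPLE_EVENT)
    print(json.dumps(item, indent=2))
    print(*format_notification(item), sep="\n")
```

The sort key deliberately includes the CloudTrail eventID rather than only the timestamp: two policy changes in the same second must not collide, and a redelivery of the same event must not appear as a second change in the audit table.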
44
What does "enable All features" mean?
It unlocks every Organizations capability beyond consolidated billing: service control policies, tag policies (and the other policy types), trusted access for AWS services, and delegated administrators. Moving an existing organization from consolidated billing only to All features requires every invited member account to approve the change.
45
I have AWS Resource Access Manager (RAM) and want to enable it in my organization. Explain how I do this.
From the management account, enable trusted access for the service on the organization's Services settings page. That registers it as a trusted service, which lets it create a service-linked role in every account in the organization and act across them; for RAM it means resources can be shared with the whole organization or an OU without per-account invitations.
46
What do service control policies have to do with IAM Identity Center?
SCPs control what actions users and roles can perform in the member accounts, including the roles (permission sets) that IAM Identity Center provisions. For example, an SCP can prevent launching certain EC2 instance types or accessing specific S3 buckets regardless of the permissions granted through Identity Center. SCPs can also govern Identity Center itself: by denying the CreateInstance action (sso:CreateInstance) you limit which accounts are allowed to create an Identity Center instance.
47
In AWS, what is an organizational unit, and where would it be used?
It is a container used in AWS Organizations to build the organization's structure. OUs sit under the organization root, can be nested, and hold accounts (for example a Development OU and a Customer-facing OU). A policy attached to an OU applies to every account and OU beneath it.
48
In AWS, can you nest an OU inside an OU?
Yes, up to five levels deep below the root.
49
In AWS, how is account administration performed when you have several accounts in the organization?
There is a single management account. Every other (member) account has an IAM role, OrganizationAccountAccessRole, whose trust policy trusts the management account and which carries AdministratorAccess, so administrators in the management account assume that role to administer the member account.
50
When you create an AWS account using the Organizations API or console, do you get an OrganizationAccountAccessRole?
Yes. It is created automatically in the new account, with the name you supply (OrganizationAccountAccessRole by default).
51
When do you not get an organization account access role for an account?
When an existing account is invited into the organization rather than created by it. You must create the role, with a trust policy for the management account, in that account by hand.
52
How is the OrganizationAccountAccessRole used for managing other accounts?
The management account (or an identity account the role trusts) administers a member account by assuming the member's OrganizationAccountAccessRole through STS, or through the console's Switch Role. The temporary credentials it receives carry the role's AdministratorAccess permissions inside that account.
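Cards 5, 14 and 49 to 52 describe the role that makes cross-account administration work. As an added example, not code from this deck or from AWS, the following builds the trust policy for that role in a member account, the identity policy that lets a group in the management or identity account assume it, and the console switch-role link, and audits a trust policy for an over-broad principal or a missing MFA requirement. The account IDs are placeholders, and the MFA condition is a hardening choice added here, not part of the role Organizations creates by default.

```python
"""Cross-account administration through OrganizationAccountAccessRole.

Added example, not code from the flashcard deck or from AWS. It produces the
two policy documents the pattern relies on, builds the console switch-role
link, and audits a trust policy for the two mistakes a reviewer looks for: a
principal outside the management account, and assumption without MFA. Account
IDs are placeholders; the MFA condition is hardening added here, not something
Organizations puts on the role it creates.
"""
from typing import Any, Dict, Iterable, List, Union
from urllib.parse import urlencode

ROLE_NAME = "OrganizationAccountAccessRole"  # AWS's default role name
Policy = Dict[str, Any]


def member_role_trust_policy(management_account_id: str, require_mfa: bool = True) -> Policy:
    """Trust policy for the role inside a member account.

    Organizations creates this role only for accounts it creates; an invited
    account needs it created by hand with a trust relationship like this one.
    """
    statement: Dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids: Iterable[str], role_name: str = ROLE_NAME) -> Policy:
    """Identity policy for a group in the management (or identity) account:
    its members may assume the admin role in each listed member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}" for acct in member_account_ids],
        }],
    }


def switch_role_url(member_account_id: str, role_name: str = ROLE_NAME, display_name: str = "") -> str:
    """Console 'Switch Role' deep link for a member account."""
    params = {"account": member_account_id, "roleName": role_name}
    if display_name:
        params["displayName"] = display_name
    return "https://signin.aws.amazon.com/switchrole?" + urlencode(params)


def _principals(principal: Union[str, Dict[str, Any]]) -> List[str]:
    """Normalize the Principal element to a list of ARNs/account IDs (or ['*'])."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _account_of(principal: str) -> str:
    parts = principal.split(":")  # arn:aws:iam::ACCOUNT:root, or a bare account ID
    return parts[4] if len(parts) > 4 else principal


def audit_trust_policy(doc: Policy, management_account_id: str) -> List[str]:
    """Findings for a member-account trust policy; an empty list means it is fine."""
    findings: List[str] = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _principals(stmt.get("Principal", {})):
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
            elif _account_of(p) != management_account_id:
                findings.append(f"principal {p} is outside the management account")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("sts:AssumeRole is allowed without aws:MultiFactorAuthPresent")
    return findings


if __name__ == "__main__":
    import json
    trust = member_role_trust_policy("111111111111")
    print(json.dumps(trust, indent=2))
    print(json.dumps(assume_role_policy(["222222222222", "333333333333"]), indent=2))
    print(switch_role_url("222222222222", display_name="prod-admin"))
    print("findings:", audit_trust_policy(trust, "111111111111"))
```

Trusting `arn:aws:iam::<management>:root` means any principal in the management account that IAM allows to call sts:AssumeRole can use the role, which is why the assume-role permission in the management account is scoped to a group rather than granted broadly, and why the audit flags the absence of an MFA condition.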
53
How would you normally organize multiple accounts within an organization?
Mirror the structure of your own organisation: create OUs that represent how it is organised (business units, environments such as production and development, or functions such as security and infrastructure) and place accounts in them, so that policies are attached once per OU rather than per account.
54
I have several accounts in my AWS organization, and they currently have separate billing. I would like to have a single bill. Is this possible within AWS?
Yes. Consolidated billing is a feature of AWS Organizations: the management (payer) account receives one bill covering every member account, and volume discounts are calculated on the aggregated usage. To set it up:

1. Sign in to the AWS Organizations console as the management account (previously called the master account).
2. If no organization exists yet, choose Create organization. Enable all features (recommended for full control) or, for the minimum needed, consolidated billing features only.
3. Under Accounts choose Add an AWS account, then either invite an existing AWS account by e-mail address or account ID, or create a new account directly in the organization. An invited account must accept the invitation by e-mail or from its own Organizations console.
4. View the bill in the management account: Billing Dashboard > Bills shows the charges broken down by linked account.

Key features of consolidated billing: one bill for all accounts; volume discounts aggregated across accounts; separate cost tracking per linked account through cost allocation tags and reports; linked accounts cannot see each other's resources, only the billing is combined.
55
In AWS, what is root access management?
- **Root user**: created with the AWS account; it has full access to every service and cannot be restricted by IAM policies in the account.
- **Credentials**: you sign in as root with the account e-mail address and password.
- **Best practice**: use the root user only for the few tasks that require it, never for daily work.
- **Security**: enable MFA on the root user (strongly recommended) and monitor its activity with CloudTrail and EventBridge.
- **Root-only tasks** include: changing the root e-mail address, password or account name; restoring IAM permissions; closing the AWS account; viewing certain billing information; fixing a misconfigured S3 bucket or SQS queue policy that locks everyone out.
- **Central management**: with AWS Organizations you can manage root access for member accounts centrally: remove the root user credentials from member accounts, and perform the privileged root-only tasks from the management account instead.
- **Recovery**: root password recovery can be re-enabled per account when a task needs it; disable it again once done.
- **GovCloud**: some GovCloud-specific root tasks exist (for example, key access).

In essence, root access management is about protecting and controlling access to the AWS root user: securing it with MFA, monitoring its use, delegating day-to-day work to IAM users, roles and federated identities, and using Organizations to manage root access across many accounts centrally.
56
Why would you have consolidated billing for AWS?
Because with consolidated billing the volume discounts are calculated on the aggregated usage of all accounts, and you receive one bill instead of one per account.
57
Can you prevent accounts from leaving an organization, and if so, how would you do it?
Yes. Attach an SCP that denies organizations:LeaveOrganization to the OUs or accounts concerned. Because an SCP applies to the member account's root user as well, nobody in the account can make it leave; the management account can still remove it.
58
For consolidated billing, are all organizational accounts treated as a single account?
Yes. For pricing purposes all accounts are treated as one: usage is aggregated to reach the volume-pricing tiers, while the bill still itemises each account's charges.
59
Is it possible to select a single account and have the reserved instance discount and saving plans discounted from that particular account?
Yes. From the management account, under Billing preferences, you can turn off Reserved Instance and Savings Plans discount sharing for a particular account, so that its RI and Savings Plans benefits apply only to its own usage.
60
In AWS, I currently have a single account which was not part of an organization. Is it possible to add this single account to the organization?
Yes. From the management account, open AWS Organizations in the console (or call InviteAccountToOrganization), choose Add an AWS account, then Invite an existing AWS account, and enter the account's ID or e-mail address. The invited account accepts the invitation from its own Organizations console, after which it becomes a member account.
61
For Service Control Policies, is it Allow List, Block List or Both?
Both. An SCP can be an allow list (FullAWSAccess replaced by a narrower Allow) or a deny list (FullAWSAccess kept and specific Deny statements added). Deny lists are easier to maintain because newly released services stay usable.
62
Is the service control policy applied at the OU level or the account level?
SCPs can be attached to the organization root, to OUs and to individual accounts. They have no effect on the management account.
63
How can I apply a service control policy to a management account?
You can attach one, but it has no effect: SCPs never restrict the management account.
64
When using service control policies in an account that is not the management account, is the service control policies also applied to the root user?
Yes. In a member account SCPs apply to every principal, the root user included, as well as to all IAM users and roles; only service-linked roles are exempt.
65
In AWS, do service control policies affect the service-linked roles?
No. Service-linked roles are exempt from SCPs, so AWS services integrated with the account keep working.
66
I have just met with the PCI compliance officer and I require a way to lock down an AWS account that is part of an organization. How might I go about doing this and what service or feature would I use in AWS?
Use service control policies: attach an SCP to that account (or its OU) that denies the services, actions and regions that are out of scope for the PCI environment, so no user or role in the account can use them even if its IAM policies allow it. Pair it with an organization CloudTrail so the audit evidence lands in the logging account.
67
I am applying a service control policy to the management account. What effect will it have?
None. The management account is not affected by service control policies.
68
In AWS, when using service control policies, does an explicit deny override an explicit allow?
Yes, an explicit deny always overrides an explicit allow.
69
If you apply a service control policy to your management account to deny a service such as Athena, what effect will it have?
None. Service control policies do not affect the management account.
70
In AWS Organizations you have an OU called Sandbox and apply no service control policy of your own to it. What access will be enabled?
In principle none: SCP evaluation is implicit deny, so an action must be explicitly allowed by an SCP at every level from the root down. In practice Organizations attaches the AWS-managed FullAWSAccess SCP to the root and to every new OU and account, and at least one SCP must always stay attached, so a Sandbox OU left with the defaults has full access. The accounts lose access only when you replace FullAWSAccess with a narrower allow list or add Deny statements.
71
If I deny everything at the root level, what access do the accounts in the organization have, given that every account has an SCP allowing full access?
None. A Deny attached at the root is inherited by every OU and account below it, and an explicit Deny wins at every level, so the Allow on each account is irrelevant. Only the management account remains unaffected.
72
Can you create service control policies based on tags?
Yes. An SCP statement can carry conditions on tag keys, for example aws:ResourceTag/key, aws:RequestTag/key and aws:TagKeys, so it can deny actions on resources that lack a tag or deny tagging operations that use the wrong keys.
73
How would you use an AWS service control policy to deny a whole region?
Add a Deny statement for all actions with the condition StringEquals on aws:RequestedRegion set to the region to block. The inverse, StringNotEquals against a list of approved regions, is the usual form for an allow list of regions; in that case exempt global services such as IAM and STS with NotAction, because their requests report us-east-1.
74
I have a requirement to ensure that the proper tags are always attached to resources. How would I go about doing this?
Attach an SCP to the OU with a Deny statement on the create actions (for example ec2:RunInstances) whose condition is "Null": {"aws:RequestTag/project": "true"}; it fires whenever the request carries no project tag. Combine it with a tag policy that fixes the key's spelling and allowed values.
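Cards 6, 27 to 29, 36, 62 and 68 to 74 all turn on how SCPs are evaluated. The following is an added example, not AWS code and not from this deck: a small Python model of that evaluation (inheritance from root to account, intersection across levels, explicit deny wins, implicit deny, management account exempt), exercised with a region deny at the root, a Reserved Instance purchase deny and a required project tag on one OU, and an S3-only allow list on another. The OU layout and the policy contents are invented for the example; only StringEquals, StringNotEquals and Null conditions are modelled and the Resource element is ignored.

```python
"""Service control policy evaluation, modelled in Python.

Added example; not AWS code and not from the flashcard deck. It reproduces the
documented SCP rules: SCPs inherit down root -> OU -> account, the effective
permission is the intersection of what every level allows, an explicit Deny at
any level wins, anything not explicitly allowed at a level is implicitly
denied, and the management account is never restricted. Only the condition
operators the cards use are supported (StringEquals, StringNotEquals, Null),
the Resource element is ignored, and the OU layout and policy contents are
invented. An "allowed" result is still subject to the account's IAM policies.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]

# AWS-managed default, attached to the root and to every new OU and account.
FULL_AWS_ACCESS: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Root: block everything outside the approved regions, but exempt global
# services, whose requests always report us-east-1.
DENY_OTHER_REGIONS: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}

# Workloads OU: no self-service RI purchases, and every instance needs a project tag.
DENY_RI_PURCHASE: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:PurchaseReservedInstancesOffering",
                                  "ec2:ModifyReservedInstances"], "Resource": "*"}]}
REQUIRE_PROJECT_TAG: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"Null": {"aws:RequestTag/project": "true"}}}]}

# Data-lake OU: an allow list that replaces FullAWSAccess.
S3_ONLY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value: Any) -> List[str]:
    return [] if value is None else ([value] if isinstance(value, str) else list(value))


def _action_matches(stmt: Dict[str, Any], action: str) -> bool:
    """IAM action names are case-insensitive and support * wildcards."""
    action = action.lower()
    if "NotAction" in stmt:
        return not any(fnmatchcase(action, p.lower()) for p in _as_list(stmt["NotAction"]))
    return any(fnmatchcase(action, p.lower()) for p in _as_list(stmt.get("Action")))


def _condition_matches(cond: Optional[Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """All operator/key pairs are ANDed. A key missing from the request context
    makes StringEquals false, StringNotEquals true, and Null "true" true."""
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have, wants = ctx.get(key), _as_list(want)
            if op == "StringEquals":
                ok = have is not None and have in wants
            elif op == "StringNotEquals":
                ok = have is None or have not in wants
            elif op == "Null":
                ok = (have is None) == (wants[0].lower() == "true")
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def level_allows(policies: List[Policy], action: str, ctx: Dict[str, str]) -> bool:
    """One level (root, an OU, or the account) allows the action only if some
    attached SCP explicitly allows it and no attached SCP denies it."""
    effects = [s["Effect"] for p in policies for s in p["Statement"]
               if _action_matches(s, action) and _condition_matches(s.get("Condition"), ctx)]
    return "Allow" in effects and "Deny" not in effects


def scp_allows(chain: List[List[Policy]], action: str, ctx: Dict[str, str],
               is_management_account: bool = False) -> bool:
    """chain = the SCPs attached at each level, from the root down to the account."""
    if is_management_account:
        return True  # SCPs never restrict the management account
    return all(level_allows(level, action, ctx) for level in chain)


# Invented organization: root -> Workloads OU / DataLake OU -> accounts with the default SCP.
ROOT = [FULL_AWS_ACCESS, DENY_OTHER_REGIONS]
WORKLOADS_OU = [FULL_AWS_ACCESS, DENY_RI_PURCHASE, REQUIRE_PROJECT_TAG]
DATALAKE_OU = [S3_ONLY]
ACCOUNT = [FULL_AWS_ACCESS]


def check(ou: List[Policy], action: str, region: str,
          tags: Optional[Dict[str, str]] = None, management: bool = False) -> bool:
    """Build the request context for one call and evaluate it along root -> OU -> account."""
    ctx = {"aws:RequestedRegion": region}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (tags or {}).items()})
    return scp_allows([ROOT, ou, ACCOUNT], action, ctx, management)


if __name__ == "__main__":
    print(check(WORKLOADS_OU, "ec2:RunInstances", "eu-west-1", {"project": "ml"}))  # True
    print(check(WORKLOADS_OU, "ec2:RunInstances", "eu-west-1"))                     # False: no project tag
    print(check(WORKLOADS_OU, "s3:GetObject", "us-east-1"))                        # False: region denied at root
    print(check(DATALAKE_OU, "ec2:RunInstances", "eu-west-1", {"project": "ml"}))   # False: not in the allow list
    print(check(DATALAKE_OU, "ec2:RunInstances", "eu-west-1", management=True))    # True: management account
```

The data-lake case is the one that surprises people: the account itself still carries FullAWSAccess, yet ec2:RunInstances is denied, because the OU level never allowed it and the effective permission is the intersection across all levels, not the union.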
75
In my organization I have a requirement to ensure that all EC2 instances are backed up using a backup policy. How can I do this?
Enable trusted access for AWS Backup in Organizations and attach an Organizations backup policy to the relevant OUs. The backup policy defines the backup plan (schedule, retention, vault) and selects the resources to protect in every member account, for example EC2 instances by tag, without anything having to be configured per account. SCPs cannot do this because they only restrict actions; they cannot make a backup happen.
76
A multi-national company operates hundreds of AWS accounts and the CTO wants to rationalize the operational costs. The CTO has mandated a centralized process for purchasing new Reserved Instances (RIs) or modifying existing RIs. Whereas earlier the business units (BUs) would directly purchase or modify RIs in their own AWS accounts independently, now all BUs must be denied independent purchase and the BUs must submit requests to a dedicated central team for purchasing RIs. As an AWS Certified Solutions Architect Professional, which of the following solutions would you combine to enforce the new process most efficiently? (Select two)
To centralize RI purchasing across hundreds of accounts and stop the BUs buying or modifying RIs on their own, combine:

1. **AWS Organizations with SCPs.** Create an SCP that denies `ec2:PurchaseReservedInstancesOffering` and `ec2:ModifyReservedInstances` and attach it to the BU OUs. SCPs apply to every user and role in those accounts, including the root user, so the BUs cannot purchase or modify RIs independently.
2. **A dedicated central purchasing account**, outside the restricted OUs, used by the central team to buy RIs; with consolidated billing the RI discounts are shared across the organization. AWS Service Catalog can front this with a pre-approved product or an approval workflow (for example a ServiceNow integration) so that BUs request rather than purchase.

Options that do not enforce the process: IAM policies work only within a single account and can be changed by that account's administrators; billing alerts and budgets notify after the fact; tag policies govern tags but cannot block an RI purchase.
77
Explain AWS Organizations All features mode.
In **AWS Organizations**, the **All features** mode is the most comprehensive way to manage multiple AWS accounts under one umbrella.

**What is AWS Organizations?** It lets you centrally manage multiple AWS accounts: account creation, consolidated billing and policy-based management. When you create an organization you choose one of two feature sets:

- **Consolidated billing only**
- **All features** (the more powerful option)

**What All features mode enables**

| Feature | Description |
|---|---|
| **Service control policies (SCPs)** | Guardrails across accounts: restrict which services and actions can be used even when an account's IAM policies grant full permissions. |
| **Organizational units with policies** | Group accounts into a hierarchy; a policy attached to an OU applies to everything beneath it. |
| **Delegated administrators** | Nominate member accounts to administer an AWS service (AWS Config, IAM Identity Center, CloudFormation StackSets and others) for the whole organization, keeping that work out of the management account. |
| **Tag policies** | Standardize tag keys and values across accounts for cost tracking, compliance and automation. |
| **Trusted access for AWS services** | Let services such as AWS Config, CloudTrail and AWS Backup operate across all accounts centrally. |
| **Other policy types** | Backup policies and AI services opt-out policies, attached and inherited the same way as SCPs. |
| **Centralized billing and cost tracking** | One bill, with cost allocation tags and per-account reports. |
| **Centralized security and backup** | Manage AWS Backup, Security Hub and similar services from a single administrator account. |

**Governance at scale**

- Restrict actions globally with SCPs (for example, deny deletion of CloudTrail trails).
- Enforce organizational security baselines.
- Standardize compliance with automated account setup through CloudFormation StackSets.

**Consolidated billing vs All features**

| Feature | Consolidated billing | All features |
|---|---|---|
| Centralized billing | ✅ | ✅ |
| Create and invite accounts | ✅ | ✅ |
| Service control policies | ❌ | ✅ |
| Tag policies | ❌ | ✅ |
| Delegated administrators | ❌ | ✅ |
| Trusted service access | ❌ | ✅ |

**Best use cases**

- Large organizations managing many accounts
- A need for security boundaries and policy enforcement
- Centralized control with decentralized responsibility
- Cost optimization, compliance and automated provisioning