Governance

Question 1

What is AWS Organizations?

Answer 1

Service for governance of multiple AWS Accounts

Question 2

What are 5 main features of Organizations?

Answer 2

1. Consolidated Billing
2. Service Control Policies
3. CloudTrail Logging Account
4. Easily Create/Destroy AWS Accounts
5. Share Reserved Instance Capacity across accounts

Question 3

What is special about a SCP?

Answer 3

It has the final say when applied, even on a root account.

Will be applied to all resources in account

Question 4

Can SCP give permissions?

Answer 4

No they do not give permissions (allows in SCP only give the potential to make calls), only takes them away

Question 5

What should you do if you want to have centralized logs and ensure they can’t be edited or deleted?

Answer 5

Use Organizations to create a logging account, and a SCP attached to the account to restrict changes

Question 6

What is a SCP?

Answer 6

A policy that ensure guardrails are adhered to in AWS accounts by limiting user permissions

Question 7

What is Resource Access Manager?

Answer 7

Way to easily share resources between AWS Accounts in the same Organization or intra-Organization like sharing a VPC Subnet

Question 8

What is Cross Account Role Access?

Answer 8

Enables temporary access between accounts to prevent needing duplicate IAM Accounts/users

Question 9

What does Cross Account Role Access consist of?

Answer 9

Create a role that allows a trusted entity from an account id to assume, and attach policies to this role

Question 10

What is AWS Config?

Answer 10

Inventory management and control tool. Can let you know what infastructure is in your account, rules to ensure they conform and auto remediate, see history of changes

Question 11

What does AWS Config use to remediate?

Answer 11

It uses Automation Documents

Question 12

When should you use AWS Config?

Answer 12

When the exam mentions using a standard that needs to be managed across accounts

Question 13

Can you share the default VPC using Resource Access Manager?

Answer 13

No you cannot

Question 14

What does Resource Access Manager consist of?

Answer 14

Share a resource like vpc subnet, with a particular aws account id, and specify the actions the principal can take on the shared resource

Question 15

What are the 3 types of AWS Actiive Directory?

Answer 15

1. Managed Microsoft AD
2. AD Connector
3. Simple AD

Question 16

What is Managed Microsoft AD?

Answer 16

An entirely AWS managed AD, full featured in the Cloud

Question 17

What is an AD Connector?

Answer 17

Tunnel between on-prem AD and AWS where you can leave your AD on-prem, but still authenticate using AD within AWS

Question 18

What is Simple AD?

Answer 18

Linux Samba AD, standalone AD, not fully featured

Question 19

What is AWS Cost explorer?

Answer 19

Tool that lets you visualize and see where your cloud costs are, build reports and can be done by e.g. resource tags

Question 20

What are 3 types of reports Cost Explorer can give you?

Answer 20

1. By time
2. By service
3. By filter e.g. tags or categories or region

Question 21

What must you do for Cost Explorer to filter by tags?

Answer 21

You must opt in for each tag as a cost allocation tag in billing portal

Question 22

What can Cost Explorer do other than report and visualize?

Answer 22

It can create a forecast of spending

Question 23

What is AWS Budgets?

Answer 23

Tool for planning cloud costs, track spending, create alerts

Question 24

What are the 4 budget types?

Answer 24

1. Cost budgets
2. usage budgets
3. reservation budgets - underutilizing RI’s?
4. savings plan budgets? - is what we doing covered by savings plan?

Question 25

What can you do with AWS Budgets once an alert is triggered?

Answer 25

You can have AWS Budgets take an action as a result of an alert when spend approaches a threshold.

Question 26

What is AWS Inspector?

Answer 26

Managed tool for auditing best practices, and provides you recommendations for 5 areas

Question 27

What are the 5 areas that AWS Trusted Advisor looks at?

Answer 27

1. Cost optimization
2. Fault Tolerance
3. Performance
4. Security
5. Service Limits

Question 28

What should you setup with AWS Trusted Advisor?

Answer 28

You should setup alerts to let someone know something is wrong like SNS

Question 29

Does AWS Trusted Advisor fix problems for you?

Answer 29

No it does not, you will need to setup EventBridge with Lambda to do that

Question 30

WHat is the cost of Trusted Advisor?

Answer 30

It is free, but more useful checks require a support plan