Governance Flashcards
What is AWS Organizations?
Service for governance of multiple AWS Accounts
What are 5 main features of Organizations?
- Consolidated Billing
- Service Control Policies
- CloudTrail Logging Account
- Easily Create/Destroy AWS Accounts
- Share Reserved Instance Capacity across accounts
What is special about a SCP?
It has the final say when applied, even on a root account.
It is applied to all resources in the account.
Can SCP give permissions?
No, they do not grant permissions (an Allow in an SCP only sets the potential to make calls); they only take permissions away.
What should you do if you want to have centralized logs and ensure they can’t be edited or deleted?
Use Organizations to create a logging account, with an SCP attached to that account to restrict changes.
What is a SCP?
A policy that ensures guardrails are adhered to in AWS accounts by limiting user permissions.
What is Resource Access Manager?
A way to easily share resources between AWS Accounts in the same Organization or across Organizations, e.g. sharing a VPC subnet.
What is Cross Account Role Access?
Enables temporary access between accounts so you do not need duplicate IAM accounts/users in each account.
What does Cross Account Role Access consist of?
Create a role that a trusted entity from a given account ID is allowed to assume, and attach policies to this role.
What is AWS Config?
Inventory management and control tool. It lets you know what infrastructure is in your account, define rules to ensure resources conform and auto-remediate, and see the history of changes.
What does AWS Config use to remediate?
It uses Automation Documents
When should you use AWS Config?
When the exam mentions using a standard that needs to be managed across accounts
Can you share the default VPC using Resource Access Manager?
No, you cannot.
What does Resource Access Manager consist of?
Share a resource, such as a VPC subnet, with a particular AWS account ID, and specify the actions the principal can take on the shared resource.
What are the 3 types of AWS Active Directory?
- Managed Microsoft AD
- AD Connector
- Simple AD
What is Managed Microsoft AD?
An entirely AWS-managed, full-featured AD in the Cloud.
What is an AD Connector?
A tunnel between on-prem AD and AWS: you leave your AD on-prem but can still authenticate using AD from within AWS.
What is Simple AD?
A standalone Linux Samba AD; not fully featured.
What is AWS Cost Explorer?
A tool that lets you visualize and see where your cloud costs are and build reports, which can be broken down by e.g. resource tags.
What are 3 types of reports Cost Explorer can give you?
- By time
- By service
- By filter, e.g. tags, categories or region
What must you do for Cost Explorer to filter by tags?
You must opt in for each tag as a cost allocation tag in the billing portal.
What can Cost Explorer do other than report and visualize?
It can create a forecast of spending
What is AWS Budgets?
A tool for planning cloud costs, tracking spending and creating alerts.
What are the 4 budget types?
- Cost budgets
- Usage budgets
- Reservation budgets (are we underutilizing RIs?)
- Savings Plans budgets (is what we are doing covered by a Savings Plan?)
What can you do with AWS Budgets once an alert is triggered?
You can have AWS Budgets take an action as a result of an alert when spend approaches a threshold.
What is AWS Trusted Advisor?
A managed tool for auditing best practices that provides you recommendations in 5 areas.
What are the 5 areas that AWS Trusted Advisor looks at?
- Cost optimization
- Fault Tolerance
- Performance
- Security
- Service Limits
What should you set up with AWS Trusted Advisor?
You should set up alerts (e.g. via SNS) to let someone know when something is wrong.
Does AWS Trusted Advisor fix problems for you?
No, it does not; you will need to set up EventBridge with Lambda to do that.
What is the cost of Trusted Advisor?
It is free, but the more useful checks require a support plan.