Governance Flashcards
Service is a free governance tool that allows you to create and manage multiple AWS accounts
AWS Organizations
Service allows you to control your accounts from a single location instead of having to jump from account to account
AWS Organizations
Account within AWS Organizations that is also called the payer account. It is the primary account that hosts and manages the organization
Management Account
Can there be more than one Management account within AWS Organizations
No
All accounts in an AWS Organization other than the management account, such as dev, test, and production accounts
Member Account
Feature in AWS Organizations that rolls all bills up to the payer account. Simplifies payment by using a single payment method for the whole organization
Consolidated Billing
Feature of consolidated billing that aggregates usage across all accounts so the organization reaches volume-pricing tiers sooner
Usage Discounts
Can you easily share Reserved Instances and Savings Plans across the accounts of an organization in AWS Organizations?
Yes. Discount sharing is on by default under consolidated billing and can be turned off per account
Service allows you to easily achieve a multi-account design while maintaining centralized management
AWS Organizations
Logical grouping of multiple accounts to allow for easy management and separation within AWS Organizations
Organizational Unit (OU)
Policies within AWS Organizations that are attached to the root, OUs, or accounts to set the maximum permissions available in those accounts. They only restrict; they never grant permissions on their own
Service Control Policies (SCP)
Free service that allows you to share AWS resources with other accounts inside or outside your organization
Resource Access Manager (RAM)
Free service that allows you to easily share resources rather than having to create duplicate copies in your different accounts
Resource Access Manager (RAM)
Gives a principal in another account temporary access that you control through a role trust policy and STS AssumeRole. The temporary credentials expire on their own and active sessions can be revoked as needed
Cross-account role access
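The card above is the whole cross-account story in two sentences; what a practitioner actually reviews is the role's trust policy. The following is an added example (not code from the flashcards or from AWS): a weak trust policy next to a hardened one, a small lint that flags the weak patterns, and a helper that builds the "revoke active sessions" deny policy the IAM console attaches (a Deny on everything issued before a cut-off time via aws:TokenIssueTime). The account IDs, role name and ExternalId are constructed placeholders.

```python
"""Trust-policy lint and session-revocation helper for cross-account roles.
Added illustration, not AWS or flashcard code. Account IDs, role name and
ExternalId are constructed placeholders."""
import json

# Constructed: a weak trust policy. Any IAM principal in account 111111111111
# can assume the role and no ExternalId is required (confused-deputy risk if
# that account belongs to a third party).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed: the hardened form. Only one named role in the partner account
# may assume the role, and it must present the agreed ExternalId.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/PartnerAuditRole"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-7f3a"}},
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_trust_policy(policy):
    """Return a list of findings for an AssumeRole trust policy.

    Per Allow statement on sts:AssumeRole it flags: a wildcard principal, an
    account-root principal (every principal in that account qualifies), and a
    missing sts:ExternalId condition. An empty list means no findings.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a.startswith("sts:assumerole") or a == "*" for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append("principal is '*': any AWS account can assume the role")
            elif p.endswith(":root"):
                findings.append(f"principal {p} is an account root: every IAM principal in that account qualifies")
        flat_conditions = {k for ops in stmt.get("Condition", {}).values() for k in ops}
        if "sts:ExternalId" not in flat_conditions:
            findings.append("no sts:ExternalId condition: third-party callers are exposed to the confused-deputy problem")
    return findings


def revoke_sessions_policy(issued_before_iso):
    """Build the inline deny policy that revokes every session whose temporary
    credentials were issued before the given time (the mechanism behind the IAM
    console's "Revoke active sessions"). Sessions started afterwards are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before_iso}},
        }],
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, lint_trust_policy(policy) or "no findings")
    print(json.dumps(revoke_sessions_policy("2024-01-01T00:00:00Z"), indent=2))
```

The caller in the partner account then uses `aws sts assume-role --role-arn <role> --role-session-name <name> --external-id <id>`; without the matching ExternalId the hardened policy rejects the call. Because the revoke policy keys on aws:TokenIssueTime rather than on a session name, it is the only reliable way to cut off credentials that are still within their lifetime.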
Service is an inventory management and control tool that shows the configuration history of your infrastructure over time. Monitoring and assessment tool. Track AWS architecture and check for best practice violations
AWS Config
Service offers the ability to create rules to make sure resources conform to your requirements. Monitoring and assessment tool. Track AWS architecture and check for best practice violations
AWS Config
Can Config receive alerts via SNS?
Yes
Can AWS Config be configured cross-region?
No
Does AWS Config have to be configured per region?
Yes
Can the results of Config be aggregated across Regions and AWS Accounts?
Yes, with a configuration aggregator
Service that is used to gain a view of your infrastructure’s overall compliance at an entire organizational level. Track AWS architecture and check for best practice violations
AWS Config
Represent your desired configuration settings in AWS Config. Can be AWS-managed or custom. Evaluated periodically on a schedule or when a configuration change is detected
Rules
Is AWS Config free?
No
Does AWS Config offer automatic remediation of non-compliant configurations?
Yes
Mechanism AWS Config uses to automatically remediate non-compliant resources. Can be AWS-managed or custom
SSM Automation documents
Automation Documents that can leverage Lambda functions for custom logic
Custom
Can you enable a retry if auto-remediation fails in AWS Config?
Yes
Can EventBridge send events from AWS Config to other AWS services like SQS and Lambda?
Yes
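The two cards above describe the alerting path without showing what the rule actually looks like. As an added example (not from the flashcards or from AWS), here is a minimal EventBridge event-pattern matcher run against a constructed AWS Config compliance-change event, using the documented top-level shape of Config's "Config Rules Compliance Change" event (source `aws.config`, `detail.newEvaluationResult.complianceType`). The rule name, account ID and resource ID are made up.

```python
"""EventBridge pattern matching for AWS Config compliance-change events.
Added illustration, not AWS or flashcard code. The event body is constructed
in the shape Config publishes; IDs and names are placeholders."""

# Pattern for an EventBridge rule whose target is an SQS queue or a Lambda
# function: fire only when a Config rule evaluation becomes NON_COMPLIANT.
NON_COMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}


def matches(pattern, event):
    """EventBridge semantics for the common case: every key in the pattern must
    exist in the event, a list of values matches if the event value equals any
    of them, and a nested dict recurses. Event keys absent from the pattern
    are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_config_event(rule_name, new_type, old_type, resource_id="sg-0123456789abcdef0"):
    """Constructed event in the shape Config sends to EventBridge."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": rule_name,
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": resource_id,
            "awsAccountId": "123456789012",
            "newEvaluationResult": {"complianceType": new_type},
            "oldEvaluationResult": {"complianceType": old_type},
        },
    }


def route(event):
    """What the target would receive: a compact alert record, or None when the
    pattern does not match and EventBridge would not deliver the event."""
    if not matches(NON_COMPLIANT_PATTERN, event):
        return None
    d = event["detail"]
    return {
        "account": d["awsAccountId"],
        "rule": d["configRuleName"],
        "resource": f'{d["resourceType"]}/{d["resourceId"]}',
    }


if __name__ == "__main__":
    print(route(make_config_event("restricted-ssh", "NON_COMPLIANT", "COMPLIANT")))
    print(route(make_config_event("restricted-ssh", "COMPLIANT", "NON_COMPLIANT")))
```

Note that a resource returning to COMPLIANT is silently dropped by this pattern; if you also want closure notifications, list both values under `complianceType` and branch on `oldEvaluationResult` in the target.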
Service is a fully managed version of Active Directory. Allows you to offload the painful parts of keeping AD online and run AD inside of AWS
AWS Directory Service
Type of Directory Service that lets you build out a full Active Directory in AWS. The entire AD suite, running on AWS-managed domain controllers
Managed Microsoft AD
Type of Directory Service that acts as a proxy, redirecting directory requests to your on-premises AD without caching directory data in the cloud
AD Connector
Type of Directory Service that is a standalone, Samba-based directory supporting a subset of AD features for simple authentication needs
Simple AD
Service is an easy-to-use tool that allows you to visualize and analyze your cloud costs
Cost Explorer
Can you generate custom reports based on resource tags in Cost Explorer?
Yes
Service that allows organizations to easily plan and set expectations around cloud costs
AWS Budgets
Service that can create alerts to let users know when they’re close to exceeding their allotted spend
AWS Budgets
Service is the most comprehensive set of cost and usage data available for AWS spending
AWS Cost and Usage Reports (CUR)
Can AWS CUR publish billing reports to EC2?
No
Can AWS CUR publish billing reports to S3?
Yes
Do AWS CUR reports update immediately?
No, reports are delivered to S3 at least once a day
Service easily integrates with Athena, Redshift, or Quicksight to develop cost and usage billing reports
AWS Cost and Usage Reports (CUR)
Service used to monitor On-Demand capacity reservations
AWS Cost and Usage Reports (CUR)
Service used to track Savings Plans utilizations, charges, and allocations
AWS Cost and Usage Reports (CUR)
Service used to break down your AWS data transfer charges
AWS Cost and Usage Reports (CUR)
Service that analyzes configurations and utilization metrics of your AWS resources
AWS Compute Optimizer
Service that reports current usage optimizations and potential recommendations
AWS Compute Optimizer
Service that provides graphical historical data and projected utilization metrics
AWS Compute Optimizer
Service that works with EC2, ASGs, EBS, and Lambda, analyzing the configuration and utilization metrics of your AWS resources
AWS Compute Optimizer
Is AWS Compute Optimizer enabled by default
No
Pricing model that offers flexible pricing for up to 72% savings on compute
Savings Plans
Pricing model that offers lower prices for EC2 usage regardless of instance family, size, OS, tenancy, or Region (the Compute Savings Plans flavor)
Savings Plans
Can the pricing model Savings Plans apply to Lambda or Fargate usage?
Yes
Can the pricing model Savings Plans apply to Sagemaker for lowering instance pricing?
Yes
Pricing model provides savings for long-term commitments in one-year or three-year pricing options. All upfront, Partial upfront, or No upfront.
Savings Plans
Type of Savings Plan that applies to any EC2 compute, Lambda, or Fargate usage. Up to 66% savings on compute
Compute Savings Plans
Type of Savings Plan that applies only to EC2 instances of a specific instance family in a specific Region. Offers up to 72% savings
EC2 Instance Savings Plans
Type of Savings Plan that applies to SageMaker instances regardless of instance family or size. Up to 64% savings
SageMaker Savings Plans
Service is an easy way to set up and govern an AWS multi-account environment by automating account creation and security controls via other AWS services
AWS Control Tower
Service extends AWS Organizations to prevent governance drift and leverages different guardrails
AWS Control Tower
Service where users can provision new AWS accounts quickly using central admin-established compliance policies
AWS Control Tower
Service is the quickest way to create and manage a secure, compliant, multi-account environment based on best practices
AWS Control Tower
Feature of AWS Control Tower: high-level rules expressed in plain language that provide ongoing governance
Guardrails (now called controls)
Type of guardrail that ensures accounts maintain governance by disallowing violating actions. Implemented as SCPs
Preventive
Type of guardrail that detects and alerts on non-compliant resources across all accounts. Implemented as AWS Config rules
Detective
Shared accounts that AWS Control Tower creates in a landing zone
Management, log archive, and audit accounts
Service that simplifies managing software licenses with different vendors by centrally managing licenses across AWS accounts and on-premises environments
AWS License Manager
Service that provides visibility of resource performance and availability of AWS services or accounts. Provides visibility into service and resource health
AWS Health
Service that has near-instant delivery of notifications and alerts to speed up troubleshooting or prevention
AWS Health
Service used to automate actions based on incoming events, for example from AWS Health or AWS Config
Amazon EventBridge
Service that is a fully managed best-practice auditing tool. It inspects your AWS environment and makes recommendations when there are opportunities to save money, improve performance, fault tolerance or security, or stay within service quotas
AWS Trusted Advisor
Does AWS Trusted Advisor make recommendations based on the entire account?
Yes
One of the only ways to restrict what a member account's root user can do. Does not apply to the management account or its root user
Service Control Policies (SCP)
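The SCP cards earlier in the deck and the root-account card just above both turn on the same evaluation rules: an explicit Deny in any SCP wins, every level of the OU path must carry an SCP that allows the action, SCPs never grant anything on their own, and none of this applies to the management account. The following is an added example (not code from the flashcards or from AWS) that encodes those rules in a reduced model and runs a constructed guardrail SCP through it. It ignores resource ARNs, NotAction and every condition key except aws:RequestedRegion; policy contents and the approved Region list are made up.

```python
"""Reduced model of SCP plus identity-policy evaluation.
Added illustration, not AWS or flashcard code. Policies, OU layout and the
approved Region list are constructed; the model omits resource ARNs,
NotAction and all condition keys except aws:RequestedRegion."""
from fnmatch import fnmatchcase

# Default SCP attached to the root, every OU and every account when SCPs are enabled.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrail SCP: no account may leave the organization, stop the
# AWS Config recorder, or launch EC2 outside the approved Regions, however much
# IAM permission its administrators (or its root user) hold.
GUARDRAILS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeaveOrg", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "ProtectConfig", "Effect": "Deny",
         "Action": ["config:StopConfigurationRecorder",
                    "config:DeleteConfigurationRecorder",
                    "config:DeleteDeliveryChannel"], "Resource": "*"},
        {"Sid": "DenyEc2OutsideApprovedRegions", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}

ADMIN_IDENTITY_POLICY = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_IDENTITY_POLICY = {"Version": "2012-10-17",
                           "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def _action_matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(stmt, ctx):
    """Supports StringEquals / StringNotEquals only. As in IAM, a negated operator
    on a key that is absent from the request context evaluates to true."""
    for op, pairs in stmt.get("Condition", {}).items():
        for key, values in pairs.items():
            values = [values] if isinstance(values, str) else values
            actual = ctx.get(key)
            if op == "StringEquals" and actual not in values:
                return False
            if op == "StringNotEquals" and actual in values:
                return False
    return True


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow', or None when no statement matches the action."""
    decision = None
    for stmt in policy["Statement"]:
        if _action_matches(stmt.get("Action", []), action) and _condition_holds(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, identity_policy, scp_path, management_account=False, ctx=None):
    """scp_path lists the SCPs attached at each level of root -> OU(s) -> account.
    Each level must contain an SCP that allows the action and none that denies it;
    the management account skips SCP evaluation entirely."""
    ctx = ctx or {}
    if not management_account:
        for level in scp_path:
            decisions = [evaluate(scp, action, ctx) for scp in level]
            if "Deny" in decisions or "Allow" not in decisions:
                return False
    return evaluate(identity_policy, action, ctx) == "Allow"


# Root keeps FullAWSAccess, the workloads OU adds the guardrails, the account has only the default.
MEMBER_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, GUARDRAILS_SCP], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    print(is_allowed("organizations:LeaveOrganization", ADMIN_IDENTITY_POLICY, MEMBER_PATH))
    print(is_allowed("config:StopConfigurationRecorder", ADMIN_IDENTITY_POLICY, MEMBER_PATH, management_account=True))
```

Two things the model makes concrete: an administrator (or root user) in a member account is blocked by the guardrail even though its identity policy allows everything, while the same action in the management account goes through untouched; and replacing FullAWSAccess at an OU with only the deny-style guardrail SCP leaves no Allow at that level, so everything in that OU is denied until an allow-list SCP is attached alongside it.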
Service used to simplify access management to multiple AWS accounts, AWS applications, and other SAML-enabled cloud applications from a single sign-on
AWS IAM Identity Center (formerly AWS Single Sign-On)
Service that allows organizations to create and centrally manage catalogs of approved IT services as CloudFormation templates
AWS Service Catalog
Service that lets platform teams define infrastructure (IaC) and deployment templates that developers use to provision serverless and container-based applications
AWS Proton
Service is a tool for measuring current workload against established AWS best practices. Documents workload and architecture decisions
AWS Well-Architected Tool