IAM, Accounts and AWS Organizations Flashcards

1
Q

IAM Identity Policies

A

Are a type of policies which get attached to identities inside AWS.

-Is a set of security statements to AWS.
- It grants access or denies access to AWS products or features to any identity which uses that policy.
- Created using JSON.
- Policies can have multiple statements.

When an identity attempts to access AWS resources, that identity needs to prove who it is to AWS. Once authenticated, that identity is known as an authenticated identity.

-AWS knows which policies an identity has.
- AWS has a collection of all of the statements which apply to a given identity.
-AWS knows which resources, you’re attempting to interact with, as well as what actions you want to perform.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What makes up a Statement?

A
  1. The first part of a statement is a statement ID, or a SID (optional field), which lets you identify a statement and what it does.

Every interaction that you have with AWS, is a combination of two main things, the resource that you’re interacting with, and the actions that you’re attempting to perform.

A statement only applies, if the interaction match the action and the resource.

  1. Action describes the specific action or actions that will be allowed or denied. Each AWS service has its own set of actions that describe tasks that you can perform with that service.

Single action ====> “Action”: “iam:ChangePassword”
Multiple actions ====> “Action”: [ “sqs:SendMessage”, “sqs:ReceiveMessage”, “ec2:StartInstances”]

You can use a wildcard (*) to give access to all the actions the specific AWS product offers. For example, the following Action element applies to all S3 actions.

“Action”: “s3:*”

You can also use wildcards (*) as part of the action name. For example, the following Action element applies to all IAM actions that include the string AccessKey, including CreateAccessKey, DeleteAccessKey, ListAccessKeys, and UpdateAccessKey.

“Action”: “iam:AccessKey

  1. Resource specifies the object or objects that the statement covers. You specify a resource using an ARN. Each service has its own set of resources. Although you always use an ARN to specify a resource, the details of the ARN for a resource depend on the service and the resource.

“Resource”: “arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1”
“Resource”: “arn:aws:iam::account-ID-without-hyphens:user/Bob”

  1. Effect is to either allow or deny. Effects controls what AWS does if the action and the resource parts of the statement match the operation that you’re attempting to do with AWS.

“Effect”:”Allow”

Overlap Situation

If there are multiple statements which apply to an operation in AWS, then all of the statements are processed.

RULES

1st Priority - Explicit DENY = It overrules everything else
2nd Priority - Explicit ALLOW = These take effect unless, there is also an explicit deny.
3rd Priority - Default DENY = If neither of those apply, so you’re attempting to do something for which you have no explicit allow or deny, then the default implicit deny takes effect.

With the exception of the Account Root User, AWS identifies start off with NO ACCESS to any AWS resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Multiple Policies

A

When a given identity accesses a resource, it collects all of the statements in ALL of the policies which apply. So the users directly, the groups the users are in, and any resource policies on the resources that they’re attempting to access, it collects all of these together and evaluates them ALL at the same time.

Same rule applies, DENY, ALLOW OR DEFAULT DENY.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Type of Policies

A

There are two main types of policies, they are both JSON policies but the difference is how they’re managed.

  • Inline Policies = Apply the policy to each account/user individually, but changing the access rights would mean changing it, on each and every one of them.

–This is used for exceptions to the normal access rights, so special circumstances.

  • Managed Policies = Are created as their own object. First, you’d create the managed policy which is just a piece of JSON with some statements in, and then you would attach that policy to any identities, who you wanted to gain those access rights.

– Reusable
– Low Management Overhead

There are two main types of managed policies:

–AWS managed policies = Which are created and managed by AWS.
–Customer managed policies = Which you can create and manage so you can define them as per the exact requirements of your business.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

IAM Users and ARNs

A

IAM Users are an identity used for anything requiring long-term AWS access e.g. Humans, Applications or service accounts.

IAM Principal

Which represents an entity trying to access an AWS account. Principals can be individual people, computers, services or a group.

For a principal to be able to do anything, it needs to authenticate and be authorized.

  • When a principal makes a requests to IAM to interact with Resources, to be able to interact with resources, it needs to authenticate against an identity within IAM.

Authentication is a process where the principal proves to IAM that it is an identity that it claims to be. This is done by either using:

-Username and Password = Human accessing AWS and via the console UI.
- Access Keys = Application or a human accessing through the AWS CLI

These are both examples of long-term credentials.

  • Once the principal becomes an authenticated identity, then AWS knows which policies apply to the identity. This is the process of authorization.

Authorization is IAM checking the statements that apply to that identity and either allowing or denying that access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Amazon Resource Name (ARN)

A

Uniquely identity resources within any AWS accounts.

-ARN’s allow you to refer to a single resource, if needed, or in some cases, a group of resources using wild cards.
-ARNs are collections of fields split by a colon.
-ARN’s are used in IAM policies.

arn:aws:s3:::catgifs ====> refers to the bucket itself.
arn:aws:s3:::catgifs/* ====> refers to the objects in the bucket but not the bucket.

“*” is a wild card that matches any keys.
“::” when something doesn’t need to be specified.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

EXAM POWER UP

A
  • 5000 IAM Users per account.
  • IAM User can be a member of 10 groups.
  • This has systems design impact…
  • Limit for Internet-scale applications
  • Limit Large orgs & orgs merges
  • We can fix this by using IAM Roles & Identity Federation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

IAM Groups

A

Are containers for IAM Users. They exist to make organizing and management of large sets of IAM users easier.

  • Have no credentials of their own.
  • You can not login into a group.
    -No Nesting. (Groups within groups)
    -Limit of 300 groups per account (can be increased)

Groups give us to main benefits:

-They allow effective administration-style management of users
-Groups can have policies attached to them (Inline or Managed)
-There’s no limit for the number of users in a single IAM group.

If an IAM User has multiple policies attached to it or associated with, AWS will merge all of those into a set of permissions and apply the deny-allow-deny rule to them.

There isn’t a built-in all-users group inside IAM, so you don’t have a single group that contains all of the members of that account.

Policies can be attached to resources, these are known as resource policies, they can reference identities. It controls access to an specific resource and it allows or denies identities to access, for example, a bucket. It does this by referencing these identities using an ARN. (Users and Roles can be referenced in this way)

-Groups are not a true identity. They can’t be referenced as a principal in a policy. A resource policy cannot grant access to an IAM group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

IAM Roles

A

A role is an identity and is generally used by an unknown number or multiple principals, not just one.

This might be multiple AWS users inside the same AWS account, or it could be humans, applications, or services, inside or outside of your AWS account.

-If you can’t identify the number of principals, which use an identity, then it could be a candidate for an IAM role.
-Generally used on a TEMPORARY basis. (something becomes that role for a short period of time and then stops)
-A role is something which represents a level of access inside an AWS account.

What’s the difference between logging into a user and assuming a role?

In both cases, you get the access rights that the identity has.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

IAM roles have two types of policies which can be attached:

A
  • Trust Policy = Controls which identities can assume that role. It can reference identities in the same account, so other IAM users, other roles, and even AWS services such as EC2, or identities in other AWS accounts. It can even allow anonymous usage of that role and other types of identities such as Facebook, Twitter, and Google.

If a role gets assumed by something which is allowed to assume it, then AWS generates temporary security credentials (AWS STS) and these are made available to the identity which assumed the role.

-They’re time-limited, once they expire, the identity will need to renew them by reassuming the role.

These temporary credentials will be able to access whatever AWS resources are specified within the permission’s policy. Everytime the security credentials are used the access is checked against this permissions policy. If you change the permissions policy, the permissions of those temporary credentials also change.

-Roles can be referenced within Resource Policies. so if a role can access an S3 bucket because a resource policy allows it or because the role permissions policy allows it, then anything which successfully assumes the role can also access the resource.
-Roles are used within AWS Organizations, to allow us to login to one account in the organization and access different accounts without having to login again.

  • Permissions Policy = Control what permissions the identity gets inside AWS. (Inline or Managed)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

When to use IAM Roles

A

*AWS services operate on your behalf and they need access rights to perform certain actions.

Anything that’s not an AWS identity, this might be an application or a script running on a piece of compute hardware somewhere, that you need to give it permissions on AWS using access keys.

Instead of doing that we’re just giving it a IAM role.

*Emergency or out of the usual situations

A person can assume an emergency role when absolutely required. When he does, he’ll gain additional permissions based on the role’s permission policy. Now this access will be logged and the person will know to only use the role under exceptional circumstances.

*When you’re adding AWS into an existing corporate environment.

Remember there’s the 5000 IAM user limit, so for a corporate, with more than 5000 staff, you can’t offer each of them an IAM user. Roles are often used when you want to reuse your existing identities for use within AWS. Why?, because external accounts can’t be used directly to access AWS resources.

How this work, is that you allow an IAM role inside your AWS account to be assumed by one of the external identities, which is in Active Directory (Example). When the role is assumed, security credentials are generated and used to access the resources.

Using a role in this way, so giving permissions to an external identity provider and allowing external identities to assume this role, is called ID Federation.

*If you’re designing the architecture for a popular mobile application.

Ride Sharing App - with 1.000.000 of users

The application needs to store and retrieve data from a database product in AWS, such as DynamoDB.

Since there’s a limit of IAM users, we can fix this with a process called Web Identity Federation, which uses IAM role. Most mobile applications, allow you to sign in using a web identity (Google, Twitter, Facebook), if you utilize this architecture for our web application, we can trust these identities and we can allow these identities to assume an IAM role. (Based on the role’s Trust Policy)

This has many advantages:

–No AWS credentials stored in the application = From a security point of view, if the application is exploited, there’s no change credentials being leaked and it uses an IAM role, which you can directly control from your AWS account.

–Uses existing customer logins = So they don’t need yet another account

–It can scale to 100.000.000’s of accounts

*Cross-account access. (AWS Organizations)

Two AWS accounts, yours and a partner account.

Let’s say your partner organization offers an application which processes scientific data and they want you to store any data inside an S3 bucket, that’s in their account.

Your account has 1000’s of identities and the partner IT team don’t want to create IAM users, in their account for all of your staff. The best approach is to use a role in the partner account, your users can assume that role, get temporary security credentials and use those to upload objects.

–You can use orles to give access to a whole account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Service-Linked Roles

A

Service-Linked role is an IAM role linked to a specific service.

-They provide a set of permissions which is predefines by a service
-Provide permissions that a single AWS service needs to interact with other AWS service on your behalf.
-Service-Linked roles might be created by the service itself or the service might allow you to create the role during the setup process of that service or within IAM.
-You must configure permissions for an IAM entity (user or role) to allow the user or role to create or edit the service-linked role.

The key difference between service-linked roles and normal roles:

  • Is that you can’t delete a service-linked role, until it’s no longer required. (Means that is no longer used within that AWS service)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Service Roles vs Service-Linked Roles

A

Remember that service roles are different than service-linked roles. A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM.

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Role Separation & PassRole

A

*Role Separation is where you might give one group of people the ability to create roles and another group of people the ability to use them.

So in this case, we might want ot give “Bob”, the ability to use a service-linked role with an AWS service. So being able to take a service-linked role and assign it to a service, and if you wanted to give “Bob” the ability to use a preexisting role with a service but not create that role or edit it, then you need to provide “Bob”, with the PassRole permissions.

*PassRole

Is a method inside AWS which gives you the ability to implement role separation, and it’s something which you can also use with service-linked roles.

-The ability to pass an existing role into a service. It means that “Bob” could configure a service with a role which is already being created by a member of the security team. He would just need the “ListRole” and “PassRole” permissions on that specific role.

-Some AWS services allow you to pass an existing role to the service, instead of creating a new service-linked role. To do this, a user must have permissions to pass the role to the service.

ListRoles = allows the entity to view a list of roles from which they can choose the role to pass.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

AWS Organizations

A

Is a product which allows larger business to manage multiple AWS accounts in a cost-effective way.

-Without AWS Organizations, many large businesses would face a situation where they need to manage many AWS accounts. Without it, these accounts would each have their own pool of IAM users as well as separate payment methods.

A standard AWS account = Not within an organization.

With an standard AWS account you create an AWS Organization, the organization isn’t created IN the account, you’re just using the account to create the organization. This standard AWS account then becomes the Management Account for the organization (Previously Master).

*You can invite other existing standard AWS accounts into the organization, and they’ll need to aprove the invite.

When Standard AWS accounts join the organization then they change from being Standard to beign Member accounts of that organization.

*You can create a structure of AWS accounts within an organization.

This is useful if you have lots of accounts and you need to group them by things such as business units, function, or even development stage of an application.

The structure within AWS Organizations is hierarchical, so it’s an inverted tree, at the top of this tree is the root container of the organization.

Root container = A container within an AWS Organization, which can contain AWS accounts, and this means Member accounts or the Management account. It can also contain other containers, and these are known as organizational units (OUs), and these can contain AWS accounts or other OUs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Important features of AWS Organizations:

A

*Consolidated Billing

A single monthly bill of all of the accounts within AWS Organization.

Payer Account = Is the AWS account which contains the payment method for the organization. (Management/Master)

*Consolidations of reservations and volume discounts

With AWS, certain services get cheaper the more usage you have, and for certain services you can pay in advance in exchange for cheaper rates.

When using Organizations these benefits are pooled, and so the organization can benefit as a whole for the spending of each of the AWS accounts within the organization.

*Service Control Policies (SCPs)

Lets you restrict what AWS accounts within the organization can do.

17
Q

Concepts of Organizations

A

*You can create new accounts directly within it.

All you need is a valid unique email address and AWS will handle the rest. Also will create a role which that account can be role switches into, by other accounts within the organization. If your inviting another account, you’ll have to do it manually.

*With Organizations, you don’t need to have IAM Users inside every single AWS account.

Instead, IAM Roles can be used to allow IAM Users to access other AWS accounts.

A best practice is that you have a single account which is used to log into. Larger enterprises will often keep the Management Account of the organization clean and have a separate account dedicated to handle logins, they might also have their own existing identity system, and they might want to use those existing identities and use Identity Federation to access this single identity account.

So you can either have your own internal AWS identities using IAM you can configure AWS to allow Identity Federation, so your on-premises identities can be used to access this designated login account. From then, we can use these accounts and use a feature called “Role Switch” and we can role switch from this account into other Member accounts of the organization. (Behind the scene, this actually assumes roles in these other AWS account)

18
Q

Service Control Policies (SCPs)

A

SCPs are a feture of AWS Organizations which can be used to restrict AWS accounts.

It’s a policy document, so a JSON document, and these service control policies can be attached to the organization as a whole by attaching them to the root container, or they can be attached to one or more organizational units (OUs). Lastly, they can even be attached to individual AWS accounts.

SCPs inherit down the organizational tree, so this means, if they’re attached to the organization as a whole, so the root container of the organization, then they affect all of the accounts inside the organization. If they’re attached to an OU, then they impact all accounts directly inside that OU.

If you attach them directly to an account, they just affect that account.

*The Management Account it’s unaffected by any SCPs

The management account is special because even if the management account has service control policies attached, either directly via an OU, or on the root container of the organization itself, then the account is NEVER affected by SCPs.

As a security practice, because the management account can’t be restricted using service control policies, then generally in production, AVOID using the account for any AWS resources.

*SCP’s are account permission boundaries

They limit what the AWS account can do, including the account root user, within that account.

The Account Root User always has full permissions over that entire AWS account, but with a SCP, you’re actually restricting what the account itself can do, specifically any identities within that account. It will always have a 100% access to the account, but if you restrict the account, then in effect, you’re also restricting the Account Root User.

-You might apply a SCP to prevent any usage of that account outside a known region.
-You might apply a SCP to only allow a certain size of EC2 instance to be used within the account.

*They don’t grant any permissions

SCPs are just a boundary, they define the limit of what is and isn’t allowed, within the account, but they don’t grant permissions.

You still need to give identities within that AWS account, permissions to AWS resources, but any SCPs will limit the permissions.

19
Q

You can use SCPs in two ways:

A
  • Allow List = You can block by default, and allow certain services.

To implement allow lists, it’s a two-part architecture:

  • Remove the AWS full access policy = only the impicit default deny, is in place and active.
  • Then you would need to add any services which you want to allow into a new policy.

More secure, because you would have to explicitly say which services can be allowed access for users in those accounts, but it’s also much more admin overhead.

  • Deny List = You can allow by default, and block access to certain services. (Default)

When you enable SCPs on your organization, AWS apply a default policy, which is called full AWS access, and this is applied to the organization and all OUs within that organization. This policy means that in the default implementation, SCPs have no effect, since nothing is restricted.

  • SCPs don’t grant permissions, but when SCPs are enabled, there is an implicit default deny, just like IAM policies.
  • SCP establish which permissions can be granted in an account.

*Only permissions which are allowed within identity policies in the account and are allowed by a service control policy (SCP), are actually active.

20
Q

CloudWatch Logs

A

Is a Public Service, the endpoint which applications connect to, is hosted in the AWS Public Zone, which means you can use the product within AWS VPCs, on-premises environments or even other cloud environments (assuming you have network connectivity as well as AWS permissions).

  • Allows you to store, monitor and access logging data.

Logging data is a piece of information data, and a timestamp (year-month-day-hour-minute-second-timezone)

-Built in integrations with many AWS services: EC2, VPC Flow Logs, Lambda, CloudTrail, R53 and more.

Any service which integrate with CloudWatch Logs can store data directly inside the product and the security for this, is generally provided by using IAM roles or service roles.

-For anything outside AWS or for logging custom application or OS logs on EC2 for example, you can use the unified CloudWatch agent.

-Capable of taking logging data and generating a metric from it ~ known as metric filter.

21
Q

CloudWatch Architecture

A

-It’s a regional service

Logging sources = AWS products and services, mobile or server-based applications, external compute services, so virtual or physical servers, databases, or even external API’s.

These sources inject data into CloudWatch Logs as “Logs Events”.

-Log Events have a timestamp and a message block
-CloudWatch Logs treats this message as a raw block of data.

Logs Events are stored inside “Log Streams”

Log Streams = A sequence of log events from the same source

-Each Log Stream represent VAR log messages from one source.
-Each Log Stream is an ordered set of Log Events for a specific source for a specific thing.

Log Groups = Are containers for multiple Log Streams, for the same type of logging.

-We would have one Log Group, containing everything for VAR log messages.

-Inside this Log Group would be lots of different Log Streams and each Log Stream woud represent one source.

-Log Groups is also the place that stores configurations settings, so it’s on the log group where we define things like retention settings and permissions. When we define these settings on a Log Group, they obviously apply to all Log Streams inside that Log Group.

-Also where metric filters are defined. These metric filters are constantly reviewing any Log Event for any Log Streams in that Log Group, looking for certain patterns, maybe an application error code, or a failed SSH login. When detected, these metric filters increment a metric, and metrics can have associated alarms, and these alarms can be used to either notify administrators or to integrate with AWS or external system to take action.

22
Q

CloudTrail Essentials

A

Is a product which logs API actions which affect AWS accounts.

If you stop an instance, if you change a security group, if you create or delete an S3 bucket, that’s logged by CloudTrail. Almost everthing which can be done to an AWS account is logged by this product.

-It’s a regional service.

-Logs API calls/activities as a CloudTrail Event.

CloudTrail Event = Is a record of an activity in an AWS account, this activity can be an action taken by a user, a role or a service.

-By default, stores the last 90 days of CloudTrail Events in the CloudTrail Event History.

-Enabled by default - no cost for 90 days history,

-To customize CloudTrail beyond the 90-days Event History, you need to create a trail.

23
Q

CloudTrail Event can be 1 of 3 different types:

A

-Management Events = Provide information about management operations that are performed on resources in your AWS accounts. These are known as control plane operators, for example, creating or terminating a EC2 instance, creating a VPC.

-Data Events = Contain information about resource operations performed on or in a resource, for example, objects being uploaded to S3 or object being accessed from S3, or when a Lambda function is being invoked.

–By default CloudTrail only logs Management Events, because Data Events are often higher volume.

-Insight Events = Identify unusual activity, errors, or user behavior in your account.

24
Q

CloudTrail Trail

A

Is the unit of configuration within the CloudTrail product. It’s a way you provide configutaion to CloudTrail on how to operate.

-A trail logs events for the AWS Region that’s it’s created in.

When you create a trail, it can be configured to operate in one of two ways:

-You can create a trail which is a one-region trail, or can be set to all regions.

–A single-region trail is only ever in the region that’s it’s created in, and it only logs events for that region.
– An all-region trail, you can think of as a collection of trails in every AWS region, but it’s managed as one logical trail.
–Most services log events on the region that they were created.

A small number of services log events globally to one region, so global services such as IAM, STS or CloudFront, these services are very globally-focused services, and they always log their events to US East-1.

Now, these type of events are called “global service events” and a trail needs to have this enabled in order to log these events.

-This feature is normally enabled by default, if you create a trail inside the user interface.

AWS are largely split up into “Regional Services” and “Global Services”, so when these types of services log to CloudTrail, they either log in the region that the event is generated in, or they log to US East-1.

-Once you’ve got a trail created, Management Events and Data Events (if you enable it, not enabled by default) are all captured by the trail.

-A trail by default can store the events in a defineable S3 bucket, and the logs which are generated and stored in an S3 bucket, can be stored there indefinitely. (Only charged for the storage that’s used in S3)

These logs are stored as a set of compressed JSON log files, so they consume hardly any space, but since they’re JSON formatted, they are able to be passed by any tooling capable of reading these standard format files.

-Can be integrated with CloudWatch Logs and the data can be stored into that product.

Once it’s in CloudWatch Logs, you can use that product to search through it, or using a metric filter to take advantage of the data that’s put into.

-You can now create an organizational trail.

This means if you create this trail, from the management account of an organization, it can store all of the information for all the accounts inside that organization. So, it’s a single management point for all API and account events across every account.

25
Q

Important elements of CloudTrail

A

-Enabled by default on AWS accounts, but only for 90-days event history and no S3, unless you configure a trail.

-Trails are how you you can take the data that CloudTrail’s got access to, and store it in better places, such as S3 and CWLogs.

-Stores Management Events only by default

-Data Events need to be specifically enabled and they come at an extra cost.

-IAM, STS, CloudFront => They log their data as “Global Service Events”, which gets logged to US-East1, and a trail will need to be enabled to capture that data.

-NOT REALTIME LOGGING ~ There is a delay, it delivers logs within 15 minutes of the account activity occurring.

26
Q

AWS Control Tower

A

-Allow for a quick and easy setup of multi-account evironments

-Orchestrates other AWS services to provide this functionality.

-Uses Organizations, IAM Identity Center, CloudFormation, Config and more…

You can think of Control Tower as another evolution of AWS Organizations, adding significantly more features, intelligence, and automation.

-Landing Zone - multi-account environment part of Control Tower.

This is what most people will be interacting with when they think of Control Tower.

-It provides via other AWS services, Single-Sign-on (SSO)/ID Federation, Centralised Logging & Auditing (uses a combination of CloudWatch, CloudTrail, AWS Config and SNS).

-Guard Rails - Detect/Mandate rules/standards across all accounts within the Landing Zone.

-Account Factory - Automates and Standardises new account creation.

-Dashboard - offers a single page oversight of the entire environment.

27
Q

Control Tower Architecture

A

-Control Tower is something you create from within an AWS account, and this account becomes the management account at the Landing Zone.

Within the management account, we have Control Tower itself, which orchestrates everything. We have AWS Organizations, which provides the multi-account structure, so organizational units and service control policies. Then we have Single Sign-On provided by the IAM Identity Center, historically known as AWS SSO, which means we can use the same set of internal or federated identities to access everything in the Landing Zone that we have permissions to.

When Control Tower is first set up, it creates two organizational units:

-Foundational OU (By default called “Security”)

Within this OU, Control Tower creates two AWS accounts:

–The Audit Account = Is for users which need access to the audit information made available by Control Tower. You can also use this account as a location for any third-party tools to perform auditing of your environment. (SNS & CloudWatch)

–The Log Archive Account = Is for users that need access to all logging information for all of your enrolled accounts within the Landing Zone (AWS Config & CloudTrail Logs). You have to explicitly grant access to this account, and it offers a secure, read-only Archive account for logging.

-Custom OU (By default called “Sandbox”)

It’s at this point where Control Tower, brings the concept of an Account Factory. Think of this as a team of robots who are creating, modifying, or deleting AWS accounts as your business needs them. This could be interacted from the Control Tower console or via the Service Catalog.

Within this OU, Account Factory will create AWS accounts in a fully automated way as many of them as you need. The configuration of these accounts is handled by Account Factory. So, from an account and networking perspective, you have a baseline configurations applied, and this ensures a consistent configuration across all AWS accounts within your Landing Zone.

Control Tower utilizes CloudFormation, under the covers, to implement much of this automation, so expect to see stacks created by the product within your environment.

Also uses both AWS Config and Service Control Policies (SCP), to implement account Guardrails, and these detect drifts away from governance standards, or prevent those drifts occurring in the first place.

28
Q

Landing Zone

A

-Allow anyone to implement Well Architected multi-account environment - Home Region.

Home Region is the region that you initially deploy the product into. You can explicitly allow or deny the usage of other AWS regions, but the home region, is always available.

-Is built using AWS Organizations, AWS Config, CloudFormation and much more.

-Security OU - Log Archive & Audit Accounts (CloudTrail & Config Logs).

-Sandbox OU - Test/less rigid security.

-You can create other OU’s and Accounts.

-Utilizes the IAM Identity Center (AWS SSO) - To provide SSO, multiple-accounts, ID Federation, which means that you can use your existing identity stores to access all of these different AWS accounts.

-Provides monitoring and notifications - CloudWatch & SNS

-Allow End User account provisioning within the Landing Zone using Service Catalog.

29
Q

GuardRails

A

-GuardRails are rules - multi-account governance

GuardRails come in three different types:

-Mandatory (always applied), Strongly Recommended (by AWS) or Elective, which can be used to implement fairly niche requirements,

GuardRails function in two different ways:

-Preventative - Stop you doing things within you AWS accounts in your Landing Zone, implemented using Service Control Policies (AWS ORG SCP).

This type of GuardRails are either enforced or not enabled, and if they’re enforced, it means that any actions defined by that guardrail are prevented from occurring within any of your AWS accounts. For example, to allow or deny usage of AWS regions, or to disallow bucket policy changes, within inside your Landing Zone.

-Detective - compliance checks, this uses AWS Config Rules and allows you to check that the configuration of a given thing within an AWS account matches what you define as best practice.

This type of GuardRails are either clear, in violation or not enabled. For example, a detective guardrail to detect whether CloudTrail is enabled within a AWS account or whether any EC2 instances have public IPv4 addresses associated with those instances.

Preventative Guardrails will stop things occurring and Detective Guardrails will only identity those things.

30
Q

Account Factory

A

-Allows automated account provisioning, and this can be done by either, cloud admins or end users (with appropiate permissions).

-Includes the application of Guardrails.

-Account admin given to a named user (IAM Identity Center)

Because these accounts can be provisioned by end users (members of your organization), then either these members or anyone that you define can be given admin permissions on an AWS account which is automatically provisioned.

So you can allow any member of your organization, within tightly controlled parameters to be able to provision accounts for any purpose, which you define OK, and that person will be given admin rights over that AWS account.

-Account & network standard configuration. For example, the IP addressing used by VPCs, within the accounts which could be automatically configured to avoid things like addressing overlap.

-Allows accounts to be closed or repurposed, and this process can be tightly integrated, with a businesses SDLC or Software Development Life Cycle.