Management & Governance - AWS Organization Flashcards
Purpose
Central governance and management across AWS accounts
Use Case
You can consolidate multiple AWS accounts into an organization that you create and centrally manage, and simplify billing by using a single payment method for all of your accounts.
Access
AWS Management Console; you can also use the AWS CLI (for command-line access) or the SDKs to perform the same steps to create a new organization.
Availability
AWS Organizations is available in all AWS commercial regions, AWS GovCloud (US) regions, and China regions. The service endpoints for AWS Organizations are located in US East (N. Virginia) for commercial organizations, AWS GovCloud (US-West) for AWS GovCloud (US) organizations, and the AWS China (Ningxia) region, operated by NWCD.
Billing
The owner of the management account is responsible for paying for all usage, data, and resources used by the accounts in the organization.
Competition
AWS Control Tower. AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying service to organize accounts and implements preventive guardrails using SCPs.
What is an organization
An organization is a collection of AWS accounts that you can organize into a hierarchy and manage centrally.
What is an OU?
An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.
What is a Service Control Policy?
Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs allow you to control which AWS service actions are accessible to principals (account root, IAM users, and IAM roles) in the accounts of your organization.
What does an SCP look like?
SCPs follow the same rules and grammar as IAM policies. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["EC2:*", "S3:*"],
      "Resource": "*"
    }
  ]
}
SCP recommendations?
AWS strongly recommends that you don’t attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts.