Organizations Flashcards

1
Q

Structure and Accounts

Best Practice for security in Orgs?

A

Create all IAM users in one account with no other resources; assume roles into other accounts.

2
Q

Structure and Accounts

So what’s the OU at the top of the tree?

A

Trick question. Technically, none. The “Organization Root” is the top container. OUs are below this.

3
Q

Structure and Accounts

Best practice: what should you create in the Management account?

A

Nothing – it’s too powerful and can affect the whole tree.

4
Q

Roles and Users

Best practice for users in an Org?

A

Federate from on-prem into one account; that account holds the users/roles, and cross-account roles reach all other accounts.

5
Q

SCPs

What’s a Service Control Policy?

A

A policy on an OU or account that limits everything in that OU or account.

6
Q

SCPs

Where else are SCPs?

A

Nowhere. This is a feature of Organizations.

7
Q

SCPs

Where can you attach SCPs?

A

Entire Org, one OU (and subtree), one account

8
Q

SCPs

What do SCPs apply to?

A

The account they are attached to, or all accounts in the OU; never the Management account.

9
Q

SCPs

Can an SCP restrict a root user in an AWS account?

A

Yes. SCPs control what the account itself can do; all identities, including the root user, fall under this.

10
Q

SCPs

An SCP grants a permission, and the session and identity policies don’t deny it. What happens?

A

Trick! SCPs don’t grant anything, they set the boundary of what is allowed to be granted.

11
Q

SCPs

Can SCPs at multiple levels of the OU tree exist?

A

Yes; they inherit DOWN the tree.

12
Q

SCPs

Why do we generally not create resources in the Management account?

A

It can’t be controlled by SCPs.

13
Q

SCPs

Examples of SCPs?

A

Can’t deploy in any region other than us-east-1; allowlist only certain EC2 instance types.

14
Q

SCPs

What is the default SCP before you add anything of your own?

A

Full access to everything (not granting anything, just setting the limits to “no limits”).

15
Q

SCPs

How do you create an SCP to only allow us-east-1?

A

Default is allow all, so create a deny for all regions other than us-east-1.

16
Q

SCPs

How do you use SCPs to set up an Allowlist structure?

A

Delete the default FullAWSAccess SCP, resulting in “Implicit Deny”. Add specific SCPs to allow.

17
Q

SCPs

How do you set up a denylist structure in SCPs?

A

Remove the default FullAWSAccess, leaving “implicit deny” in place.

18
Q

SCPs

Which is lower admin overhead: allowlist or denylist?

A

Denylist: as new services are added to AWS, they are allowed by default.

19
Q

SCPs

Can an account view the SCPs applied to it?

A

Yup!