Organizations Flashcards
Structure and Accounts
Best Practice for security in Orgs?
Create all IAM users in one dedicated identity account that holds no other resources, and assume cross-account roles from there into every other account.
Structure and Accounts
So what’s the OU at the top of the tree?
Trick question. Technically, none. The “Organization Root” is the top container. OUs are below this.
Structure and Accounts
Best practice: what should you create in the Management account?
Nothing – it’s too powerful and can affect the whole tree.
Roles and Users
Best practice for users in an Org?
Federate from the on-prem identity provider into one identity account; that account holds the users/roles, and cross-account roles lead from it into every other account.
SCPs
What’s a Service Control Policy?
A policy attached to the Organization Root, an OU or an account. It sets the maximum permissions available to every account underneath; it limits what can be granted in those accounts but never grants anything itself.
SCPs
Where else are SCPs?
Nowhere. This is a feature of Organizations.
SCPs
Where can you attach SCPs?
Entire Org, one OU (and subtree), one account
SCPs
What do SCPs apply to?
The account it is attached to, or every account under the OU it is attached to (nested OUs included); never the Management account.
SCPs
Can an SCP restrict a root user in an AWS account.
YES. SCPs bound what the /account/ can do, so every identity in a member account, root user included, is under them (AWS documents a handful of root-only tasks that SCPs cannot restrict, but the general rule is that root is not exempt).
SCPs
SCP grants a permission, Session and identity don’t deny it. What happens?
Trick! SCPs don’t grant anything, they set the boundary of what is allowed to be granted.
SCPs
Can SCPs at multiple levels of the OU tree exist?
Yes: they inherit DOWN the tree. An action is inside the boundary only if an SCP at every level on the path (root, each OU, the account) allows it and no SCP at any level denies it; a Deny anywhere on the path wins.
SCPs
Why generally don’t we create resources in the Management account?
Because SCPs don't apply to it, so nothing in Organizations can bound what identities in that account can do.
SCPs
Example of SCPs?
Can't deploy in any region other than us-east-1; allowlist only certain EC2 instance types.
SCPs
What is the default SCP before you add anything of your own?
The AWS-managed FullAWSAccess SCP, attached to the root and to every new OU and account: Allow * on * (not granting anything, just setting the limit to "no limits").
SCPs
How do you create a SCP to only allow us-east-1?
Default is allow all, so leave FullAWSAccess in place and add a Deny for every request whose aws:RequestedRegion is not us-east-1. Remember to exempt the global services you rely on (IAM, STS, Organizations, Route 53, CloudFront, Support, etc.) or the deny will also block them.
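To tie the last few cards together (SCPs never grant, an Allow must exist at every level of the tree, a Deny anywhere wins, and the us-east-1 restriction), here is an added example that is not part of the original deck: the region-restriction SCP written as the JSON you would attach, plus a small evaluator that applies the SCP path from root to account and then the identity policy to a request. The evaluator is a deliberately simplified model (it ignores Resource and models only the aws:RequestedRegion string conditions), and the list of global services exempted via NotAction is an assumption for illustration; tune it to the global services your accounts actually use.

```python
import fnmatch
import json

# Region-restriction SCP written as the JSON you would attach in the console.
# The global services exempted via NotAction are an assumption for this example.
REGION_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyEverythingOutsideUsEast1",
    "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*",
                  "cloudfront:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}
  }]
}
""")

# The managed SCP attached everywhere by default: it allows all and grants nothing.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action, region):
    """True if the statement's Action/NotAction and Condition match the request.
    Resource is ignored (every policy here uses "*") and only the
    aws:RequestedRegion string operators are modelled."""
    if "Action" in stmt:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            if key != "aws:RequestedRegion" or operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(f"{operator}/{key} is not modelled in this example")
            wanted = _as_list(wanted)
            if operator == "StringEquals" and region not in wanted:
                return False
            if operator == "StringNotEquals" and region in wanted:
                return False
    return True


def policy_decision(policy, action, region):
    """'deny' if a matching statement denies, 'allow' if one allows, else 'implicit_deny'."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, region)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "implicit_deny"


def is_allowed(scp_path, identity_policy, action, region):
    """scp_path is the list of SCP sets on the path root -> OU(s) -> account.

    The request is inside the SCP boundary only if, at every level, no attached
    SCP denies it and at least one attached SCP allows it (a missing Allow at any
    level is as good as a Deny). Being inside the boundary grants nothing: the
    identity policy must still allow the action."""
    for scps_at_level in scp_path:
        decisions = [policy_decision(p, action, region) for p in scps_at_level]
        if "deny" in decisions or "allow" not in decisions:
            return False
    return policy_decision(identity_policy, action, region) == "allow"


# Constructed sample tree: root -> "Workloads" OU (region SCP added) -> account.
SCP_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, REGION_SCP], [FULL_AWS_ACCESS]]
ADMIN_USER = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_PERMISSIONS = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    checks = [
        ("admin, ec2:RunInstances in us-east-1", SCP_PATH, ADMIN_USER, "ec2:RunInstances", "us-east-1"),
        ("admin, ec2:RunInstances in eu-west-1", SCP_PATH, ADMIN_USER, "ec2:RunInstances", "eu-west-1"),
        ("admin, iam:CreateUser (exempt global service)", SCP_PATH, ADMIN_USER, "iam:CreateUser", "us-west-2"),
        ("no identity policy, us-east-1", SCP_PATH, NO_PERMISSIONS, "ec2:RunInstances", "us-east-1"),
        ("FullAWSAccess detached from the OU", [[FULL_AWS_ACCESS], [REGION_SCP], [FULL_AWS_ACCESS]],
         ADMIN_USER, "ec2:RunInstances", "us-east-1"),
    ]
    for label, *args in checks:
        print(f"{label}: {'ALLOWED' if is_allowed(*args) else 'DENIED'}")
```

The last two checks are the ones that catch people: an account whose SCPs allow everything still cannot do anything without an identity policy, and detaching FullAWSAccess from the OU while adding a deny-list SCP blocks every action at that level because no Allow remains there.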