Section 18 - Account Management, Billing & Support Flashcards
With AWS Organizations, the main account is called the master account and all of the other accounts are called
Grogu accounts
Smaller accounts
Child accounts
Bastard stepchildren accounts
child accounts
All of the following are cost benefits of AWS Organizations (choose three)
A - Aggregate costs (volume discounts offered for services for combined accounts)
B - Consolidated bill (one bill to cover the multiple accounts)
C - Annual discount (only charged for 10.5 months)
D - Reserved Instance resource can be shared amongst accounts (pooling of EC2 reserved instances for optimal savings)
E - Discount on RDS and DynamoDB services
A, B, & D
AWS Organizations can restrict account privileges using:
Service Command Protocol (SCP)
Service Control Policy (SCP)
Service Planning Cannery (SPC)
Account Control (AC)
Service Control Policy
With AWS Organizations, ___ is available to automate account creation:
API
Cheap labor
JSON scripting
Account Creation Tool (ACT)
API
AWS Organizations - two strategies for multiple accounts are (choose two)
One account with multiple VPCs
Rotating accounts
Slingshot account maneuvers
Multiple accounts
one account with multiple VPCs
multiple accounts
AWS multi account strategy (choose two)
enable CloudTrail on just the main account and send logs to central S3 account
send CloudWatch logs to all accounts
send CloudWatch logs to central account
enable CloudTrail on all accounts and send logs to the central S3 account
send CloudWatch logs to the central account
enable CloudTrail on all accounts and send logs to S3 on just the central account
True or False - When using AWS Organizations, you can nest OUs inside of other OUs
True
True or False:
Service Control Policies can be used to whitelist or blacklist IAM actions
true
Service Control Policy (SCP) can be applied at the following levels (choose two)
Bottom
Account
OU
Top
Account, OU
Service Control Policy is applied to:
Only the root user
Only the non root users and some roles
all the Users and Roles (including Root)
all the kings horses and all the kings men
all the Users and Roles (including Root)
SCP (Service Control Policy) (does/does not) affect service-linked roles
does not
Service-linked roles:
enable other AWS services to integrate with AWS Organizations
enable other AWS roles to integrate with bagels and butter
prevent other AWS services from integrating with AWS Organizations
are made of chain metal
enable other AWS services to integrate with AWS Organizations
SCP (Service Control Policy) (does/does not) apply to the Master Account
does not
What is a typical use case for SCP (Service Control Policy) - choose two
Enforce PCI compliance by explicitly disabling services
allow access to all services
restrict access to certain services (for example, can’t use EMR)
restrict access to accessing restrictions
enforce PCI compliance by explicitly disabling services
restrict access to certain services (for example, can’t use EMR)
With Service Control Policy, how many levels of OUs can be created
three
five
two
ten
five
Deny List
Allow List
A - Most restrictive: actions are prohibited by default, and you specify what services and actions are allowed
B - Default setting: actions are allowed by default, and you specify what services and actions are prohibited
Deny - B
Allow - A
Service Control Policies (SCP) apply
apply to internal users and roles and external users
apply to external users only
apply to external users and internal users named Fred
apply to internal users only, not to external users
apply to internal users only, not to external users
By default, AWS Organizations attaches an AWS managed policy called ____ to all roots, OUs, and accounts.
ManagedAll
FullAWSAccess
AWSAccess
ManagedAWSAccess
FullAWSAccess
The _______ deny is when the administrator has selected the Deny option for a permission for a user or group. This Deny takes precedence over all allowed settings
Example: If the administrator has set the Deny Read option on an object for a group, all members of that group are not able to read the object. If the administrator adds a user and gives them the Allow Read permission, if that user is a member of that group, they still are not able to read the object.
Implicit
Implied
Declined
Explicit
Explicit
An _____ deny is when a user or group is not granted a specific permission in the security settings of an object, but is not explicitly denied either.
Granting permission to an object is done by the administrator adding the user or group to the object’s Access Control List (ACL) and selecting the Allow option for the Read, Modify or Delete permissions. If the administrator does not add the user or group to the object or doesn’t select the Allow or Deny options for any of the permissions, the user or group is ____ denied the permission to the object.
If you have the Management group with Read permission to a file but you want to allow one user in the Management group to Modify the file, you can add the individual user to the file's permissions and select the Allow option for the Modify permission. Using this method allows the individual user to modify the file even though the group they are in only has the Read permission. An _____ deny only denies a permission until the user or group is allowed to perform the permission.
Implicit
Implied
Declined
Explicit
implicit
Two benefits of Consolidated Billing (choose two)
combined usage (combine usage across all AWS accounts in the AWS Organization to share volume pricing, Reserved Instances, and Savings Plan discounts)
You get a 30% discount on the total bill
You get a 5% discount on the total bill
You get one bill for all AWS Accounts in the AWS Organization
combined usage (combine usage across all AWS accounts in the AWS Organization to share volume pricing, Reserved Instances, and Savings Plan discounts)
You get one bill for all AWS Accounts in the AWS Organization
True or False
The management account can turn off Reserved Instances discount sharing for any account in the AWS Organization, including itself.
True
An easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
AWS Multi
AWS Organizations
AWS Control Tower
AWS MultiAccount
AWS Control Tower
Just fyi - no question involved on this
AWS Control Tower benefits
- automate the set up of your environment in a few clicks
- automate ongoing policy management using guardrails
- detect policy violations and remediate them
- monitor compliance through an interactive dashboard
n/a
Lets you centrally manage your cloud resources to achieve governance at scale of your infrastructure as code (IaC) templates, written in CloudFormation or Terraform. With this service, you can meet your compliance requirements while making sure your customers can quickly deploy the cloud resources they need.
AWS Configure
AWS Monitor
AWS Service Catalog
AWS Guardrail
AWS Service Catalog
Four different pricing models:
1 - Pay as you go
2 - Save when you reserve
3 - Pay less using more
4 - Pay less as AWS grows
A - volume based discounts
B - pay for what you use, remain agile, responsive, meet scale demands
C - minimize risks, predictably manage budgets, comply with long-term requirements
D - nothing to say here lol
1 - B
2 - C
3 - A
4 - D
Reservations are available for (no correlating question)
EC2 Reserved Instances
DynamoDB Reserved Capacity
ElastiCache Reserved Nodes
RDS Reserved Instance
Redshift Reserved Nodes
n/a
Free services where you don’t pay for the service but rather, for the resources created by the services (choose three)
Elastic Beanstalk
EC2
CloudFormation
IAM
Auto Scaling Group
VPC
Elastic Beanstalk
CloudFormation
Auto Scaling Group
Two examples of free tier service:
EC2 large instance
S3, EBS, ELB, AWS Data transfer (up to a certain amount)
VPC
EC2 micro instance
S3, EBS, ELB, AWS Data transfer (up to a certain amount)
EC2 micro instance
On-demand instances have a minimum runtime of
1 second
10 seconds
6 seconds
60 seconds
60 seconds
On-demand instances of Windows/Linux are charged
per every second
per every minute
per every hour
per every last breath of your dying body
per every second
On-demand instances that are not Windows/Linux are charged
per every second
per every minute
per every hour
per every last breath of your dying body
Reserved instances require a commitment of either (choose two)
one year
one week
three months
three years
one year
three years
How much discount is offered on Reserved Instances in comparison to on-demand
10%
33%
75%
25%
75%
How much discount is offered on Spot Instances in comparison to on-demand
90%
33%
75%
25%
90%
This type of instance is where you bid for the instance and could lose the instance should you be outbid by someone offering a higher price.
Reserved Instance
Bid Instance
Blink instance
Spot instance
Spot
Dedicated Host instances require a commitment of either (choose two)
one year
one week
three months
three years
one year
three years
This type of instance runs on hardware dedicated to you
Your Instance
Just4You Instance
Sole instance
Dedicated Host
Dedicated host
This type of instance allows you to use your existing per-socket or per-VM software license
Dedicated Host
Reserved Instance
Spot Instance
Savings Instance
Dedicated host
Dedicated host uses what type of billing (choose two)
Annual costs
Monthly
On-demand
Reserved for 1 or 3 years
on-demand
reserved for 1 or 3 years
Can both be used to launch EC2 instances onto physical servers that are dedicated for your use (choose two)
Dedication Mode
Dedicated Hosts
Dedicated Instances
Dedicated Nodes
Dedicated Hosts
Dedicated Instances
What are the pay factors for Lambda? (choose TWO)
Per API call
Per duration
Per duration x amount of RAM utilized
Per RAM utilized
per API call
per duration x amount of RAM utilized