Section 5: AWS Organizations

Question 1

AWS Organizations

Answer 1

• collect, organize, and manage multiple AWS accounts.
• useful to create AWS accounts (enables to create one organization for many AWS accounts).
• ability to have a single bill called consolidated billing.
• manage accounts and provide governance across AWS accounts.
• includes root account and organizational units (OU).
• Can create accounts programmatically using the Organizations API.
• Can also use AWS SSO using an on-premises directory (e.g. Active Directory).
• Enablememr if CloudTrail in a management account and apply to members (centralized control of setting up API auditing, useful for compliance).

Lesson 77, 78 (last 3 bullets)

Question 2

Service Control Policies (SCPs)

Answer 2

• JSON policies to control the permissions available in an account.
• Controls tagging and what API actions are allowed in given account (can control the maximum available permissions within the account).
• SCPs are inherited by children OUs (e.g. SCP for parent Dev OU is inherited by child Prod OU).
• SCPs do not grant ANY permissions, they control the AVAILABLE permissions.
• SCPs cannot affect the root user in the management account.

EXAM CRAM
- Manage the maximum available permissions.
- Must have All Features enabled in Organization.
- Can be applied to accounts or OUs.
- Policies can be applied at different points in the hierarchy .
- SCPs affect only IAM Users and Roles - NOT resource policies.
- SCPs affect the root account in member accounts.
- SCPs do not affect any action performed by the management account.
- Deny list strategy:
(1) Uses the FullAWSAccess SCP.
(2) Attached to every OU and account.
(3) Overrides the implicit deny.
(4) Explicitly allows all permissions to flow down from the root.
(5) Create additional SCPs to explicitly deny permissions.
- Allow list strategy:
(1) FullAWSAccess is removed.
(2) No APIs are permitted anywhere unless you explicitly allow them.
(3) Create SCPs to allow permissions.
(4) SCPs must be attached to target account and every OU above it including root.

Lesson 78 (2nd bullet) and 80 (top bullet and 3 and 4 bullets) and 82 (last bullet, last 15 seconds) and 84 (very bottom bullets)

Question 3

Main (Management/Master/Root) Account

Answer 3

Called the managememt account. Top of the hierarchy and connect other accounts to it by creating an organization in that Main/Management/Master/Root account.

Lesson 78

Question 4

AWS Organziation Feature Sets - Two(2)

Answer 4

• **Consolidated Billing
• All Features

Also good for volume pricing discounts.

Lesson 78

Question 5

Consolidated Billing feature (1 of 2)

Answer 5

Ability to have a single bill in the main account (called the management account).

Lesson 78

Question 6

All features (2 of 2)

Answer 6

Additional features:
- Consolidated billing.
- Service Control Policy.
- Tag Policies.

Lesson 78

Question 7

Root account

Answer 7

Create organization and connect in other accounts.

Lesson 78

Question 8

Organizational Units (OUs)

Answer 8

Type of organizational container to group accounts. And can apply Service Control Policy and Tag Policy.

Lesson 78

Question 9

Policies (SCP and Tagging)

Answer 9

Applied to root accounts and OUs.

Lesson 78

Question 10

Consolidated Billing

Answer 10

Paying Account - independent and cannot access resources of other accounts.
Linked Accounts - all linked accounts are independent (essentially members within the organization).

• Single payment method for all the AWS accounts in the Organization.
• Combined view of charges incurred by all your accounts.
• Pricing benefits from aggregated usage.
• Limit of 20 linked accounts for consolidated billing (default).
• Can help with cost control through volume discounts.
• Unused reserve instances are applied across the group.
• Paying accounts should be used for billing purposes only.

Lesson 78 (top) and 84 (bullets below)

Question 11

AWS Control Tower

Answer 11

• An extension to AWS Organizations.
• Sits over the top of AWS Organizations and provides additional control.
• Create a Landing Zone, which is a well-architected multi-account baseline.
• As part of the Landing Zone, the AWS Control Tower will setup a series of OUs and accounts (Security, Sandbox, Production).
• Security OU = Audit and Log Archive accounts.
• Sandbox OU = empty by default, but can create e.g. DevTest account.
• Production OU - also empty by default, but can create e.g. Prod account.
• Integrates with AWS SSO. Directory source can be SSO, SAML 2.0 IdP or Microsoft AD.
• Creates a series of Preventive Guardrails to disallow API actions using SCPs (similar to managed policies within IAM; managed SCPs).
• Creates Detective Guardrails to detect configuration violations. Used for governance and compliance (implemented using AWS Lambda functions and AWS Config rules).
• The root user in the management account can perform actions that guardrails would disallow.

Lesson 82

Question 12

AWS Organizations - Migration

Answer 12

• Accounts can be migrated between organizations.
• You must have root or IAM access to both the member and management accounts.
• Use the AWS Organizations console if it’s just a few accounts.
• Or use the API or AWS CLI if there are many accounts to migrate.