AWS Organizations & Accounts Flashcards

Flashcards in AWS Organizations & Accounts Deck (45)
1
Q

Can I have more than one master account in an organization?

A

No. Each organization has exactly one master account (AWS now calls it the management account); it is the account that created the organization, and it cannot be removed from it.

2
Q

If I set a policy at the master account level, how is it applied to the other accounts in the organization?

A

A policy attached at the root is set at the highest point in the organizational structure, so it is inherited by every OU and account beneath it. Note that it restricts member accounts only: an SCP never limits the master account itself.

3
Q

What two feature sets (modes) can an organization operate in?

A
  • Consolidated billing (consolidated billing features only)
  • All Features

4
Q

Why would I use consolidated billing?

A
  • Usage is aggregated across all accounts, so you reach volume-discount tiers sooner
  • One bill for all accounts

5
Q

I have several accounts in my organization and want to log in to each of them easily, without logging out of the main organization account and without knowing each account's root user credentials. How can I do this?

A

When you create a member account from the organization you choose an IAM role name (the default is OrganizationAccountAccessRole). Organizations creates that role in the new account with AdministratorAccess permissions and a trust policy that trusts the master account, so an IAM principal in the master account that is allowed sts:AssumeRole on it can switch into the member account without any root credentials. Because the role is a full administrator, restrict who in the master account may assume it and require MFA.

6
Q

I am creating a new account in my organization and want it to have access to the S3 service only. How can I do this?

A

Attach a service control policy (SCP) to the account, or to the OU containing it, that allows only s3:* actions. Every other service is then implicitly denied for all principals in that account, including its root user.

7
Q

What is a service control policy?

A

An SCP is an organization-level policy that defines the maximum permissions available to the principals in a member account: it filters which services and actions can be used, but grants nothing by itself.

8
Q

Will a service control policy have any effect on a master account?

A

No. SCPs affect member accounts only; the master account is never restricted by them, which is a good reason to keep users and workloads out of it.

9
Q

Do service control policies grant you permission to use services?

A

No. To perform an action you need an Allow in both the SCPs that apply to the account and a normal IAM identity or resource policy; the SCP sets the boundary, the IAM policy grants the permission.

10
Q

What is a service limit in an AWS account?

A

It is a cap (now called a service quota) on a resource in an account, such as the number of Elastic IPs per region. Many quotas can be raised by requesting an increase through Service Quotas or AWS Support.

11
Q

I am designing a solution that gives users access to the AWS console. I will have 10,000 users; what is the best approach?

A

An AWS account is limited to 5,000 IAM users, so they cannot all be IAM users in one account. Use federation instead: an external identity provider (IdP) such as Active Directory with AD FS authenticates the users and issues SAML assertions, and each user assumes an IAM role rather than having an IAM user.

12
Q

In a multi-account approach for AWS, what is the publishing account used for?

A

It is the account where golden AMIs (and Service Catalog products) are built, stored and shared with the other accounts, so they are managed centrally.

13
Q

In a multi-account approach for AWS, what is the logging account used for?

A

It is the single account where the logs from every other account (CloudTrail, VPC Flow Logs and so on) are delivered and kept, so they are stored outside the accounts that produced them and cannot be tampered with by those accounts' users.

14
Q

In a multi-account approach for AWS, I need to set up IAM across the multiple accounts. How can I do this?

A

Create a role in each member account whose trust policy trusts the IAM (identity) account. In the identity account, manage your users in groups and give each group a policy that allows sts:AssumeRole on the roles in the accounts it needs; users then switch into the other accounts by assuming those roles.

15
Q

What organization account structure should you use to provide separation of concerns?

A

B.I.L.P

  • Billing (master billing account)
  • Identity account (central IAM account)
  • Logging account (all logs go into this account)
  • Publishing account (Service Catalog, EC2 AMIs)

16
Q

How should I arrange IAM for an Organization?

A

Use one separate account for identity management, with cross-account IAM roles in every other account (or federation from an external IdP), so that users and their credentials exist in one place only.
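
The two policy documents behind cards 5, 14 and 16, as an added example that is not part of this deck: the trust policy that goes on the role in each member account, the group policy in the identity account that lets users assume those roles, and a small audit routine for catching trust policies that are wider than intended. The account IDs, the role name and the MFA condition are assumptions for illustration (the MFA condition is an extra hardening step the deck does not mention).

```python
import json


def trust_policy(identity_account_id, require_mfa=True):
    """Trust policy for the cross-account role in a member account.  Trusting
    the identity account's root means that account's own IAM policies decide
    which of its users may assume the role.  The MFA condition is an assumed
    hardening step, not something the deck specifies."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids, role_name):
    """Policy for a group in the identity account: its members may assume
    role_name in each listed member account and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in member_account_ids],
        }],
    }


def trust_policy_findings(policy, expected_account_id):
    """Audit an existing role's trust policy and return human-readable findings
    for anything that lets a principal outside expected_account_id assume it."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = aws if isinstance(aws, list) else [aws]
        for p in aws:
            if not isinstance(p, str):
                continue
            if p == "*" or p.endswith("::*:root"):
                findings.append(f"statement {i}: principal {p!r} lets anyone assume the role")
            elif expected_account_id not in p:
                findings.append(f"statement {i}: trusts {p}, not account {expected_account_id}")
        if "Condition" not in stmt:
            findings.append(f"statement {i}: no Condition (consider requiring MFA or an ExternalId)")
    return findings


if __name__ == "__main__":
    # Placeholder account IDs: 111111111111 is the identity account.
    print(json.dumps(trust_policy("111111111111"), indent=2))
    print(json.dumps(assume_role_policy(["222222222222", "333333333333"],
                                        "OrganizationAccountAccessRole"), indent=2))
```

Once the role and group policy are in place, a user in the identity account switches accounts with `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/OrganizationAccountAccessRole --role-session-name audit` (or the console's Switch Role), and `trust_policy_findings` run over each account's roles flags any trust policy that has drifted to `"AWS": "*"` or to an unexpected account.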

17
Q

When using Organizations, how should we arrange the logs of each account?

A

Create one account for logging and feed the logs from all other accounts into it. For CloudTrail, create an organization trail from the master account (select "Enable for all accounts in my organization") that delivers to an S3 bucket owned by the logging account, optionally also to CloudWatch Logs. The trail is applied automatically to every existing and future member account, and member accounts cannot modify or delete it.

18
Q

I want my organization's logging account to capture VPC Flow Logs. What are my options?

A

Create flow logs on the VPCs in each account and publish them to CloudWatch Logs or to an S3 bucket. Publishing directly to an S3 bucket owned by the logging account is the simplest cross-account path; the bucket policy must allow the flow logs delivery service to write objects from the source accounts.

19
Q

I want to ensure that I have a centralized way to manage AMIs and Service Catalog products. What are my options?

A

Create a publishing account and use it for central management of AMIs (build them there and share them with the member accounts) or of Service Catalog portfolios (share the portfolio with the organization).

20
Q

What are the primary features of Organizations?

A
  • Account management
  • Consolidated billing
  • Policy-based management

21
Q

Are tags supported in Organizations?

A

Yes. The root, OUs, accounts and policies can be tagged, and tag policies standardise the tags used on resources across all accounts.

22
Q

What are the three key functions of an AWS account?

A
  • Authentication
  • Authorization
  • Billing

23
Q

When you create a new AWS account, what is the default user?

A
  • The root user (it has unrestricted access; protect it with MFA and do not use it for daily work)

24
Q

What are a principal, authentication and authorization?

A

Principal: the entity (user, role or application) that makes a request. Authentication: verifying that the principal is who it claims to be, by checking its credentials. Authorization: deciding whether the authenticated principal is permitted to perform the requested action on the resource.

25
Q

How can a principal authenticate with AWS?

A

A principal can use:

  • user name and password (console sign-in, ideally with MFA)
  • access keys (an access key ID and secret access key) for API and CLI calls, or temporary credentials obtained from STS

26
Q

What are the two stores provided by IAM?

A
  • Identity store (users, groups and roles)
  • Access store (the policies that say what those identities may do)

27
Q

Do service control policies give you access to services?

A

No. An SCP can only restrict what is possible in an account; it never grants access, so a matching Allow in an IAM policy is still required.

28
Q

Is the default of a service control policy a deny or allow?

A

Implicit deny: anything an SCP does not explicitly allow is denied, so an allow-list SCP must name every permitted service. Note that when SCPs are enabled AWS attaches the FullAWSAccess policy (Allow *) to the root and every OU, so nothing is restricted until you replace it or add deny statements.

29
Q

If there is an explicit Deny, and also an explicit Allow, will that Allow win and you will be able to use the service?

A

No. An explicit Deny always wins over an explicit Allow, whether the Deny is in an SCP or in an IAM policy.

30
Q

Why would you use Organizations?

A
  • Consolidated billing
  • Centralized account management
  • Tag policies
  • Hierarchical grouping of your accounts (OUs) to meet budgetary, security or compliance needs
  • A layer above IAM: SCPs control which services and actions are usable in a member account, and they apply even to that account's root user

31
Q

Developers are adding tags that are formatted differently from one developer to the next. I am using Organizations; how can I fix this?

A

Create a tag policy and attach it to the organization (root, OU or account). A tag policy defines the expected capitalisation of each tag key and the values it may take, and can be set to reject noncompliant tagging operations on selected resource types.

32
Q

Are you charged for tagging policies?

A

No

33
Q

Can I add tags to users and roles?

A

Yes. IAM users and roles can be tagged, and those tags can be referenced in policy conditions.

34
Q

Do most resources in AWS allow tags?

A

Yes, almost all AWS resources support tags.

35
Q

Developers have gone wild creating tags everywhere and in many different formats. How do I solve this? Explain the steps.

A
  • In Organizations, enable tag policies in the settings (the organization must be in All Features mode)
  • Create a tag policy in Organizations
  • Attach the tag policy to the root, an OU or individual accounts

36
Q

How can I enforce that resources are rejected if they are not tagged correctly?

A

Use a tag policy with enforcement enabled for the relevant resource types (the enforced_for setting); noncompliant tagging operations on those resources are then rejected. Note that a tag policy only judges tags that are present: it cannot require a tag to exist. To block creation of a resource with no tag at all, add an SCP that denies the create action when the tag is missing (an aws:RequestTag condition).

37
Q

I want to know which tags are not compliant. Is this possible?

A

Yes. Tag policies provide a compliance report that lists resources whose tags do not comply with the effective tag policy, per account and across the organization.
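
A worked version of cards 31 and 35 to 37, added here and not part of this deck: a tag policy in the Organizations tag policy syntax, a checker that reports the same two kinds of noncompliance the compliance report shows (wrong key capitalisation, value outside the allowed list) and tells whether enforcement would reject the operation, and the SCP that closes the remaining gap by refusing to launch an instance with no CostCenter tag at all. The tag key, values and resource types are constructed examples.

```python
# Tag policy: the CostCenter key must be capitalised exactly like this, only
# the listed values are compliant, and noncompliant tagging operations are
# rejected for the resource types under enforced_for.
TAG_POLICY = {
    "tags": {
        "costcenter": {
            "tag_key": {"@@assign": "CostCenter"},
            "tag_value": {"@@assign": ["100", "200"]},
            "enforced_for": {"@@assign": ["ec2:instance", "s3:bucket"]},
        }
    }
}

# SCP that denies RunInstances unless the request tags the instance with
# CostCenter.  A tag policy cannot require a tag to exist; this can.
REQUIRE_COSTCENTER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
    }],
}


def _assigned(node, default=None):
    """Read an @@assign value from a tag policy node."""
    return node.get("@@assign", default) if isinstance(node, dict) else default


def check_tags(policy, resource_type, tags):
    """Return a list of (message, enforced) for each noncompliant tag.  enforced
    is True when the tagging operation on this resource type would be rejected
    rather than only reported in the compliance report."""
    findings = []
    for entry in policy["tags"].values():
        wanted_key = _assigned(entry["tag_key"])
        allowed_values = _assigned(entry.get("tag_value"))
        enforced = resource_type in _assigned(entry.get("enforced_for"), [])
        for key, value in tags.items():
            if key.lower() != wanted_key.lower():
                continue            # a different tag, not governed by this entry
            if key != wanted_key:
                findings.append((f"key {key!r} must be written {wanted_key!r}", enforced))
            if allowed_values is not None and value not in allowed_values:
                findings.append((f"value {value!r} for {wanted_key} not in {allowed_values}", enforced))
    return findings


def tagging_rejected(policy, resource_type, tags):
    """True if the tag policy's enforcement would block this tagging operation."""
    return any(enforced for _, enforced in check_tags(policy, resource_type, tags))


def run_instances_denied(tags):
    """Evaluate the Null condition of REQUIRE_COSTCENTER_SCP for a RunInstances
    request that tags the instance with `tags`.  Null: "true" matches when the
    request has no such tag, which makes the Deny apply."""
    condition = REQUIRE_COSTCENTER_SCP["Statement"][0]["Condition"]["Null"]
    for key, must_be_absent in condition.items():
        tag_name = key.split("/", 1)[1]
        if must_be_absent == "true" and tag_name not in tags:
            return True
    return False


if __name__ == "__main__":
    print(check_tags(TAG_POLICY, "ec2:instance", {"costcenter": "300"}))
    print(tagging_rejected(TAG_POLICY, "rds:db", {"costcenter": "100"}))
    print(run_instances_denied({"Owner": "alice"}))
```

Two behaviours worth noticing: a miscapitalised `costcenter` on an RDS instance is reported but not rejected, because `rds:db` is not in `enforced_for`, and a request with no CostCenter tag at all passes the tag policy untouched and is stopped only by the SCP.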

38
Q

Is Organizations a regional service?

A

No, it is a global service, like IAM.

39
Q

Does Organizations operate on an eventually consistent model?

A

Yes. Like IAM, Organizations replicates its data across regions, so a change (attaching an SCP, for example) can take a short time before it is visible everywhere.

40
Q

What is the cost of Organizations?

A

No charge, like IAM

41
Q

Can you delete the organization? Explain.

A

Yes. First remove (or close) every member account, then delete the organization from the master account; the master account is removed in the process and becomes an ordinary standalone account.

42
Q

I want to monitor changes in my organization and receive an email when a change happens. How can I do this?

A

Create a CloudWatch Events (now EventBridge) rule in the master account that matches CloudTrail API call events (the "AWS API Call via CloudTrail" detail type) from the aws.organizations source, and set an SNS topic as the target; subscribe your email address to the topic.

43
Q

I want to monitor changes in my organization and have an entry put in DynamoDB for each change. How can I do this?

A

Use the same CloudWatch Events (EventBridge) rule matching Organizations API calls via CloudTrail, but with a Lambda function as the target; the function writes an item describing each event to DynamoDB.
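
The rule and the Lambda target from cards 42 and 43, as an added example that is not part of this deck: the EventBridge event pattern, a constructed sample of the event EventBridge delivers for an Organizations API call, and a handler that turns it into a DynamoDB item. The email path of card 42 needs no code (the rule targets an SNS topic directly). The table name, the TABLE_NAME environment variable and the partition key eventID are assumptions; the account ID, ARNs and IDs in the sample are placeholders.

```python
import json

# EventBridge (formerly CloudWatch Events) rule pattern: every Organizations
# API call that CloudTrail records.  Organizations is global and its CloudTrail
# events are recorded in us-east-1, so the rule belongs in that region of the
# management account.
EVENT_PATTERN = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
}

# Constructed sample in the shape EventBridge delivers a CloudTrail management
# event (fields trimmed; IDs, ARNs and addresses are placeholders).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.organizations",
    "account": "111111111111",
    "time": "2024-01-01T12:00:00Z",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "AttachPolicy",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"policyId": "p-examplepol", "targetId": "ou-exampleou"},
        "eventID": "11111111-2222-3333-4444-555555555555",
    },
}


def matches_pattern(event, pattern):
    """Minimal EventBridge matching for flat patterns: every key in the pattern
    must be present in the event with one of the listed values.  (Real
    patterns can also match inside "detail"; that is not modelled here.)"""
    return all(event.get(key) in values for key, values in pattern.items())


def item_from_event(event):
    """Flatten the CloudTrail record into a DynamoDB item keyed by the
    CloudTrail eventID, which is unique per API call, so a redelivered
    event overwrites rather than duplicates."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    return {
        "eventID": detail["eventID"],
        "eventTime": detail["eventTime"],
        "eventName": detail["eventName"],
        "actor": identity.get("arn", identity.get("type", "unknown")),
        "sourceIPAddress": detail.get("sourceIPAddress", "unknown"),
        "requestParameters": json.dumps(detail.get("requestParameters", {}),
                                        sort_keys=True),
    }


def handler(event, context):
    """Lambda entry point used as the rule's target.  Assumes the table name
    is in the TABLE_NAME environment variable (assumed name) and the table's
    partition key is the string attribute eventID."""
    import os
    import boto3          # present in the Lambda runtime; imported lazily
    if not matches_pattern(event, EVENT_PATTERN):
        return {"stored": False}
    item = item_from_event(event)
    boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"]).put_item(Item=item)
    return {"stored": True, "eventID": item["eventID"]}


if __name__ == "__main__":
    print(matches_pattern(SAMPLE_EVENT, EVENT_PATTERN))
    print(json.dumps(item_from_event(SAMPLE_EVENT), indent=2))
```

Keeping `matches_pattern` in the function is a belt-and-braces check: the rule already filters on the EventBridge side, but a handler that is later wired to a broader rule then fails closed instead of writing unrelated events into the audit table.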

44
Q

What is Enable All Features?

A

It switches the organization from consolidated billing only to the full feature set: policy types such as service control policies and tag policies, and trusted access for other AWS services (consolidated billing is available in both modes). Every invited member account must approve the change.

45
Q

I want to enable AWS Resource Access Manager (RAM) across my organization. Explain how I do this.

A

Enable trusted access for the service in the organization's settings (or from the service's own console). This registers the service as a trusted service of the organization, which lets it create a service-linked role in every member account and operate across the organization on your behalf. Only enable trusted access for services you actually use, since it extends that service's reach into every account.