Note_Tech

All technological notes.

Project maintained by simonangel-fong Hosted on GitHub Pages — Theme by mattgraham

AWS - Organizations

AWS Organizations
- Global service
- Allows to manage multiple AWS accounts
Typs of Account
- management account
  - The main account
- member accounts
  - Other accounts
  - Member accounts can only be part of one organization
Consolidated Billing
- across all accounts
- single payment method on the management account
- Pricing benefits from aggregated usage (volume discount for EC2, S3…)
- Shared reserved instances and Savings Plans discounts across accounts
API is available to automate AWS account creation

organ_diagram

ou_example01

ou_example02

Advantages
- Admin
  - Establish Cross Account Roles for Admin purposes
- Billing
  - Use tagging standards for billing purposes
- Log
  - Send CloudWatch Logs to central logging account
- Audit
  - Enable CloudTrail on all accounts, send logs to central S3 account
- Security
  - Multi Account vs One Account Multi VPC(more separated, more security)
  - SCP

Service Control Policies (SCP)
- the IAM policies applied to OU or Accounts to restrict Users and Roles
- They do not apply to the management account (full admin power)
- Must have an explicit allow
  - does not allow anything by default – like IAM
Sample:
- You have strong regulatory requirements to only allow fully internally audited AWS services in production. You still want to allow your teams to experiment in a development environment while services are being audited. How can you best set this up?
  - Create Organ and create Prod and Dev OU, apply SCP on Prod OU
- You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that?
  - Organ SCP