AWS Organizations

  • It offers policy-based management for multiple AWS accounts.

Features

  • With Organizations, you can create groups of accounts and then apply policies to those groups.
  • Organizations provides you a policy framework for multiple AWS accounts. You can apply policies to a group of accounts or all the accounts in your organization.
  • AWS Organizations enables you to set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for EC2 and S3.
  • AWS Organizations, like many other AWS services, is eventually consistent. It achieves high availability by replicating data across multiple servers in AWS data centers within its region.

Administrative Actions in Organizations

  • Create an AWS account and add it to your organization, or add an existing AWS account to your organization.
  • Organize your AWS accounts into groups called organizational units (OUs).
  • Organize your OUs into a hierarchy that reflects your company’s structure.
  • Centrally manage and attach policies to the entire organization, OUs, or individual AWS accounts.

Concepts

  • An organization is a collection of AWS accounts that you can organize into a hierarchy and manage centrally.
  • A master account is the AWS account you use to create your organization. You cannot change which account in your organization is the master account.
    • From the master account, you can create other accounts in your organization, invite and manage invitations for other accounts to join your organization, and remove accounts from your organization.
    • You can also attach policies to entities such as administrative roots, organizational units (OUs), or accounts within your organization.
    • The master account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization.
  • A member account is an AWS account, other than the master account, that is part of an organization. A member account can belong to only one organization at a time. The master account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts.
  • An administrative root is the starting point for organizing your AWS accounts. The administrative root is the top-most container in your organization’s hierarchy. Under this root, you can create OUs to logically group your accounts and organize these OUs into a hierarchy that best matches your business needs.
  • An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.
  • A policy is a “document” with one or more statements that define the controls that you want to apply to a group of AWS accounts.
    • Service control policy (SCP) is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are similar to IAM permission policies except that they don’t grant any permissions. Instead, SCPs are filters that allow only the specified services and actions to be used in affected accounts.

AWS Training AWS Organizations 2

  • AWS Organizations has two available feature sets:
    • All organizations support consolidated billing, which provides basic management tools that you can use to centrally manage the accounts in your organization.
    • If you enable all features, you continue to get all the consolidated billing features plus a set of advanced features such as service control policies.
  • You can remove an AWS account from an organization and make it into a standalone account.
  • Organization Hierarchy
    • Including root and AWS accounts created in the lowest OUs, your hierarchy can be five levels deep.
    • Policies inherited through hierarchical connections in an organization.
    • Policies can be assigned at different points in the hierarchy.

Pricing

  • This service is free.

Managing Multi-Account AWS Environments Using AWS Organizations:

 

Validate Your Knowledge

Question 1

You are working as a Solutions Architect in a global investment bank which requires corporate IT governance and cost oversight of all of their AWS resources across their divisions around the world. Their corporate divisions want to maintain administrative control of the discrete AWS resources they consume and ensure that those resources are separate from other divisions.

Which of the following options will support the autonomy of each corporate division while enabling the corporate IT to maintain governance and cost oversight? (Choose 2)

  1. Use AWS Trusted Advisor
  2. Enable IAM cross-account access for all corporate IT administrators in each child account.
  3. Create separate VPCs for each division within the corporate IT AWS account.
  4. Use AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account.
  5. Create separate Availability Zones for each division within the corporate IT AWS account.

Show me the answer!

Correct Answers: 2,4

In this scenario, Options 2 and 4 are the correct choices. The combined use of IAM and Consolidated Billing will support the autonomy of each corporate division while enabling corporate IT to maintain governance and cost oversight.

Tutorials Dojo Study Guide and Cheatsheet

You can use an IAM role to delegate access to resources that are in different AWS accounts that you own. You share resources in one account with users in a different account. By setting up cross-account access in this way, you don’t need to create individual IAM users in each account. In addition, users don’t have to sign out of one account and sign into another in order to access resources that are in different AWS accounts.

You can use the consolidated billing feature in AWS Organizations to consolidate payment for multiple AWS accounts or multiple AISPL accounts. With consolidated billing, you can see a combined view of AWS charges incurred by all of your accounts. You can also get a cost report for each member account that is associated with your master account. Consolidated billing is offered at no additional charge. AWS and AISPL accounts can’t be consolidated together.

Option 1 is incorrect. Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. It only provides you alerts on areas where you do not adhere to best practices and tells you how to improve them. It does not assist in maintaining governance over your AWS accounts.

Option 3 is incorrect because creating separate VPCs would not separate the divisions from each other since they will still be operating under the same account and therefore contribute to the same billing each month.

Option 5 is incorrect because you do not need to create Availability Zones. They are already provided for you by AWS right from the start, and not all services support multiple AZ deployments. In addition, having separate Availability Zones in your VPC does not meet the requirement of supporting the autonomy of each corporate division.

References:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Question 2

A multinational bank has recently set up AWS Organizations to manage their multiple AWS accounts from their various business units. The Senior Solutions Architect attached the SCP below to an Organizational Unit (OU) to define the services that its member accounts can use:

{
  “Version”:”2012-10-17″,
  “Statement”:[
  {
  “Effect”:”Allow”,
  “Action”:[“EC2:*”,”S3:*”],
  “Resource”:”*”
  }
  ] }

In one of the member accounts under that OU, an IAM user tried to create a new S3 bucket but was unsuccessful. Which of the following is the root cause of this issue?

  1. The IAM user being used by the administrator does not have IAM policies which explicitly grant EC2 or S3 service actions.
  2. All accounts within the OU does not automatically inherit the policy attached to it. You still have to manually attach the SCP to the individual AWS accounts of the OU.
  3. An IAM policy that allows the use of S3 and EC2 services should be the one attached in the OU instead of an SCP.
  4. You should use the root user of the account to be able to create the new S3 bucket.

Show me the answer!

Correct Answer: 1

A service control policy (SCP) determines what services and actions can be delegated by administrators to the users and roles in the accounts that the SCP is applied to. An SCP does not grant any permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). The SCP limits permissions for entities in member accounts, including each AWS account root user.

If the SCP allows the actions for a service, the administrator of the account can grant permissions for those actions to the users and roles in that account, and the users and roles can perform the actions if the administrators grant those permissions. If the SCP denies actions for a service, the administrators in that account can’t effectively grant permissions for those actions, and the users and roles in the account can’t perform the actions even if granted by an administrator.

Users and roles must still be granted permissions using IAM permission policies attached to them or to groups. The SCPs filter the permissions granted by such policies, and the user can’t perform any actions that the applicable SCPs don’t allow. Actions allowed by the SCPs can be used if they are granted to the user or role by one or more IAM permission policies. Hence, Option 1 is correct since the IAM user being used by the administrator does not have IAM policies which explicitly grant EC2 or S3 service actions.

Option 2 is incorrect because an SCP attached to an OU is automatically inherited by all accounts within that same OU. The main cause of this issue is the missing IAM policy in the account which explicitly grants EC2 or S3 service actions to the IAM user.

Option 3 is incorrect because you cannot directly assign an IAM policy to an OU. In addition, there is no attached IAM policy that allows EC2 or S3 service actions to the IAM user.

Option 4 is incorrect because SCPs do affect the root user along with all IAM users and standard IAM roles in any affected account. The issue lies on the missing IAM policy of the account and not with the SCP, OU, or its AWS Organizations settings.

References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html
https://aws.amazon.com/organizations/faqs/

For more AWS practice exam questions with detailed explanations, check this out:

Tutorials Dojo AWS Practice Tests

XX

Sources:
https://docs.aws.amazon.com/organizations/latest/userguide/
https://aws.amazon.com/organizations/features/
https://aws.amazon.com/organizations/faqs/