
AWS Organizations

  • AWS Organizations offers policy-based management for multiple AWS accounts.

Features

  • With Organizations, you can create groups of accounts and then apply policies to those groups.
  • Organizations provides you a policy framework for multiple AWS accounts. You can apply policies to a group of accounts or all the accounts in your organization.
  • AWS Organizations enables you to set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for EC2 and S3.
  • AWS Organizations, like many other AWS services, is eventually consistent. It achieves high availability by replicating data across multiple servers in AWS data centers within its region.

Administrative Actions in Organizations

  • Create an AWS account and add it to your organization, or add an existing AWS account to your organization.
  • Organize your AWS accounts into groups called organizational units (OUs).
  • Organize your OUs into a hierarchy that reflects your company’s structure.
  • Centrally manage and attach policies to the entire organization, OUs, or individual AWS accounts.

Concepts

  • An organization is a collection of AWS accounts that you can organize into a hierarchy and manage centrally.
  • A management account is the AWS account you use to create your organization. You cannot change which account in your organization is the management account.
    • From the management account, you can create other accounts in your organization, invite and manage invitations for other accounts to join your organization, and remove accounts from your organization.
    • You can also attach policies to entities such as administrative roots, organizational units (OUs), or accounts within your organization.
    • The management account has the role of a payer account and is responsible for paying all charges accrued by the accounts in its organization.
  • A member account is an AWS account, other than the management account, that is part of an organization. A member account can belong to only one organization at a time. The management account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts.
  • An administrative root is the starting point for organizing your AWS accounts. The administrative root is the top-most container in your organization’s hierarchy. Under this root, you can create OUs to logically group your accounts and organize these OUs into a hierarchy that best matches your business needs.
  • An organizational unit (OU) is a group of AWS accounts within an organization. An OU can also contain other OUs enabling you to create a hierarchy.
  • A policy is a “document” with one or more statements that define the controls that you want to apply to a group of AWS accounts.
    • A service control policy (SCP) is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are similar to IAM permission policies except that they don’t grant any permissions. Instead, SCPs are filters that allow only the specified services and actions to be used in affected accounts.


  • AWS Organizations has two available feature sets:
    • All organizations support consolidated billing, which provides basic management tools that you can use to centrally manage the accounts in your organization.
    • If you enable all features, you continue to get all the consolidated billing features plus a set of advanced features such as service control policies.
  • You can remove an AWS account from an organization and make it into a standalone account.
  • Organization Hierarchy
    • Including root and AWS accounts created in the lowest OUs, your hierarchy can be five levels deep.
    • Policies are inherited through hierarchical connections in an organization.
    • Policies can be assigned at different points in the hierarchy.
  • You can attach tags, or user-defined attributes, to Organizational Units, the organization’s root, and policies. These tags let you implement attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on tags attached to users and AWS resources.
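To make concrete how SCPs act as filters rather than grants, and how they are inherited down the root/OU/account hierarchy, here is a small evaluation model added as an example; it is not code from the page’s author or from AWS. The hierarchy, account IDs and policy statements are constructed, and the evaluation is deliberately simplified (Action matching only, no Resource or Condition elements, and the management account’s exemption is not modelled).

```python
from fnmatch import fnmatchcase

# Constructed organization tree (not a real organization). AWS attaches the
# default "FullAWSAccess" SCP to every node when all features are enabled; the
# Prod OU below carries an allow-list SCP instead, and the Workloads OU adds a
# Deny statement that every account beneath it inherits.
FULL_AWS_ACCESS = {"Effect": "Allow", "Action": "*"}

ORG_TREE = {
    "r-root": {"parent": None, "statements": [FULL_AWS_ACCESS]},
    "ou-workloads": {
        "parent": "r-root",
        "statements": [
            FULL_AWS_ACCESS,
            {"Effect": "Deny", "Action": "organizations:LeaveOrganization"},
        ],
    },
    "ou-prod": {
        "parent": "ou-workloads",
        # Allow-list SCP: only these service prefixes may be used below this OU.
        "statements": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*", "sts:*"]}],
    },
    "111111111111": {"parent": "ou-prod", "statements": [FULL_AWS_ACCESS]},
    "222222222222": {"parent": "ou-workloads", "statements": [FULL_AWS_ACCESS]},
}
MAX_DEPTH = 5  # page's stated limit: root plus nested OUs, accounts in the lowest OU included

# Constructed IAM identity policies used in the checks below.
ADMIN_POLICY = [{"Effect": "Allow", "Action": "*"}]
S3_READ_ONLY_POLICY = [{"Effect": "Allow", "Action": "s3:GetObject"}]


def _statement_matches(statement, action):
    """True if the statement's Action (string or list, * wildcards) covers the action."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statements_allow(statements, action):
    """IAM-style evaluation of one document: an explicit Deny always wins,
    otherwise at least one Allow statement must match the action."""
    matching = [s for s in statements if _statement_matches(s, action)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)


def ancestry(node_id):
    """Path from the root down to the node, following the hierarchy connections."""
    path = []
    while node_id is not None:
        path.append(node_id)
        node_id = ORG_TREE[node_id]["parent"]
    return list(reversed(path))


def scp_allows(account_id, action):
    """SCPs are inherited: the action must pass the SCPs attached at every level
    from the root down to the account (an intersection, not a union)."""
    return all(statements_allow(ORG_TREE[n]["statements"], action) for n in ancestry(account_id))


def effective_allow(account_id, iam_statements, action):
    """An SCP never grants anything: the principal's own IAM policy must allow the
    action AND every inherited SCP must let it through."""
    return statements_allow(iam_statements, action) and scp_allows(account_id, action)


def hierarchy_depth(account_id):
    """Number of levels from the root to the account, for checking the depth limit."""
    return len(ancestry(account_id))


if __name__ == "__main__":
    for acct, policy, action in [
        ("111111111111", ADMIN_POLICY, "ec2:RunInstances"),
        ("111111111111", ADMIN_POLICY, "dynamodb:PutItem"),
        ("222222222222", ADMIN_POLICY, "organizations:LeaveOrganization"),
        ("222222222222", S3_READ_ONLY_POLICY, "ec2:RunInstances"),
    ]:
        print(acct, action, "->", effective_allow(acct, policy, action))
    print("depth within limit:", hierarchy_depth("111111111111") <= MAX_DEPTH)
```

Two results are worth noticing: an administrator in the Prod account is refused `dynamodb:PutItem` because the OU’s allow-list SCP does not include it, and an S3-read-only principal in the Workloads account is refused `ec2:RunInstances` even though every inherited SCP permits it, because an SCP filters but never grants. The Deny at the Workloads OU blocks `organizations:LeaveOrganization` for every account beneath it regardless of IAM permissions.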

Pricing

  • This service is free.


Validate Your Knowledge

Question 1

A company requires corporate IT governance and cost oversight of all of its AWS resources across its divisions around the world. Their corporate divisions want to maintain administrative control of the discrete AWS resources they consume and ensure that those resources are separate from other divisions.

Which of the following options will support the autonomy of each corporate division while enabling the corporate IT to maintain governance and cost oversight? (Select TWO.)

  1. Use AWS Trusted Advisor
  2. Enable IAM cross-account access for all corporate IT administrators in each child account.
  3. Create separate VPCs for each division within the corporate IT AWS account.
  4. Use AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account.
  5. Create separate Availability Zones for each division within the corporate IT AWS account.

Correct Answers: 2, 4

In this scenario, enabling IAM cross-account access for all corporate IT administrators in each child account and using AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account are the correct choices. The combined use of IAM and Consolidated Billing will support the autonomy of each corporate division while enabling corporate IT to maintain governance and cost oversight.

You can use an IAM role to delegate access to resources that are in different AWS accounts that you own. You share resources in one account with users in a different account. By setting up cross-account access in this way, you don’t need to create individual IAM users in each account. In addition, users don’t have to sign out of one account and sign into another in order to access resources that are in different AWS accounts.

You can use the consolidated billing feature in AWS Organizations to consolidate payment for multiple AWS accounts or multiple AISPL accounts. With consolidated billing, you can see a combined view of AWS charges incurred by all of your accounts. You can also get a cost report for each member account that is associated with your master account. Consolidated billing is offered at no additional charge. AWS and AISPL accounts can’t be consolidated together.

Using AWS Trusted Advisor is incorrect. Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. It only alerts you to areas where you do not adhere to best practices and tells you how to improve them. It does not assist in maintaining governance over your AWS accounts.

Creating separate VPCs for each division within the corporate IT AWS account is incorrect because separate VPCs would not separate the divisions from each other: they would still operate under the same account and therefore contribute to the same bill each month.

Creating separate Availability Zones for each division within the corporate IT AWS account is incorrect because you do not need to create Availability Zones. They are already provided for you by AWS right from the start, and not all services support multiple AZ deployments. In addition, having separate Availability Zones in your VPC does not meet the requirement of supporting the autonomy of each corporate division.

References:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Note: This question was extracted from our AWS Certified Solutions Architect Associate Practice Exams.

Question 2

A multinational manufacturing company has multiple AWS accounts in multiple AWS regions across North America, Europe, and Asia. You were instructed to set up AWS Organizations to centrally manage policies and have full administrative control across the multiple AWS accounts of the company, without requiring custom scripts and manual processes.

As the Solutions Architect, how can you achieve this requirement with the LEAST effort?

  1. Set up AWS Organizations by establishing cross-account access from the master account to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts.
  2. Set up AWS Organizations by sending an invitation to the master account of your organization from each of the member accounts of the company. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.
  3. Set up AWS Organizations by enabling trusted access to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts.
  4. Set up AWS Organizations by sending an invitation to all member accounts of the company from the master account of your organization. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.

Correct Answer: 4

After you create an organization and verify that you own the email address associated with the master account, you can invite existing AWS accounts to join your organization. When you invite an account, AWS Organizations sends an invitation to the account owner, who decides whether to accept or decline the invitation. You can use the AWS Organizations console to initiate and manage invitations that you send to other accounts. You can send an invitation to another account only from the master account of your organization.

If you are the administrator of an AWS account, you also can accept or decline an invitation from an organization. If you accept, your account becomes a member of that organization. Your account can join only one organization, so if you receive multiple invitations to join, you can accept only one.

When an invited account joins your organization, you do not automatically have full administrator control over the account, unlike created accounts. If you want the master account to have full administrative control over an invited member account, you must create the OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.
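The role described here uses the same cross-account mechanism as the IAM role in Question 1: a role in the member account whose trust policy names the management account, which then assumes it through STS. The following is an added example, not code from the page or from AWS, that builds such a trust policy and audits an existing one so that a role carrying administrator permissions can only be assumed from the intended management account. The account IDs are constructed placeholders, and `assume_member_role` performs a real STS call only when invoked with AWS credentials.

```python
import json
import re
from fnmatch import fnmatchcase

ROLE_NAME = "OrganizationAccountAccessRole"
MANAGEMENT_ACCOUNT_ID = "111111111111"  # constructed placeholder, not a real account

# Principal ARNs that identify a specific account: root, an IAM user or an IAM role.
_ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def build_trust_policy(management_account_id):
    """Trust policy for the member-account role: only principals in the
    management account (its root principal) may call sts:AssumeRole on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


# Constructed misconfigurations used to exercise the audit below.
WILDCARD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}
WILDCARD_AWS_PRINCIPAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_assume_role(statement):
    """True if an Allow statement's Action covers sts:AssumeRole, wildcards included."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(statement.get("Action", [])))


def audit_trust_policy(policy, expected_account_id):
    """Return a list of findings; an empty list means every principal that may
    assume the role belongs to the expected management account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if not _grants_assume_role(stmt):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("statement trusts any principal (*)")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unrecognized principal {principal}")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append("AWS principal is a wildcard")
                continue
            match = _ACCOUNT_ARN.match(arn)
            if match is None:
                findings.append(f"unrecognized principal {arn}")
            elif match.group(1) != expected_account_id:
                findings.append(f"principal {arn} is outside account {expected_account_id}")
    return findings


def assume_member_role(member_account_id, session_name="org-admin-session"):
    """From the management account, assume the member role via STS. This is a
    real AWS call that needs credentials; it is only shown for the exchange shape."""
    import boto3  # imported lazily so the rest of the module runs offline
    sts = boto3.client("sts")
    response = sts.assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{ROLE_NAME}",
        RoleSessionName=session_name,
    )
    return response["Credentials"]


if __name__ == "__main__":
    policy = build_trust_policy(MANAGEMENT_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("findings (expected none):", audit_trust_policy(policy, MANAGEMENT_ACCOUNT_ID))
    print("findings (wildcard):", audit_trust_policy(WILDCARD_TRUST_POLICY, MANAGEMENT_ACCOUNT_ID))
```

The audit matters because the role the explanation asks you to create is typically given administrator permissions in the member account; a trust policy that names a wildcard, or the wrong account, hands that access to someone other than the management account, so it is worth checking every member account’s role trust policy against the known management account ID.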

The option that says: Set up AWS Organizations by establishing cross-account access from the master account to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts is incorrect because cross-account access is primarily used for scenarios where you need to grant your IAM users permission to switch to roles within your AWS account or to roles defined in other AWS accounts that you own.

The option that says: Set up AWS Organizations by sending an invitation to the master account of your organization from each of the member accounts of the company. Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role is incorrect because it entails a lot of effort in sending an individual invitation to the master account from each of the member accounts of the company. The scenario says that you should achieve this requirement with the LEAST effort and you can do this by sending an invitation to all member accounts of the company from the master account of your organization.

The option that says: Set up AWS Organizations by enabling trusted access to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts is incorrect because trusted access is primarily used to enable a specific AWS service (called a trusted service) to perform tasks in your organization and its accounts on your behalf.

Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html

Note: This question was extracted from our AWS Certified Solutions Architect Professional Practice Exams.


References:
https://docs.aws.amazon.com/organizations/latest/userguide/
https://aws.amazon.com/organizations/features/
https://aws.amazon.com/organizations/faqs/
