What is AWS Organizations used for?
Organizations provides you with a policy framework for multiple AWS accounts. You can apply policies to a group of accounts or to all the accounts in your organization.
Managing Multi-Account AWS Environments Using AWS Organizations
Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.
Validate Your Knowledge
Question 1
A company requires corporate IT governance and cost oversight of all of its AWS resources across its divisions around the world. Their corporate divisions want to maintain administrative control of the discrete AWS resources they consume and ensure that those resources are separate from other divisions. Which of the following options will support the autonomy of each corporate division while enabling the corporate IT to maintain governance and cost oversight? (Select TWO.)
Correct Answers: 2,4
You can use an IAM role to delegate access to resources that are in different AWS accounts that you own. You share resources in one account with users in a different account. By setting up cross-account access in this way, you don’t need to create individual IAM users in each account. In addition, users don’t have to sign out of one account and sign in to another in order to access resources that are in different AWS accounts.
You can use the consolidated billing feature in AWS Organizations to consolidate payment for multiple AWS accounts or multiple AISPL accounts. With consolidated billing, you can see a combined view of AWS charges incurred by all of your accounts. You can also get a cost report for each member account that is associated with your master account. Consolidated billing is offered at no additional charge. AWS and AISPL accounts can’t be consolidated together.
The combined use of IAM and Consolidated Billing will support the autonomy of each corporate division while enabling corporate IT to maintain governance and cost oversight. Hence, the correct choices are:
– Enable IAM cross-account access for all corporate IT administrators in each child account
– Use AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account
Using AWS Trusted Advisor and AWS Resource Groups Tag Editor is incorrect. Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. It only alerts you to areas where you do not adhere to best practices and tells you how to improve them. It does not assist in maintaining governance over your AWS accounts. Additionally, the AWS Resource Groups Tag Editor simply allows you to add, edit, and delete tags on multiple AWS resources at once for easier identification and monitoring.
Creating separate VPCs for each division within the corporate IT AWS account. Launch an AWS Transit Gateway with equal-cost multipath routing (ECMP) and VPN tunnels for intra-VPC communication is incorrect because creating separate VPCs would not separate the divisions from each other, since they would still be operating under the same account and therefore contribute to the same bill each month. AWS Transit Gateway connects VPCs and on-premises networks through a central hub and acts as a cloud router where each new connection is made only once. For this particular scenario, it is more suitable to use AWS Organizations than to set up an AWS Transit Gateway, since the objective is to maintain administrative control of the AWS resources, not to provide network connectivity.
Creating separate Availability Zones for each division within the corporate IT AWS account. Improve communication between the two AZs using the AWS Global Accelerator is incorrect because you do not need to create Availability Zones. They are already provided for you by AWS right from the start, and not all services support multi-AZ deployments. In addition, having separate Availability Zones in your VPC does not meet the requirement of supporting the autonomy of each corporate division. AWS Global Accelerator is a service that uses the AWS global network to optimize the network path from your users to your applications, not the path between your Availability Zones.
References:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
Note: This question was extracted from our AWS Certified Solutions Architect Associate Practice Exams.
Question 2
A multinational manufacturing company has multiple AWS accounts in multiple AWS regions across North America, Europe, and Asia. The solutions architect has been tasked to set up AWS Organizations to centrally manage policies and have full administrative control across the multiple AWS accounts owned by the company, without requiring custom scripts and manual processes.
Which of the following options is the recommended implementation to achieve this requirement with the LEAST effort?
Correct Answer: 4
After you create an organization and verify that you own the email address associated with the master account, you can invite existing AWS accounts to join your organization. When you invite an account, AWS Organizations sends an invitation to the account owner, who decides whether to accept or decline the invitation. You can use the AWS Organizations console to initiate and manage invitations that you send to other accounts. You can send an invitation to another account only from the master account of your organization.
If you are the administrator of an AWS account, you also can accept or decline an invitation from an organization. If you accept, your account becomes a member of that organization. Your account can join only one organization, so if you receive multiple invitations to join, you can accept only one.
When an invited account joins your organization, you do not automatically have full administrator control over the account, unlike created accounts. If you want the master account to have full administrative control over an invited member account, you must create the
Therefore, the correct answer is: Set up AWS Organizations by sending an invitation to all member accounts of the company from the master account of your organization. Create an
The option that says: Set up AWS Organizations by establishing cross-account access from the master account to all member AWS accounts of the company. The master account will automatically have full administrative control across all member accounts is incorrect. Cross-account access is primarily used for scenarios where you need to grant your IAM users permission to switch to roles within your AWS account or to roles defined in other AWS accounts that you own.
The option that says: Set up AWS Organizations by sending an invitation to the master account of your organization from each of the member accounts of the company. Create an
The option that says: Use AWS Control Tower from the master account and enroll all the member AWS accounts of the company. AWS Control Tower will automatically provision the needed IAM permissions to have full administrative control across all member accounts
What are the benefits of using AWS Organizations?
Quickly scale your environment by programmatically creating new AWS accounts for your resources and teams at no additional charge. Simplify user-based permission management to give teams the freedom to build while staying within targeted governance boundaries.
What is the difference between AWS Organizations and IAM?
An IAM group is a way to place certain IAM users under a specific set of policies (permissions) to access certain resources, e.g. EC2, S3, etc. AWS Organizations OUs, on the other hand, are a way to manage multiple AWS accounts and apply specific policies to a group of accounts.
What type of organization is AWS?
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
What is an AWS Organizations unit?
An organizational unit (OU) is a logical grouping of accounts in your organization, created using AWS Organizations. OUs enable you to organize your accounts into a hierarchy and make it easier for you to apply management controls. AWS Organizations policies are what you use to apply such controls.
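As an added example (not part of the original page and not AWS library code), the following Python models how policies attached at each level of an OU hierarchy combine for a member account, the point made above about applying controls to a group of accounts. The hierarchy, account IDs and policy statements are constructed sample data, and the evaluation is a simplified model of service control policy semantics: an action is permitted only if every level on the path from the account up to the root allows it and no level denies it.

```python
# Added example: simplified model of how AWS Organizations service control
# policies (SCPs) combine along the path account -> OU -> ... -> root.
# SCPs never grant permissions by themselves; IAM inside the member account
# still has to allow the action. The management (master) account is not
# subject to SCPs, so only member accounts are modelled here.
from fnmatch import fnmatchcase

# Constructed sample hierarchy: {node: parent}; None marks the organization root.
PARENT = {"Root": None, "Prod": "Root", "Sandbox": "Root",
          "111111111111": "Prod", "222222222222": "Sandbox"}

# Constructed sample SCPs attached at each node. A full-access Allow is the
# usual starting point; Deny statements then carve out guardrails.
SCPS = {
    "Root": [{"Effect": "Allow", "Action": ["*"]},
             {"Effect": "Deny", "Action": ["organizations:LeaveOrganization"]}],
    "Prod": [{"Effect": "Allow", "Action": ["*"]},
             {"Effect": "Deny", "Action": ["cloudtrail:StopLogging",
                                           "cloudtrail:DeleteTrail"]}],
    # Sandbox OU uses an allow-list instead of full access.
    "Sandbox": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*"]}],
    "111111111111": [{"Effect": "Allow", "Action": ["*"]}],
    "222222222222": [{"Effect": "Allow", "Action": ["*"]}],
}


def path_to_root(node):
    """Return [node, parent, ..., root] so every level's SCPs are checked."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def _matches(stmt, action):
    # IAM-style wildcard matching on the action string, e.g. "ec2:*".
    return any(fnmatchcase(action, pattern) for pattern in stmt["Action"])


def node_allows(node, action):
    """One level: a matching Deny always wins; otherwise an Allow is required."""
    stmts = SCPS.get(node, [])
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts)


def effective_allow(account, action):
    """Effective SCP result: every node on the path to the root must allow."""
    return all(node_allows(n, action) for n in path_to_root(account))
```

Attaching a Deny at the Prod OU blocks the action for every account under that OU regardless of the account's own policies, which is the guardrail property the OU hierarchy is meant to give you.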