Manazing Multiple AWS Accounts with Organizations
AWS Organization allows us to create multiple AWS accounts and apply standards. In the Prod, Development, Beta accounts. If we separate out accounts, something that happens in one account does not affect another account.
Logging Account – an AWS account that has S3 buckets. Cloudtrail can centralize logs on one account.
Programatic creation of new aws accounts
Combine and share reserved instances – it can get the billing discount
The primary main account is where you get the bills
Service Control Policies – uses the same JSON IAM policy space. Applies as a Global Policy – this would overwrite all policies including the root account. An allow statement never give permissions, it is only the exclusion of the allow. The Deny is actually less restrictive than the allow when it applies to SCPs.
SCPs are the best way to have the final say in what you can do in your AWS account. Its important to know you can designate a single AWS account to hold your logs. Billing can easily roll up to a single account for payment. RIs can be shared across accounts. This allows you to have one “billing” account to hold the RIs.
Sharing Resources with AWS RAM
Resource Access Manager. AWS Resource Access Manager is a free service that allows you to share AWS resources with other accounts and within your organization. AWS RAM allows you easily share resources rather than having to create duplicate copies in your different accounts.
- Transit Gateways
- License Manager
- VPC subnets
- Route 53 Resolver
- Dedicated Hosts
RAM vs VPC Peering? In general if you’re sharing resources within the same region, use RAM. If you need to share resources across regions – use VPC Peering. RAM is free, but the user creating the architecture pays. RAM easily allows organizations to share architecture.
Cross account role access
Duplicating IAM accounts creates a security vulnerability. Cross-account role access gives you the ability to setup temporary access you can easily control.
- create IAM role
- Grant access to Groups (Developers, Testers)
- Test Access
It is preferred to create cross-account roles instead of IAM credentials.
Any temporary employees get role access, and thats it. No permanent credentials. Roles are temporary: you can’t permanently assume a role.
Inventory Management with AWS Config
Query our resources. How many instances do I have, it looks like something was deleted but what was it?
Enforce rules can be created to flag when something is going wrong. Whenever a rule is violated, you can be alerted to even have it automatically fixed.
Learn. What is the history of your environment? When did something change? Who made that call?
Resource Timeline: Can see the events that happen in CloudTrail, difference in configurations,
AWS Config is not a free service. Standards – config is the best way to check what standards are applied to your architecture. You can track previously deleted AWS resources with Config.
Offloading Active Directory to Directory Service
Fully managed version of Active Directory. It allows you to offload thee painful parts of keeping AD online to AWS while giving you the full control and flexibility AD provides.
Managed Microsoft AD. All AD tools.
AD Connector – AD in the physical office/on prem and it connects a tunnel between the AD environment and leaves an endpoint in AWS to authenticate.
Simple AD – standalone directory powered by Linux Samba Active Directory Compatible Server.
Use cases are managed AD and AD connector. Managed Microsoft AD is for when we want to migrate everything into AWS.
You’ll know the use cases for each type of Directory Service. Whenever possible, use Directory Service over EC2 instances for AD. Its OK to leave AD on-premises. This is frequently the case in exam scenarios.
Exploring with Cost Explorer
Why do we budget? What is cost explorer? Cost Explorer Features.
We budget to know where the money is going. AWS Cost Explorer is an easy-to-use tool that allows you to visualize your cloud costs. You can generate reports based on a variety of factors, including resource tags.
Service – easily break down costs on a service-by-service basis. Time – what was your bill last month? How about next month? Filter – where is the spend coming from? Filter on tag, categories, etc.
A tool that allows organizations to easily plan and set expectations around cloud cost. Set budgets for users to spend on a monthly basis.
Cost Budgets “How much are we spending”
Usage Budgets “How much are we using”
Reservation Budgets “are we being efficient with our RIs?”
Savings Plan Budgets – “is what we’re doing covered by our savings plan?”
Auditing with Trusted Advisor
Fully managed best-practice auditing tool. It will scan 5 different parts of your account and it will look fo you where you could improve your adoption of the recommended best practices provided by AWS.
- Cost Optimization – are you spending money on resources you don’t need?
- Performance – Are your services configured properly?
- Security – Is your AWS architecture full of vulnerabilities?
- Fault Tolerance – Are you protected when something fails?
- Service Limits – Do you have room to scale?
Technically its 100% free, but you get additional checks when you pay for support.
Focus on answers with a notification component. Trusted advisor uses SNS to notify users. TO get the most useful checks you’ll need a business or enterprise support plan. Trusted advisor will not fix the problems for you, it needs lambda/eventBridge (CloudWatch Events) to kickoff solving the problem for you.
Can it be centralized? Is this asking for a tool or a solution I can store in one AWS account and have it spread across the AWS architecture. Maybe its a centralized store for CloudTrail logs, or manage my Active Directory.
How do we standardize? Exam wants to layout how to standardize by using governance tools, e.g. how to standardize security group rules, how do I centralize logs, how do I use a config rule for that to happen?
How do we enforce the standards? Have to define the standard, pick thee tool to enforce it
Are the users internal or external? Internal use may use AD, external may use Cognito.
Service control policies (SCPs) are the only way to restrict root accounts. They have the ultimate and final say and overwrite any permission sets.
Centralized logs are always the right answer. CloudTrail offers support to log everything into a single AWS account. Never want to spread logs out to multiple locations.
Isolating workloads into separate accounts is a great way to add more layers of security and controls. Avoid everything that lump it in one account. A Dev/QA/Prod/Staging/Logging account allows for isolation.
3 Exam Tips for AWS Config
- Standardization – anytime a rule nets to be setup, use config to setup compliance
- Automate the Response – config offers the ability to automatically remediate problems using automation documents
- Know what changed – config is the one stop shop to see what changed. it will provide you with a history of your architecture.
User management requires the right tool. Make sure you’re using AWS SSO for internal user management and Cognito for external.
AD is a common topic and should make you think Directory Service. If its lift and shift, pick Managed Microsoft AD. If AD is staying on premises, select AD Connector.
Cross-account role access is always better solution than creating unnecessary IAM credentials. No correct answers will show creating duplicate IAM credentials.