AWS Organizations
- AWS Organizations is an account management service that enables consolidating multiple AWS accounts into an organization that can be created and centrally managed.
- AWS Organizations include consolidated billing and account management capabilities that enable one to better meet the budgetary, security, and compliance needs of the business.
- As an administrator of an organization, new accounts can be created in an organization, and existing accounts invited to join the organization.
- AWS Organizations enables you to
- Automate AWS account creation and management, and provision resources with AWS CloudFormation Stacksets.
- Maintain a secure environment with policies and management of AWS security services
- Govern access to AWS services, resources, and regions
- Centrally manage policies across multiple AWS accounts
- Audit the environment for compliance
- View and manage costs with consolidated billing
- Configure AWS services across multiple accounts
AWS Organization Features
- Centralized management of all of the AWS accounts
- Combine existing accounts into or create new ones within an organization that enables them to be managed centrally
- Policies can be attached to accounts that affect some or all of the accounts
- Consolidated billing for all member accounts
- Consolidated billing is a feature of AWS Organizations.
- Master or Management account of the organization can be used to consolidate and pay for all member accounts.
- Hierarchical grouping of accounts to meet budgetary, security, or compliance needs
- Accounts can be grouped into organizational units (OUs) and each OU can be attached to different access policies.
- OUs can also be nested to a depth of five levels, providing flexibility in how you structure your account groups.
- Control over AWS services and API actions that each account can access
- As an administrator of the master account of an organization, access to users and roles in each member account can be restricted to which AWS services and individual API actions
- Organization permissions overrule account permissions.
- This restriction even overrides the administrators of member accounts in the organization.
- When AWS Organizations blocks access to a service or API action for a member account, a user or role in that account can’t access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy.
- Integration and support for AWS IAM
- IAM provides granular control over users and roles in individual accounts.
- Organizations expand that control to the account level by giving control over what users and roles in an account or a group of accounts can do.
- Users can access only what is allowed by both the Organization policies and IAM policies.
- Resulting permissions are the logical intersection of what is allowed by AWS Organizations at the account level, and what permissions are explicitly granted by IAM at the user or role level within that account.
- If either blocks an operation, the user can’t access that operation.
- Integration with other AWS services
- Select AWS services can be enabled to access accounts in the organization and perform actions on the resources in the accounts.
- When another service is configured and authorized to access the organization, AWS Organizations creates an IAM service-linked role for that service in each member account.
- Service-linked role has predefined IAM permissions that allow the other AWS service to perform specific tasks in the organization and its accounts.
- All accounts in an organization automatically have a service-linked role created, which enables the AWS Organizations service to create the service-linked roles required by AWS services for which you enable trusted access
- These additional service-linked roles come with policies that enable the specified service to perform only those required tasks
- Data replication that is eventually consistent
- AWS Organizations is eventually consistent.
- AWS Organizations achieve high availability by replicating data across multiple servers in AWS data centers within its region.
- If a request to change some data is successful, the change is committed and safely stored.
- However, the change must then be replicated across multiple servers.
AWS Organizations Terminology and Concepts
Organization
- An entity created to consolidate AWS accounts that can be administered as a single unit.
- An organization has one master/management account along with zero or more member accounts.
- An organization has the functionality that is determined by the feature set that you enable i.e. All features or Consolidated Billing only
Root
- Parent container for all the accounts for the organization.
- Policy applied to the root is applied to all the organizational units (OUs) and accounts in the organization.
- There can be only one root currently and AWS Organization automatically creates it when an organization is created
Organizational Unit (OU)
- A container for accounts within a root.
- An OU also can contain other OUs, enabling hierarchy creation that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree.
- A policy attached to one of the nodes in the hierarchy flows down and affects all branches (OUs) and leaves (accounts) beneath it.
- An OU can have exactly one parent, and currently, each account can be a member of exactly one OU.
Account
- A standard AWS account that contains AWS resources.
- Each account can be directly in the root or placed in one of the OUs in the hierarchy.
- Policy can be attached to an account to apply controls to only that one account.
- Accounts can be organized in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root.
- Master or Management account
- Primary account which creates the organization
- can create new accounts in the organization, invite existing accounts, remove accounts, manage invitations, and apply policies to entities within the organization.
- has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts.
- Member account
- Rest of the accounts within the organization are member accounts.
- An account can be a member of only one organization at a time.
Invitation
- Process of asking another account to join an organization.
- An invitation can be issued only by the organization’s management account and is extended to either the account ID or the email address that is associated with the invited account.
- Invited account becomes a member account in the organization after it accepts the invitation.
- Invitations can be sent to existing member accounts as well, to approve the change from supporting only consolidated billing features to supporting all features.
- Invitations work by accounts exchanging handshakes.
Handshake
- A multi-step process of exchanging information between two parties.
- Primary use in AWS Organizations is to serve as the underlying implementation for invitations.
- Handshake messages are passed between and responded to by the handshake initiator (management account) and the recipient (member account) in such a way that it ensures that both parties always know what the current status is.
Available Feature Sets
Consolidated billing
- provides shared or consolidated billing functionality which includes pricing benefits for aggregated usage.
All Features
- includes all the functionality of consolidated billing and advanced features that give more control over accounts in the organization.
- allows the management account to have full control over what member accounts can do.
- invited accounts must approve enabling all features
- The Management account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access, and it can prevent member accounts from leaving the organization
- Member accounts can’t switch from All features to Consolidated Billing only mode.
Service Control Policies – SCPs
- Service Control Policies specify the services and actions that users and roles can use in the accounts that the SCP affects.
- SCPs are similar to IAM permission policies except that they don’t grant any permissions.
- SCPs are filters that allow only the specified services and actions to be used in affected accounts.
- SCPs override the IAM permission policy. So even if a user is granted full administrator permissions with an IAM permission policy, any access that is not explicitly allowed or that is explicitly denied by the SCPs affecting that account is blocked. for e.g., if you assign an SCP that allows only database service access to your “database” account, then any user, group, or role in that account is denied access to any other service’s operations.
- SCP can be attached to
- A root, which affects all accounts in the organization
- An OU, which affects all accounts in that OU and all accounts in any OUs in that OU subtree
- An individual account
- Organization’s Management account is not affected by any SCPs that are attached either to it or to any root or OU the master account might be in.
Whitelisting vs. Blacklisting
- Whitelisting and blacklisting are complementary techniques used to apply SCPs to filter the permissions available to accounts.
- Whitelisting
- Explicitly specify the access that is allowed.
- All other access is implicitly blocked or denied.
- By default, all permissions are whitelisted.
- AWS Organizations attaches an AWS-managed policy called
FullAWSAccess
to all roots, OUs, and accounts, which ensures the building of the organizations. - For restricting permissions, replace the
FullAWSAccess
policy with one that allows only the more limited, desired set of permissions. - Users and roles in the affected accounts can then exercise only that level of access, even if their IAM policies allow all actions.
- If you replace the default policy on the root, all accounts in the organization are affected by the restrictions.
- You can’t add them back at a lower level in the hierarchy because an SCP never grants permissions; it only filters them.
- Blacklisting
- The default behavior of AWS Organizations.
- Explicitly specify the access that is not allowed.
- Explicit deny of a service action overrides any allow of that action.
- All other permissions are allowed unless explicitly blocked
- By default, AWS Organizations attach an AWS-managed policy called
FullAWSAccess
to all roots, OUs, and accounts. This allows any account to access any service or operation with no AWS Organizations–imposed restrictions. - With blacklisting, additional policies are attached that explicitly deny access to the unwanted services and actions
AWS Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- An organization that is currently using consolidated billing has recently acquired another company that already has a number of AWS accounts. How could an Administrator ensure that all AWS accounts, from both the existing company and the acquired company, are billed to a single account?
- Merge the two companies, AWS accounts by going to the AWS console and selecting the “Merge accounts” option.
- Invite the acquired company’s AWS account to join the existing company’s organization using AWS Organizations.
- Migrate all AWS resources from the acquired company’s AWS account to the master payer account of the existing company.
- Create a new AWS account and set it up as the master payer. Move the AWS resources from both the existing and acquired companies’ AWS accounts to the new account.
- Which of the following are the benefits of AWS Organizations? Choose the 2 correct answers:
- Centrally manage access polices across multiple AWS accounts.
- Automate AWS account creation and management.
- Analyze cost across all multiple AWS accounts.
- Provide technical help (by AWS) for issues in your AWS account.
- A company has several departments with separate AWS accounts. Which feature would allow the company to enable consolidate billing?
- AWS Inspector
- AWS Shield
- AWS Organizations
- AWS Lightsail
Hi Jayendra,
I think answer for Que-2 should be A and C (not B). AWS Organization helps in managing set of accounts centrally and in understanding the cost being incurred by the individual ‘Linked’ accounts.
Did I miss something?
Thanks,
Abhishek
A and B is right.. you can use scripting or console to automatically create accounts
Organization enables consolidated billing not analyze costs
Hi jayendra,
I agree Q2,
B. Automate AWS account creation and management
above option is wrong