AWS ORGANIZATIONS
Lilian Shulika Tata
DEFINITION
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that has been previously created. (The account that created the organization is also known as the management/master account.)
• Identity Access Management (IAM policies): You can have better control over the roles and access you want to provide to your employees. You can create IAM groups and assign the roles required to perform a particular function. This ensures better governance in your AWS account.
• Role-based Access Control: RBAC is a policy-neutral access control system in an enterprise. RBAC can facilitate the administration of security policies for thousands of users at a time.
• Cost management: Consolidated billing is the best cost management technique. You can manage and audit the expenses of all the accounts from one dashboard. In case you’re looking for further information about AWS costs, here’s a blog that talks about how AWS pricing works.
• Effectively manage different cloud resources, servers, and storage.
COMPONENTS OF AWS ORGANIZATIONS
• Master Account: This can be your root account designated for managing your AWS infrastructure. It is the central account from which your services are billed. The Master Account is also the central management and governance hub.
• Organizational Units (OU): This is a set of AWS accounts logically grouped within an organization. It is best seen as a container of accounts within your root account. Multiple OUs can also be created under a single OU, making it a tree structure.
• Service Control Policies (SCPs): This document describes controls to be applied to a selected set of accounts. The policy defines which services and actions users or roles in those accounts can perform.
AWS ORGANIZATIONS USE CASES
• Global service
• Allows you to manage multiple AWS accounts
• The main account is the master account – you can’t change it
• Other accounts are member accounts
• Member accounts can only be part of one organization
• Consolidated Billing across all accounts - single payment method
• Pricing benefits from aggregated usage (volume discount for EC2, S3…)
• API is available to automate AWS account creation
MULTI ACCOUNT STRATEGIES
• Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-account service limits, isolated account for logging
• Multi Account vs One Account Multi VPC
• Use tagging standards for billing purposes
• Enable CloudTrail on all accounts, send logs to central S3 account
• Send CloudWatch Logs to central logging account
• Establish Cross Account Roles for Admin purposes
SERVICE CONTROL POLICIES (SCP)
• Whitelist or blacklist IAM actions
• Applied at the OU or Account level
• Does not apply to the Master Account
• SCP is applied to all the Users and Roles of the Account, including the Root user
• The SCP does not affect service-linked roles
• Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
• SCP must have an explicit Allow (does not allow anything by default)
• Use cases:
• Restrict access to certain services (for example: can’t use EMR)
• Enforce PCI compliance by explicitly disabling services
SCP EXAMPLES
BLACKLIST AND WHITELIST STRATEGIES
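The two strategies modelled in code, as an added example that is not part of the original deck: a blacklist (deny-list) SCP that keeps the AWS-managed FullAWSAccess policy and explicitly denies EMR, beside a whitelist (allow-list) SCP that replaces FullAWSAccess with a short list of allowed services. The evaluator reproduces the rules stated above: an explicit Deny always wins, an action needs an explicit Allow at every level from the root down to the account, and the master (management) account is never restricted. Policy names, the OU layout and the service list are assumptions for illustration.

```python
"""Constructed model of SCP evaluation (deny-list vs allow-list strategies)."""
from fnmatch import fnmatchcase

# AWS-managed SCP attached by default to the root, every OU and every account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Blacklist strategy: keep FullAWSAccess and explicitly deny EMR (the deck's example).
DENY_EMR = {"Statement": [{"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}]}

# Whitelist strategy: FullAWSAccess is detached and only named services are allowed
# (assumed list for illustration).
ALLOW_LIST = {"Statement": [{"Effect": "Allow",
                             "Action": ["ec2:*", "s3:*", "cloudtrail:*"],
                             "Resource": "*"}]}


def _matches(action, pattern):
    # IAM action names are case-insensitive and patterns may use '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_level_allows(policies, action):
    """Evaluate every SCP attached at one level (root, OU or account).
    An explicit Deny wins; otherwise some statement must explicitly Allow,
    because SCPs allow nothing by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(_matches(action, a) for a in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def action_permitted_by_scps(path, action, is_management_account=False):
    """`path` lists the SCP sets from the root down to the account, in order.
    The action must pass at every level; the management account is exempt."""
    if is_management_account:
        return True
    return all(scp_level_allows(level, action) for level in path)


# Assumed hierarchy: root -> OU -> account, each carrying its attached SCPs.
DENY_LIST_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_EMR], [FULL_AWS_ACCESS]]
ALLOW_LIST_PATH = [[FULL_AWS_ACCESS], [ALLOW_LIST], [FULL_AWS_ACCESS]]
```

The SCP result is only the outer boundary: a principal still needs an IAM identity policy that grants the action, and an SCP can never grant anything by itself.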
AWS ORGANIZATION – MOVING ACCOUNTS
To migrate accounts from one organization to another:
1. Remove the member account from the old organization
2. Send an invite from the new organization
3. Accept the invite to the new organization from the member account
If you want the master account of the old organization to also join the new organization, do the following:
1. Remove the member accounts from the old organization using the procedure above
2. Delete the old organization
3. Repeat the process above to invite the old master account to the new organization