Amazon AWS Certified SysOps Administrator Associate – AWS Account Management Part 3

  1. AWS Organizations for SysOps

So, just a little bit of extra information regarding Organizations for the SysOps exam. First of all, you can enable what's called Reserved Instance sharing in your organization. That means that all the accounts of your organization will have access to all the Reserved Instances, so any account can use any other account's RIs. This is obviously for cost saving, but you may want to disable that for any specific account, including the payer account, in which case the Reserved Instances, or even your Savings Plans, will not be shared across accounts.

Okay, so this is a setting to note: you have to turn it on or off, and for the RI or Savings Plan discounts to be shared between two accounts, they must both have sharing turned on. The second thing is that, using Organizations, you can use a specific condition in your IAM policies called aws:PrincipalOrgID to allow access from any IAM principal in all the accounts of your organization. So say you have an organization with a management account and two member accounts with different IAM users. If you set up an S3 bucket and, in the bucket policy, you use the aws:PrincipalOrgID condition, then you're automatically giving access to any user or any role within your organization to this S3 bucket.
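As an added example (not part of the lecture), here is what such a bucket policy looks like. The bucket name `example-org-shared-bucket` and the organization ID `o-exampleorgid` are placeholders; the real organization ID is the one shown in the Organizations console for your own organization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadWriteFromAnyPrincipalInTheOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-org-shared-bucket/*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-exampleorgid" }
      }
    }
  ]
}
```

`"Principal": "*"` looks broad, but the condition restricts the statement to requests signed by a principal that belongs to the organization: the `aws:PrincipalOrgID` key is only present for such requests, so anonymous requests and principals from accounts outside the organization never match. Remember that the policy only grants access; an IAM user or role in a member account still needs its own identity-based permission for `s3:GetObject`/`s3:PutObject` on this bucket.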

So it's a good way for you to not have to specify every individual account, but instead reference only the organization that your accounts belong to. Finally, you can implement tag policies for your accounts. So this is a different kind of policy: we've seen that there are service control policies, but there are also tag policies, and these are to enforce tagging in your accounts.

So this is to standardize all the tags, and the goal is to audit tagged resources and maintain proper resource categorization, so you define the tag keys and their allowed values. And obviously, if you have cost allocation tags enabled, or if you do attribute-based access control, then this can be very helpful. And then, regarding non-compliance of your tags, it's possible for you to generate a list that will show you all the non-compliant resources, and you can use CloudWatch Events as well to monitor non-compliant tags if you need to. So that's it for Organizations. I hope you liked it and I will see you in the next lecture.
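As an added example (not from the lecture), this is the shape of a tag policy that defines two tag keys and their allowed values. The keys `CostCenter` and `Environment`, the value lists and the resource types are constructed for illustration.

```json
{
  "tags": {
    "CostCenter": {
      "tag_key": { "@@assign": "CostCenter" },
      "tag_value": { "@@assign": ["Finance", "Engineering", "Marketing"] },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume", "s3:bucket"] }
    },
    "Environment": {
      "tag_key": { "@@assign": "Environment" },
      "tag_value": { "@@assign": ["prod", "staging", "dev"] }
    }
  }
}
```

`tag_key` fixes the capitalization of the key (so `costcenter` on a resource is reported as non-compliant), and `tag_value` lists the only values accepted for it. Without `enforced_for`, a tag policy is report-only: resources with the wrong key or value show up in the non-compliance report but nothing is blocked. With `enforced_for`, tagging operations that would create a non-compliant tag on the listed resource types are rejected, although already-tagged resources are not changed, so the compliance report is still the way to find existing problems.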

  2. [CCP] AWS Control Tower Overview

Now let's talk about AWS Control Tower. So it is for you an easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices. So instead of doing everything manually, creating your organization and so on, and then applying security practices, with Control Tower you can, with a few clicks, create a multi-account AWS environment. The benefit is that you can automate the setup of your environment in a few clicks.

You can automate ongoing policy management using guardrails. You can detect policy violations and remediate them. You can monitor compliance through an interactive dashboard. And Control Tower is running on top of Organizations. That means that it will automatically set up Organizations for you to organize the accounts, and it will implement SCPs, service control policies, to make sure that the guardrails are operating effectively. I will see you in the next lecture for a demo of Control Tower.

  3. [CCP] AWS Control Tower Hands On

Okay, so let's talk about Control Tower. Control Tower is a way to set up a multi-account AWS environment with best practices, so there's going to be an automated setup, we're going to have policy management, and a dashboard for visibility. You don't pay for Control Tower, but you're going to pay, obviously, for all the accounts and services that are enabled by Control Tower. So let's go ahead and set up our landing zone. A landing zone is a way to have multiple accounts. So there are shared accounts, and there are three accounts that are set up according to Control Tower best practices. We're going to have a master account, which uses the account email that you have right now, and creates the settings. And by the way, you don't have to follow along with this hands-on, because it's going to create a lot of things that you probably don't need, but I will do it just to demo it to you. Then we have a log archive account. This is an account dedicated to receiving logs, and it is a security best practice to separate your master account and your log archive account.

And then an audit account. So I'm just creating different accounts for Control Tower, and then for service permissions, we can learn more about permissions right here, and you can learn more about the guidance. The guidance is how you should manage your accounts once you've enabled Control Tower. So I'm not going to read this out to you, but if you do intend to use Control Tower in your enterprise, please read this guidance, because it provides very strong guidance around what you can and cannot do, or what you should and shouldn't do. And then, when you're happy, you say, yes, I'm happy, and I set up my landing zone. This is going to go ahead and set up all these different accounts on top of your organization to get you started with Control Tower.

So as you can see, the setup is going to take about 60 minutes, so it's going to take a long time. It's going to set up two OUs, three shared accounts, a native cloud directory with preconfigured groups and single sign-on access, and 20 preventive guardrails to enforce policies and two detective guardrails to detect configuration violations. So a lot of things are being set up. I'm just going to wait a little bit until this is done.

Okay, so my landing zone is now available and it has set up the following: two organizational units, three shared accounts, with the master account and isolated accounts for log archive and security audits. There's a native cloud directory with single sign-on access, and I'll show you this in a second. And then 20 preventive guardrails to enforce policies and two detective guardrails to detect configuration violations. So a lot of things were created using Control Tower.

And if I go to Organizations right now, I can show you right away what was created. So as we can see here, we have the three accounts already in my organization. And if I look at how the accounts are organized, we see there's a Custom and a Core organizational unit. So in Core we have the audit and log archive accounts, and in Custom we currently have no accounts. Okay, but we shouldn't manage the accounts through Organizations; we should always manage the accounts through Control Tower.

And so here are some recommended actions: add or register an OU, configure your account factory, enable more guardrails, review users and access, and then review shared accounts. So a lot of things are happening here. In this dashboard we also get access to non-compliant resources based on the rules that we have defined. We get some information around the registered OUs that have been created and whether or not they are compliant. That's perfect. As well as all the enrolled accounts. And for the guardrails, we can view all the guardrails right here by clicking on View Guardrails. And so here we get the information around all the rules that are enforced on OUs. For example, disallow deletion of the log archive. Obviously that makes a lot of sense.

Disallow public read access to the log archive, and so on. Disallow configuration changes to CloudTrail. All these kinds of things are excellent to have and are set up by Control Tower according to best practices. Okay, you could always create accounts right here, so you can see all the accounts here, and then under OUs you can go to your OU and add an OU if you wanted to. And here are the guardrails. The account factory is how you enroll accounts into your Control Tower, which is great. Users and access: this is how you manage user access to your whole set of accounts.

So we have single sign-on right here, and there is a user portal URL right here. The way to handle user identity management right now is with Single Sign-On, a service by AWS. Shared accounts are here, landing zone settings, and so on. So as we can see, this is a full management suite for multiple accounts. And so if we go into the SSO portal, as you can see here, there's a sign-in button and then there's a password that I have to enter. So I'll just use the password that I have right here, that I created before, and I sign in. And now I'm in my SSO portal and I'm able to log into any of my three AWS accounts. So we have the Audit account, the Log Archive account, and the Stefan CCP account, directly accessible from this UI.

So for example, if I want to go to the Audit account, I can click here to go into the management console of this audit account, or click here to get command line or programmatic access. So this is really, really neat. And here we go, I am in my Audit account right now. So it really shows you the power of Control Tower. It's not something that you would do on your own, obviously. And now that I've moved away from my account, I need to rebuild my screen, but this is to show you that, yeah, it's quite handy, I would say. So I'm just going to log back into my CCP account. It's quite handy to use Control Tower in your account to set up multiple accounts according to best practices and manage them from there. So if you are an organization that wants to have a multi-account best-practice setup, then please use Control Tower. Okay, that's it. I hope you liked this lecture and I will see you in the next lecture.
