Governance

Question 1

AWS Organizations

Answer 1

• allow you to apply standards to multiple accounts
• allow you to set up Service Control Policies
• programmatic creation and destroying of AWS accounts
• can combine and share reserved instances
• can set up logging accounts
• consolidated billing (the primary account pays the bill)

Question 2

Logging accounts

Answer 2

an account whose sole purpose is to set up logs

Question 3

Service Control Policies (SCPs)

Answer 3

• applied to every single resource inside an account
• can restrict access to the root account*
• can override all other policies
• they never give you permissions - they only take away permissions

Question 4

How is “Allow” different in Organizations?

Answer 4

sets boundaries for which services a person can use

- if you want to use a service that’s not in the Allow list, you can’t

Question 5

How can you ensure logs are centralized and no one can edit or delete them?

Answer 5

use Organizations and SCPs to restrict anyone from making changes to them

Question 6

How can you set up a single account to hold all your logs?

Answer 6

Use Cloud Trail to point to the logging account that is set up in your Organization

Question 7

Resource Access Manager

Answer 7

a free service that allows you to share access with other accounts

Question 8

What does Resource Access Manager allow you to share?

Answer 8

• transit gateways
• VPC subnets
• license manager
• Route 53 resolver
• Dedicated Hosts

Question 9

If you want to share resources in the same region what should you use?

Answer 9

RAM

Question 10

If you want to share resources across regions what should you use?

Answer 10

VPC Peering

Question 11

Why would you want to share resources?

Answer 11

you don’t have to duplicate architecture

Question 12

What does Cross-Account Role Access do?

Answer 12

gives you the ability to set up temporary access you can easily control

• on exam it is preferable to create cross-account roles rather than additional IAM users

Question 13

Steps to set up cross-account role access

Answer 13

1) update IAM role
2) apply policy
3) assume role

Question 14

AWS Config

Answer 14

an free inventory management and control tool

• for enforcing standards across accounts*
• allows you to show the history of your infrastructure
• allows you to create rules to make sure your architecture confirms to best practices you’ve laid out

Question 15

Benefits of Config

Answer 15

1) can query resources
2) can even see deleted infrastructure
3) rules to flag when something breaks a rule
4) can show history of who did what
5) can cross-reference a change in CloudTrail
6) can roll up results to a single region

Question 16

Config for remediation

Answer 16

• can manually or automatically rememdiate rule breaks

- uses an automation document or Lambda

Question 17

Active Directory & Directory Service

Answer 17

A fully-managed version of Active Directory

- allows you to run AD in AWS without heavy setup

Question 18

Managed Microsoft AD (flavor of AD)*

Answer 18

the entire AD suite

Question 19

AD Connector (flavor of AD)*

Answer 19

AD runs on-prem

- creates a tunnel between AWS and your On-Prem

Question 20

Simple AD

Answer 20

standalone directory powered by Linux Samba AD-compatible server

Question 21

Cost Explorer

Answer 21

• visualize cloud costs
• can be predictive and estimate upcoming costs
• use tags to track spend

Question 22

What are ways to slice/dice data in Cost Explorer?

Answer 22

• can use resource tags as a filter
• can break down on a service-by-service basis
• can break down by timeframe

Question 23

AWS Budgets

Answer 23

allows organizations to plan and set expectations and alerts when you are close to hitting your monthly allocation.

• can alert you on current or projected spend
• send alerts using SNS, email, etc.
• can kick off actions when you hit a threshold.

Question 24

4 Budget types

Answer 24

1. Cost budget
2. Usage budget
3. Reservation budget
4. Savings Plan

Question 25

Trusted Advisor

Answer 25

a fully-managed AWS auditing solution

- free but you have to pay for a support plan to get the full benefit

Question 26

Examples of Trusted Advisor scenario

Answer 26

• No MFA on the root account
• public S3 buckets
• open ports on security groups

Question 27

Things Trusted Advisor can do

Answer 27

1. Cost Optimization
2. Performance
3. Security
4. Fault Tolerance
5. Service limits (set up alarms)

Question 28

What kind of alarms can Trusted Advisor do?

Answer 28

SNS or Email

Question 29

Trusted Advisor exam tips

Answer 29

• Focus on answers that have an automation component
• the most useful checks require Business or Enterprise support plan
• trigger events with Lambda to fix things using Event Bridge (Cloud Watch Events)