Flashcards in AWS Account Management Deck (50)
What is a standard AWS account?
A standalone AWS account with no linked accounts and no parent account relationships.
How many master accounts can there be per AWS Organization?
How do you create a master account?
You convert a standard account to a master account.
Once you have a master account, what are the other accounts known as which are linked to the master account?
What is the account structure of accounts in an AWS Organization?
What is the root container, when is one created, and how many can there be?
- The root container contains, directly or indirectly, all accounts below it.
- It's created when your AWS Organization is created.
- There can only be one root container.
What happens when a policy is applied to the root container?
The policy is propagated to all OUs and member accounts contained by root.
What is an Organizational Unit? Why is it useful?
- An OU allows you to group multiple accounts under it.
- It's useful because, much like the root container, attaching policies at the OU level allows those policies to propagate to all member accounts contained by it.
What two entities can OUs contain?
- Member accounts
- Other OUs.
What two modes can AWS Organizations operate in?
- Consolidated billing
- All features
What is the default mode for AWS Organizations?
What does Consolidated Billing mode allow? What other aspects of AWS Organizations functionality are available with Consolidated Billing?
Consolidated billing _only_ allows for all bills to trickle up to the master (payer) account, which therefore generates only one bill per month. No other functionality is available.
How do AWS Organizations and AWS volume discounts interact?
With AWS Organizations, the usage of all accounts under the master account is considered for volume discounts. This makes volume discounts much easier to trigger.
What does All Features mode add to Consolidated Billing mode?
All Features allows service control policies at the Root and OU level to propagate downwards.
There are two ways to bring an account into an AWS Organization. What are they?
- Invite account, or
- Create account.
What steps are required for a master account to gain access to a member account after the member account has been added to the Organization?
None. An IAM Role is created to provide full admin access to the member account.
What's the best way to access a member account from a master account? What information is needed?
Use the switch role functionality for Organizations at the master account. You'll need the account number and the Role name which was created when the account joined the Organization (as well as providing a name alias and color for your reference).
What is the effect of a service control policy (SCP) on the master account in an Organization?
- It DOES NOT affect the master account, but
- It DOES trickle down to child accounts.
Best practice for using the master account involves the usage of specific services, users, and billing. What is that best practice?
- NO services.
- Centralized billing.
- User store.
Service Control Policies (SCPs) restrict access to IAM users on child accounts. Do they restrict access to root users on child accounts?
What's the best way to think of the interaction of multiple SCPs?
Overlays. Only the permissions common to all engaged SCPs will be effective for the member account in question.
What are the four support plans available for AWS accounts?
Basic, Developer, Business, and Enterprise.
Which support plans provide access to the full set of Trusted Advisor checks?
Business and Enterprise only.
How many Trusted Advisor checks does the Developer support plan provide access to?
During what times, via which media, and with how many customer-side contacts, can AWS account owners looking for support under the Developer plan request support?
- Business hours only.
- Email contacts only.
- One (a primary contact only).
During what times, via which media, and with how many customer-side contacts, can AWS account owners looking for support under the Business or Enterprise plan request support?
- 24/7 contacts.
- Email, phone, and chat.
- Unlimited contacts.
What kind of architectural guidance is available to AWS account holders:
- on the developer plan?
- on the business plan?
- on the enterprise plan?
- General guidance only.
- Contextual to your use cases
- Consultative review and guidance based on applications
Which AWS support levels provide programmatic access to the AWS Support API?
Business and Enterprise.
What proactive support programs do Business support members have access to?
Paid access to Infrastructure Event Management (IEMs)
What proactive support programs do Enterprise support members have access to?
IEMs, WARs, Operational Reviews, TAMs to coordinate access to SMEs.
Which support plan comes with access to a dedicated technical account manager?
What are the monthly minimum price points for Developer, Business, and Enterprise support plans?
- Developer: $29/mo
- Business: $100/mo
- Enterprise: $15,000/mo
What does AWS Config do, at a high level?
Tracks the configuration of resources (and changes to those configurations over time) within an AWS account.
What two main functions does AWS Config perform?
- Monitors configuration and drift of resources over time
- Checks resources against compliance requirements
Is AWS Config a global service?
How can AWS Config be configured?
What AWS tool can be used to evaluate changes over time to an AWS resource?
What does an AWS Config Rule do?
It allows AWS Config to evaluate the current state of any given AWS resource and determine whether that resource is in compliance with the Rule.
What does AWS Service Catalog do, and what functionality does it provide?
AWS SC allows you to implement an IT service catalog within AWS. It provides a curated list of all the services a department can provide to an end user.
What customer demographic is AWS Service Catalog aimed at?
How does AWS Service Catalog allow you to describe available services to end users?
- Items in the catalog
- Steps necessary
- Cost to the end user
- SLR to perform the requested service
What is a Product in the AWS Service Catalog?
It's the 'thing' that you want an end user to be able to request from your organization.
What is a Portfolio in the AWS Service Catalog?
A collection of Service Catalog Products which are available to end users.
What's the minimum number of Products allowed in an AWS Service Catalog Portfolio?
What functionality does an AWS Service Catalog Portfolio provide?
- Lists products
- Defines permissions
- Defines constraints
- Allows end users to launch products
How does the AWS Service Catalog allow an end user to provision a Product?
- User selects the product in the portfolio
- Admin's CloudFormation template is used to build the stack
- Stack is assigned a Role giving it permissions to build all assets on behalf of the end user inside the AWS account.
How can end users gain access to an AWS Service Catalog Portfolio?
By Group, User, or Role, or by sharing with other AWS accounts.
What four Constraint types are available to AWS Service Catalog portfolios? What is the effect of each?
- Launch: assign an IAM role to the product when it launches.
- Notification: Allows the product to stream notifications to an SNS topic.
- Template: Limits the options available to an end-user after launching the product.
- StackSet: Configure deployment options across accounts and regions.
Is Service Catalog a global, per-region, or per-AZ service?