Governance Flashcards
(29 cards)
AWS Organizations
- allow you to apply standards to multiple accounts
- allow you to set up Service Control Policies
- programmatic creation and destroying of AWS accounts
- can combine and share reserved instances
- can set up logging accounts
- consolidated billing (the primary account pays the bill)
Logging accounts
an account whose sole purpose is to set up logs
Service Control Policies (SCPs)
- applied to every single resource inside an account
- can restrict access to the root account*
- can override all other policies
- they never give you permissions - they only take away permissions
How is “Allow” different in Organizations?
sets boundaries for which services a person can use
- if you want to use a service that’s not in the Allow list, you can’t
How can you ensure logs are centralized and no one can edit or delete them?
use Organizations and SCPs to restrict anyone from making changes to them
How can you set up a single account to hold all your logs?
Use CloudTrail to point to the logging account that is set up in your Organization
Resource Access Manager
a free service that allows you to share access with other accounts
What does Resource Access Manager allow you to share?
- transit gateways
- VPC subnets
- License Manager
- Route 53 resolver
- Dedicated Hosts
If you want to share resources in the same region what should you use?
RAM
If you want to share resources across regions what should you use?
VPC Peering
Why would you want to share resources?
you don’t have to duplicate architecture
What does Cross-Account Role Access do?
gives you the ability to set up temporary access you can easily control
- on the exam it is preferable to create cross-account roles rather than additional IAM users
Steps to set up cross-account role access
1) update IAM role
2) apply policy
3) assume role
AWS Config
a free inventory management and control tool
- for enforcing standards across accounts*
- allows you to show the history of your infrastructure
- allows you to create rules to make sure your architecture conforms to the best practices you’ve laid out
Benefits of Config
1) can query resources
2) can even see deleted infrastructure
3) rules to flag when something breaks a rule
4) can show history of who did what
5) can cross-reference a change in CloudTrail
6) can roll up results to a single region
Config for remediation
- can manually or automatically remediate rule breaks
- uses an automation document or Lambda
Active Directory & Directory Service
A fully-managed version of Active Directory
- allows you to run AD in AWS without heavy setup
Managed Microsoft AD (flavor of AD)*
the entire AD suite
AD Connector (flavor of AD)*
AD runs on-prem
- creates a tunnel between AWS and your on-prem AD
Simple AD
a standalone directory powered by a Linux Samba AD-compatible server
Cost Explorer
- visualize cloud costs
- can be predictive and estimate upcoming costs
- use tags to track spend
What are ways to slice/dice data in Cost Explorer?
- can use resource tags as a filter
- can break down on a service-by-service basis
- can break down by timeframe
AWS Budgets
allows organizations to plan, set expectations, and receive alerts when you are close to hitting your monthly allocation.
- can alert you on current or projected spend
- send alerts using SNS, email, etc.
- can kick off actions when you hit a threshold.
4 Budget types
- Cost budget
- Usage budget
- Reservation budget
- Savings Plan