AWS Organizations
- Global Service
- Allow to manage multiple AWS accounts
- The main account is the management account
- Other accounts are member accounts
- Can only be part of one organization
- Consolidated Billing across all accounts - single payment method
- Pricing benefits from aggregated usage
- Shared Reserved Instances and Savings Plans discounts across accounts
- API is available to automate AWS account creation
- Advantages
- Multi-account vs. one account with multiple VPCs
- Use tagging standards for billing purposes
- Enable CloudTrail on all accounts, send logs to a central S3 bucket
- Send CloudWatch Logs to central logging account
- Establish Cross Account Roles for Admin purposes
- Security: Service Control Policies (SCPs)
- Policies in IAM policy syntax, applied to OUs or accounts to restrict what users and roles in those accounts can do
- They do not apply to the management account
- An action must be explicitly allowed by the SCP to be permitted
Resource Policies & aws:PrincipalOrgID
- aws:PrincipalOrgID can be used in any resource-based policy to restrict access to accounts that are members of an AWS Organization
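An added example (not from the original notes) of an S3 bucket policy that uses aws:PrincipalOrgID; the bucket name example-central-logs and the organization ID o-exampleorgid are placeholders. The condition narrows the wildcard principal to accounts in the organization, so new member accounts get access without the policy being edited and accounts outside the organization are denied:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrgMembersReadOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-central-logs",
        "arn:aws:s3:::example-central-logs/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

The principal in the member account still needs a matching IAM allow on its own side; the bucket policy only decides which accounts the resource trusts.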
IAM Roles vs Resource Based Policies
- Cross account:
- attaching a resource-based policy to a resource
- OR using a role as a proxy
- When you assume a role, you give up your original permissions and take the permissions assigned to the role
- When using a resource-based policy, the principal doesn't have to give up their permissions
Amazon EventBridge - Security
- When a rule runs, it needs permissions on the target
- Resource-based policy
- Lambda, SNS, SQS, CloudWatch Logs, API Gateway
- IAM role
- Kinesis stream, Systems Manager Run Command, ECS task
IAM Permission Boundaries
- IAM Permission Boundaries are supported for users and roles (not groups)
- Advanced feature to use a managed policy to set the maximum permissions an IAM entity can get
- Can be used in combination with AWS Organizations SCPs
AWS IAM Identity Center
- Successor to AWS Single Sign-On
- One login for all your
- AWS accounts in AWS Organizations
- Business cloud applications
- SAML2.0-enabled applications
- EC2 Windows Instances
- Identity Providers
- Built-in identity store in IAM Identity Center
- 3rd party: Active Directory, OneLogin, Okta
- Microsoft Active Directory
- Found on any Windows Server with AD Domain Services
- Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
- Centralized security management, create account, assign permissions
- Objects are organized in trees
- A group of trees is a forest
AWS Control Tower
- Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
- AWS Control Tower uses AWS Organizations to create accounts
- Benefits
- Automate the setup of your environment in a few clicks
- Automate ongoing policy management using guardrails
- Guardrails
- Provides ongoing governance for your Control Tower environment
- Preventive Guardrail - using SCPs
- Detective Guardrail - using AWS Config
- Detect policy violations and remediate them
- Monitor compliance through an interactive dashboard