{"id":1645,"date":"2019-01-24T23:59:43","date_gmt":"2019-01-24T23:59:43","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=1645"},"modified":"2019-01-27T12:44:08","modified_gmt":"2019-01-27T12:44:08","slug":"csap-aws-organizations","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=1645","title":{"rendered":"CSAP AWS Organizations"},"content":{"rendered":"<p><a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/08\/20\/aws-certified-solutions-architect-professional-overview\/\" rel=\"noopener\">Main Menu<\/a><\/p>\n<h1>Menu<\/h1>\n<ul>\n<li>AWS Organizations<\/li>\n<li>Creating first AWS Organization &amp; SCP<\/li>\n<\/ul>\n<h1>AWS Organizations<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249216?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249216?start=0<\/a><\/p>\n<h2>Overview<\/h2>\n<p>This was a high-level view.\u00a0 It did not dig deep into how to create policies or set up consolidated billing.<\/p>\n<p>AWS Organizations provides centralized <strong>policy-based<\/strong> management and consolidated billing for multiple AWS accounts.<\/p>\n<p>There are two primary features of AWS Organizations:<\/p>\n<ul>\n<li>Consolidated Billing Only<\/li>\n<li>All Features (Policy Restrictions)\n<ul>\n<li>Can even control the access permissions for child accounts<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Consolidated Billing<\/h2>\n<ul>\n<li>Can see total costs for each child account from the Master account.<\/li>\n<\/ul>\n<h2>Example of Policy Restrictions<\/h2>\n<ul>\n<li>The Organization (aka Master account) can deny the ability to disable CloudTrail in Account A (child account)\n<ul>\n<li>This includes Account A&#8217;s root account<\/li>\n<\/ul>\n<\/li>\n<li>The Organization can deny all S3 in Account B (child 
account)\n<ul>\n<li>Also includes the root account<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1>Creating first AWS Organization &amp; SCP<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249218?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249218?start=0<\/a><\/p>\n<p>Requirements<\/p>\n<ul>\n<li>2 AWS Accounts\n<ul>\n<li>Master<\/li>\n<li>Child<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Process<\/p>\n<ul>\n<li>Master account\n<ul>\n<li>&#8216;AWS Organizations&#8217; &gt; [ Create organization ]<\/li>\n<li>Select &#8216;<strong>Enable all features<\/strong>&#8216; or &#8216;Enable only consolidated billing&#8217; &gt; [ Create organization ]<\/li>\n<li>To add a new account to the organization, click [ Add account ]<\/li>\n<li>Select to &#8216;<strong>Invite account<\/strong>&#8216; (pre-existing) or &#8216;Create account&#8217; (brand new)\n<ul>\n<li>Email or account ID: Enter the root email address or the account id of the existing account.<\/li>\n<li>[ Invite ]\n<ul>\n<li>If your Organization is newly created it may take up to an hour (per documentation) or several hours (reality) for it to initialize before you can invite new accounts.\u00a0 &#8220;<span style=\"color: #ff0000;\">You cannot add accounts while it is initializing. 
Try again later.<\/span>&#8220;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Child account\n<ul>\n<li>&#8216;AWS Organizations&#8217;.\u00a0 You will see the invitation to join.<\/li>\n<li>[ Accept ] &gt; [ Confirm ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Confirm the join was successful<\/p>\n<ul>\n<li>Master account\n<ul>\n<li>Refresh the page and you will now see the new child account.<\/li>\n<\/ul>\n<\/li>\n<li>Child account\n<ul>\n<li>&#8216;Billing dashboard&#8217;.\u00a0 &#8220;Your account is now a member of an organization&#8221;<\/li>\n<li>In the next step, we&#8217;re going to disable S3 access on this account.\u00a0 Verify you currently have access to S3 at this time.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Adding Policies<\/p>\n<ul>\n<li>Master account\n<ul>\n<li>&#8216;AWS Organizations&#8217; &gt; Policies\n<ul>\n<li>FullAWSAccess policy is created by default<\/li>\n<li>[ Create policy ]\n<ul>\n<li>Policy name: S3Deny<\/li>\n<li>Description: &#8216;Deny all S3 Access&#8217;<\/li>\n<li>Choose overall effect: <strong>Deny<\/strong> or Allow<\/li>\n<li>Select service: Amazon S3<\/li>\n<li>Select action: All<\/li>\n<li>Click &#8216;Add statement&#8217;<\/li>\n<li>[ Create policy ]<\/li>\n<\/ul>\n<\/li>\n<li>Enable policies\n<ul>\n<li>&#8216;AWS Organizations&#8217; &gt; Organize accounts\n<ul>\n<li>Service control policies: &#8216;Enable&#8217;<\/li>\n<li>Click &#8216;Accounts&#8217; to return to the accounts screen<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Click the account to add the policy to &gt; &#8216;Service Policies&#8217;\n<ul>\n<li>S3Deny: &#8216;Attach&#8217;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Child account\n<ul>\n<li>Log back in and see if you can still access S3.\u00a0 You should see &#8220;Error Access Denied&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Main Menu Menu AWS Organizations Creating first AWS Organization &amp; SCP AWS Organizations 
https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249216?start=0 Overview This was a high level view.\u00a0 It did not dig deep into how to create policies or setup consolidated billing. AWS offers centralized policy-based management as well as the feature of consolidated billing for multiple AWS accounts through the feature ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=1645\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,38],"tags":[],"class_list":["post-1645","post","type-post","status-publish","format-standard","hentry","category-amazon-web-services-aws","category-certified-solutions-architect-professional"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1645"}],"version-history":[{"count":5,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1645\/revisions"}],"predecessor-version":[{"id":1655,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1645\/revisions\/1655"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcateg
ories&post=1645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}