AWS : Solutions Architect Professional Exam — Part 1

A Quick Review to Design for Organizational Complexity

Pisit J.
Sum up As A Service
Sep 12, 2021


Part 1 : Design for Organizational Complexity (12.5% of exam)

  • Cross-Account Authentication
  • Multi-Account environment using AWS Organization
  • Network & Security

1 — You have multiple AWS accounts with multiple IAM users which launch different types of EC2 instances every day. Because most instances are untagged, it is difficult to identify the owner of these instances and verify if they are safe to terminate.

To solve this, your company has set a new protocol which requires adding a pre-defined set of tags before anyone can launch their EC2 instances.

What is the simplest way to implement this new requirement?

  • Configure AWS Organizations to group different accounts into separate Organizational Units (OU) depending on the business function.
  • Create a Service Control Policy (SCP) that restricts launching any AWS resources without a tag.
  • Apply the SCP to the OU which will automatically cascade the policy to individual member accounts.

https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-tags-restrict/
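Added example (not from the original article): a Service Control Policy that implements the tag requirement from question 1. The required tag keys `Owner` and `CostCenter` are assumed for illustration; the real set would be the company's own. JSON policy documents do not allow comments, so the assumptions are carried in the statement IDs and in this lead-in.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutOwnerTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Owner": "true"
        }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingRequiredTags",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "Owner",
            "CostCenter"
          ]
        }
      }
    }
  ]
}
```

Two details matter when writing this policy. First, `Resource` is limited to the `instance` and `volume` ARNs: `ec2:RunInstances` is also authorized against the AMI, subnet, security group and key pair, and those resources never carry `aws:RequestTag`, so an unscoped `Resource: "*"` would make the `Null` condition true for them and deny every launch, tagged or not. Second, each required tag gets its own statement, because multiple keys under one `Null` operator are ANDed and would only deny when all tags are missing. The third statement stops users from removing the tags after launch. Like every SCP, this one does not apply to the management (master) account itself, and it must be attached to the OU that holds the member accounts after the default `FullAWSAccess` SCP is left in place, since SCPs only filter permissions that identity policies already grant.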

2 — You are planning to use a third-party web application that needs to access certain AWS resources. You have to ensure that the credentials used by the third-party vendor cannot be used by any other third party. The third-party vendor has already provided you a unique customer ID and their AWS account number.

How would you fulfill this requirement?

  • Create a new IAM role for the 3rd-party vendor.
  • Add a permission policy that only allows the actions required by the third party application.
  • Add a trust policy with a Condition element for the External ID to ensure that it matches the unique customer ID from the 3rd party vendor.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
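Added example (not from the original article): the trust policy for the vendor role in question 2. The account number `111122223333` is the AWS documentation's example account ID standing in for the vendor's account, and `VENDOR-CUSTOMER-ID-PLACEHOLDER` stands in for the unique customer ID the vendor supplied; both are placeholders, not real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVendorAssumeRoleOnlyWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "VENDOR-CUSTOMER-ID-PLACEHOLDER"
        }
      }
    }
  ]
}
```

The `Principal` already limits who may assume the role to the vendor's account; the `sts:ExternalId` condition is what closes the confused-deputy gap, because the vendor must pass the external ID in the `AssumeRole` call and a request from the vendor's own account on behalf of some other customer (who does not know your ID) fails the condition. The external ID is not a secret and does not replace least privilege: the role's permissions policy should still allow only the actions the third-party application needs. The `OrganizationAccountAccessRole` in question 3 uses the same trust-policy shape, with the management account as the principal and no external ID, since that cross-account access is within one organization.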

3 — A company has multiple AWS accounts in multiple AWS regions across North America, Europe, and Asia. You were instructed to set up AWS Organizations to centrally manage policies and have full administrative control across the multiple AWS accounts of the company.

As the Solutions Architect, how can you achieve this requirement?

  • Set up AWS Organizations by sending an invitation to all member accounts of the company from the master account of your organization.
  • Create an OrganizationAccountAccessRole IAM role in the member account and grant permission to the master account to assume the role.

4 — A company has several AWS accounts that are managed using AWS Organizations. The company created only one organizational unit (OU) so all child accounts are members of the Production OU.

The Solutions Architects control access to certain AWS services using SCPs that define the restricted services. The SCPs are attached at the root of the organization so that they will be applied to all AWS accounts under the organization.

The company recently acquired a small business firm and its existing AWS account was invited to join the organization. Upon onboarding, the administrators of the small business firm cannot apply the required AWS Config rules because of the SCP restrictions.

What solution will allow the administrators to update the AWS Config rules without changing the current system?

  • Remove the SCPs on the organization’s root and apply them to the Production OU instead.
  • Create a temporary Onboarding OU that has an attached SCP allowing changes to AWS Config.
  • Add the new account to this temporary OU and make the required changes before moving it to Production OU.

Note — Any attachments of SCPs to AWS Organizations entities from before SCPs were disabled are lost and aren’t automatically recoverable, although you can manually reattach them.

AWS strongly recommends that you don’t attach SCPs to the root of your organization without thoroughly testing the impact that the policy has on accounts. Be sure that you don’t accidentally lock users out of key services.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
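Added example (not from the original article): one of the restricting SCPs from question 4, written here as a deny on the AWS Config actions that create, change or stop rules and recorders. The choice of Config as the restricted service is assumed from the scenario; the action names are the real `config:` API actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToAwsConfigInProductionOU",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:PutConfigRule",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
```

Where this document is attached is the whole answer. SCPs are evaluated down the tree and an explicit `Deny` at the root (or any ancestor OU) applies to every account beneath it and cannot be overridden by an `Allow` in a child OU's SCP. So an Onboarding OU with a permissive Config SCP does nothing while this deny still sits at the root; the deny has to be detached from the root and attached to the Production OU, leaving the root with only the default `FullAWSAccess`. A member account placed in the Onboarding OU then inherits no Config deny, its administrators can put the required rules, and moving the account into Production afterwards re-applies the restriction with no change to the existing accounts.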

5 — A company structured their AWS accounts to use AWS Organizations, which consolidates payment of their multiple AWS accounts for their various Business Units (BUs). One of the BUs has purchased 10 Reserved Instances for their new application. However, they do not want their Reserved Instance discounts to be shared by the other BUs.

What is the most suitable solution for this scenario?

Turn off the Reserved Instance (RI) sharing on the master account.

Note — For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account. By default, this means that all accounts in the organization can receive the hourly cost-benefit of Reserved Instances that are purchased by any other account.

A member account cannot turn off RI sharing for itself; only the master account can.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ri-turn-off.html
