1 00:00:00,000 --> 00:00:02,400 Now let's tackle a long section 2 00:00:02,400 --> 00:00:05,490 on Account Management, Billing and Support. 3 00:00:05,490 --> 00:00:09,030 And we will be starting with AWS Organizations. 4 00:00:09,030 --> 00:00:11,640 So it's a very simple service, it's a global service. 5 00:00:11,640 --> 00:00:14,400 And the idea is that by creating an organization 6 00:00:14,400 --> 00:00:17,960 you're able to manage multiple AWS accounts. 7 00:00:17,960 --> 00:00:20,600 The main account is going to be called the master account 8 00:00:20,600 --> 00:00:23,750 and all the other ones will be called child accounts. 9 00:00:23,750 --> 00:00:25,860 The cost benefit you get from using an organization 10 00:00:25,860 --> 00:00:28,040 is that you get consolidated billing. 11 00:00:28,040 --> 00:00:31,030 That means that all the accounts will be paid 12 00:00:31,030 --> 00:00:31,990 by just the master account. 13 00:00:31,990 --> 00:00:35,530 And so you will have one longer bill at the end. 14 00:00:35,530 --> 00:00:37,380 So you don't have to set up a payment method 15 00:00:37,380 --> 00:00:39,150 for all the other accounts. 16 00:00:39,150 --> 00:00:41,850 The other thing is that you get pricing benefits 17 00:00:41,850 --> 00:00:43,480 from aggregated usage. 18 00:00:43,480 --> 00:00:46,820 So when you use a lot of EC2, when you use a lot of S3, 19 00:00:46,820 --> 00:00:49,460 you get a discount because you've used it a lot. 20 00:00:49,460 --> 00:00:50,910 And so if you have multiple accounts, 21 00:00:50,910 --> 00:00:53,810 you could lose that volume, but with an organization, 22 00:00:53,810 --> 00:00:55,810 because the billing is consolidated, 23 00:00:55,810 --> 00:00:58,111 the aggregated usage is consolidated as well. 24 00:00:58,111 --> 00:01:00,820 And that means that you get more discounts.
25 00:01:00,820 --> 00:01:03,970 Also, if you're using reserved instances, they're shared 26 00:01:03,970 --> 00:01:05,840 across all the accounts to make sure 27 00:01:05,840 --> 00:01:07,990 that if one account does not use a reserved instance 28 00:01:07,990 --> 00:01:12,050 another one can and, again, maximize the cost savings. 29 00:01:12,050 --> 00:01:15,250 There's an API that is available to automate AWS account 30 00:01:15,250 --> 00:01:18,660 creation, to do so automatically, which is very helpful. 31 00:01:18,660 --> 00:01:21,660 For example, if you had some process to create an account 32 00:01:21,660 --> 00:01:24,520 programmatically for someone, for example 33 00:01:24,520 --> 00:01:25,850 as a sandbox account. 34 00:01:25,850 --> 00:01:27,820 And then finally you can restrict account 35 00:01:27,820 --> 00:01:31,290 privileges using a Service Control Policy, or SCP. 36 00:01:31,290 --> 00:01:33,510 And that is a common exam question. 37 00:01:33,510 --> 00:01:35,290 So all the things highlighted in bold 38 00:01:35,290 --> 00:01:37,638 in these slides are going to be common exam questions. 39 00:01:37,638 --> 00:01:40,370 And I'm gonna go a bit deeper on the organization. 40 00:01:40,370 --> 00:01:42,736 So you can have a multi-account strategy in AWS. 41 00:01:42,736 --> 00:01:44,470 That means that you wanna create the accounts, 42 00:01:44,470 --> 00:01:47,050 for example, per department, per cost center, per 43 00:01:47,050 --> 00:01:50,630 environment, for example dev, test and prod, based 44 00:01:50,630 --> 00:01:51,810 on regulatory restrictions.
45 00:01:51,810 --> 00:01:54,370 For example, if you don't want a service to be used in 46 00:01:54,370 --> 00:01:57,230 an account you can use an SCP, or if you want to isolate 47 00:01:57,230 --> 00:01:59,412 the resources better you could have different VPCs 48 00:01:59,412 --> 00:02:03,380 in different accounts, and it is also very good to have separate 49 00:02:03,380 --> 00:02:05,030 per-account service limits 50 00:02:05,030 --> 00:02:07,650 and also isolated accounts for logging. 51 00:02:07,650 --> 00:02:09,650 So all of these could be multi-account strategies; it is really 52 00:02:09,650 --> 00:02:12,400 up to each organization to choose what type 53 00:02:12,400 --> 00:02:13,760 of accounts they want. 54 00:02:13,760 --> 00:02:15,750 So the idea is that you have two options: 55 00:02:15,750 --> 00:02:18,970 you can use Multiple Accounts, or One Account and Multiple VPCs. 56 00:02:18,970 --> 00:02:20,840 That is a trade-off; I personally like 57 00:02:20,840 --> 00:02:22,210 the multi-account better. 58 00:02:22,210 --> 00:02:24,620 You can use tagging standards across all the accounts 59 00:02:24,620 --> 00:02:26,230 for billing purposes, and we'll see billing 60 00:02:26,230 --> 00:02:27,800 in depth in this section. 61 00:02:27,800 --> 00:02:30,800 And you should enable CloudTrail on all the accounts 62 00:02:30,800 --> 00:02:33,520 and send the logs to a central S3 account. 63 00:02:33,520 --> 00:02:34,964 And also, as well, for the CloudWatch Logs, 64 00:02:34,964 --> 00:02:38,158 you should send them all to a central logging account. 65 00:02:38,158 --> 00:02:40,090 So how can you organize your accounts? 66 00:02:40,090 --> 00:02:42,570 Well, you can organize them by business units, for example 67 00:02:42,570 --> 00:02:43,403 with a master account. 68 00:02:43,403 --> 00:02:46,780 And then we have the Sales OU, we have the Retail OU 69 00:02:46,780 --> 00:02:47,960 and the Finance OU.
70 00:02:47,960 --> 00:02:50,608 And within each OU, so each organizational unit, 71 00:02:50,608 --> 00:02:52,630 you will have multiple accounts. 72 00:02:52,630 --> 00:02:55,730 Or you can organize them by environment: production, 73 00:02:55,730 --> 00:02:56,940 development and test. 74 00:02:56,940 --> 00:02:59,590 Or we can have them project-based, for example 75 00:02:59,590 --> 00:03:01,390 project one, project two, project three, 76 00:03:01,390 --> 00:03:03,940 or a mix of all these things. 77 00:03:03,940 --> 00:03:05,920 Okay, so an organization looks like this. 78 00:03:05,920 --> 00:03:08,110 The Root OU contains everything. 79 00:03:08,110 --> 00:03:09,700 It contains the master account 80 00:03:09,700 --> 00:03:11,400 and then you can create different OUs. 81 00:03:11,400 --> 00:03:14,130 So the Dev OU, maybe with two accounts in it. 82 00:03:14,130 --> 00:03:15,576 The Prod OU, maybe with two accounts in it. 83 00:03:15,576 --> 00:03:18,590 And within the Prod OU you can also have different OUs. 84 00:03:18,590 --> 00:03:23,590 So a Finance OU and an HR OU with their respective accounts. 85 00:03:23,940 --> 00:03:24,972 Oh, that makes sense. 86 00:03:24,972 --> 00:03:29,390 There's something called a Service Control Policy, or SCP. 87 00:03:29,390 --> 00:03:33,240 It allows you to whitelist or blacklist IAM actions, applied 88 00:03:33,240 --> 00:03:35,340 at the OU or account level, 89 00:03:35,340 --> 00:03:37,370 but it doesn't apply to the master account. 90 00:03:37,370 --> 00:03:40,363 The SCPs have no effect on the master account. 91 00:03:41,400 --> 00:03:44,000 So the SCPs, we'll see an example very shortly. 92 00:03:44,000 --> 00:03:48,010 They can be applied to only the users and the roles 93 00:03:48,010 --> 00:03:49,720 of the accounts, including the root.
94 00:03:49,720 --> 00:03:52,270 So if you apply an SCP onto your account 95 00:03:52,270 --> 00:03:55,200 within an OU and you say you cannot use EC2, 96 00:03:55,200 --> 00:03:58,190 even an admin within an account cannot use EC2. 97 00:03:58,190 --> 00:04:01,430 But the SCP does not apply to service-linked roles. 98 00:04:01,430 --> 00:04:03,730 So these are service roles that other services 99 00:04:03,730 --> 00:04:06,220 use to integrate with Organizations. 100 00:04:06,220 --> 00:04:09,690 Okay, an SCP must have an explicit Allow to allow things. 101 00:04:09,690 --> 00:04:11,900 So by default, it does not allow anything. 102 00:04:11,900 --> 00:04:14,410 And so use cases for SCPs, and this is what the exam 103 00:04:14,410 --> 00:04:16,640 will test you on, will be to restrict access 104 00:04:16,640 --> 00:04:17,480 to certain services. 105 00:04:17,480 --> 00:04:19,629 For example, you would say, okay, in my production accounts 106 00:04:19,629 --> 00:04:23,170 you cannot use EMR, or to enforce PCI compliance 107 00:04:23,170 --> 00:04:25,910 by explicitly disabling services that are not compliant 108 00:04:25,910 --> 00:04:28,670 with PCI yet in AWS. 109 00:04:28,670 --> 00:04:30,130 So I'll try and make this a little bit clearer. 110 00:04:30,130 --> 00:04:32,100 Let's have a look at our OUs. 111 00:04:32,100 --> 00:04:34,670 So we have the Root OU with a root account, a Production OU 112 00:04:34,670 --> 00:04:36,780 with an account A in it, and with an HR OU 113 00:04:36,780 --> 00:04:39,830 with account B and a Finance OU with account C. 114 00:04:39,830 --> 00:04:43,310 So let's assume that, as you usually do this, on the Root 115 00:04:43,310 --> 00:04:46,500 OU you add an SCP called FullAWSAccess 116 00:04:46,500 --> 00:04:50,120 which says that every service and every action can be done, 117 00:04:50,120 --> 00:04:52,860 basically allowing you to use your accounts.
118 00:04:52,860 --> 00:04:57,000 But let's apply a DenyAccessAthena SCP 119 00:04:57,000 --> 00:04:59,300 onto the master account. 120 00:04:59,300 --> 00:05:03,440 Now what can the master account do or not do? 121 00:05:03,440 --> 00:05:06,170 Well, the master account can do anything because 122 00:05:06,170 --> 00:05:10,320 it inherited the FullAWSAccess SCP from the Root OU. 123 00:05:10,320 --> 00:05:13,520 And even though we have attached a DenyAccessAthena SCP 124 00:05:13,520 --> 00:05:16,880 to the master account, because it is the master account 125 00:05:16,880 --> 00:05:19,410 of your Root OU, no SCP applies. 126 00:05:19,410 --> 00:05:22,470 And therefore this SCP applied to the master account 127 00:05:22,470 --> 00:05:25,410 is completely not taken into account. 128 00:05:25,410 --> 00:05:28,540 So to summarize, we've inherited stuff from the Root OU, 129 00:05:28,540 --> 00:05:30,990 and the SCP applied to the master account 130 00:05:30,990 --> 00:05:33,630 to deny anything does not apply. 131 00:05:33,630 --> 00:05:34,600 Now, let's go on. 132 00:05:34,600 --> 00:05:38,013 We have a DenyRedshift SCP that is applied to the Prod OU. 133 00:05:38,920 --> 00:05:41,270 And an AuthorizeRedshift SCP applied 134 00:05:41,270 --> 00:05:42,690 to the account A. 135 00:05:42,690 --> 00:05:45,330 So now about account A, it can do anything because 136 00:05:45,330 --> 00:05:47,350 you have the FullAWSAccess SCP. 137 00:05:47,350 --> 00:05:49,510 But it cannot access Redshift because 138 00:05:49,510 --> 00:05:53,000 there's a DenyRedshift SCP applied to the Prod OU. 139 00:05:53,000 --> 00:05:56,530 And even though I would attach an AuthorizeRedshift SCP 140 00:05:56,530 --> 00:05:59,560 to my account A, because we have an explicit deny 141 00:05:59,560 --> 00:06:03,100 on Redshift at the OU level, the deny is going to take 142 00:06:03,100 --> 00:06:05,240 precedence over the authorize.
143 00:06:05,240 --> 00:06:07,580 So even though I have this AuthorizeRedshift SCP 144 00:06:07,580 --> 00:06:09,999 on the account A, actually that authorize is useless 145 00:06:09,999 --> 00:06:12,670 because we already have a deny at the OU level. 146 00:06:12,670 --> 00:06:13,503 So it's interesting 147 00:06:13,503 --> 00:06:15,360 for you to know that this is a full tree. 148 00:06:15,360 --> 00:06:19,160 And so account A is going to inherit the SCPs at its level, 149 00:06:19,160 --> 00:06:21,550 at the OU level and even at the root of the OUs. 150 00:06:21,550 --> 00:06:24,970 So it goes like a tree, and so if one of these says deny, 151 00:06:24,970 --> 00:06:26,388 then it's going to be a deny. 152 00:06:26,388 --> 00:06:30,420 Now let's look at the HR OU, it has a DenyAWSLambda SCP. 153 00:06:30,420 --> 00:06:32,510 And so what about account B? 154 00:06:32,510 --> 00:06:34,980 Well, it can do anything because of the full access, 155 00:06:34,980 --> 00:06:37,490 but it cannot access Redshift because it's within 156 00:06:37,490 --> 00:06:40,330 the Prod OU, the bigger OU. 157 00:06:40,330 --> 00:06:42,290 And also it cannot access AWS Lambda 158 00:06:42,290 --> 00:06:44,163 because it's within the HR OU. 159 00:06:45,160 --> 00:06:47,910 So account C though, in the Finance OU, is not affected 160 00:06:47,910 --> 00:06:50,640 by this DenyAWSLambda SCP because it only applies 161 00:06:50,640 --> 00:06:52,460 to the HR OU but not the Finance OU. 162 00:06:52,460 --> 00:06:55,090 And therefore account C has the exact same permissions 163 00:06:55,090 --> 00:06:59,243 as account A, which is to do anything but access Redshift. 164 00:06:59,243 --> 00:07:00,840 Hopefully that makes sense. 165 00:07:00,840 --> 00:07:03,020 If you understand this, you've basically understood SCPs 166 00:07:03,020 --> 00:07:04,160 and their power.
167 00:07:04,160 --> 00:07:05,850 So let's take an example of what it looks like. 168 00:07:05,850 --> 00:07:09,490 An SCP looks just like an IAM policy. 169 00:07:09,490 --> 00:07:13,270 So this is AllowAllActions, so we allow star on star. 170 00:07:13,270 --> 00:07:14,910 So with this star you can do anything. 171 00:07:14,910 --> 00:07:18,080 But DenyDynamoDB, we're saying the effect is Deny 172 00:07:18,080 --> 00:07:20,910 on dynamodb star for any resource. 173 00:07:20,910 --> 00:07:22,980 Another strategy would be to whitelist 174 00:07:22,980 --> 00:07:24,660 only a certain type of services. 175 00:07:24,660 --> 00:07:27,360 So we're saying allow ec2 star and cloudwatch star 176 00:07:27,360 --> 00:07:28,790 on resource star. 177 00:07:28,790 --> 00:07:31,140 But any other service but EC2 and CloudWatch 178 00:07:31,140 --> 00:07:32,500 cannot be used. 179 00:07:32,500 --> 00:07:33,678 If you don't know exactly what this means 180 00:07:33,678 --> 00:07:35,620 or you want more examples, there's a link right 181 00:07:35,620 --> 00:07:37,230 here that takes you to the documentation 182 00:07:37,230 --> 00:07:41,050 and shows you different OUs and SCPs you can have. 183 00:07:41,050 --> 00:07:43,187 So that's it for Organizations, I hope you liked it. 184 00:07:43,187 --> 00:07:45,890 And in the next lecture I'm going to do an optional 185 00:07:45,890 --> 00:07:48,320 walk-through of Organizations, it's a bit more complicated. 186 00:07:48,320 --> 00:07:51,310 So I would just recommend, if you want to, to just watch 187 00:07:51,310 --> 00:07:54,580 me do it and see how I use Organizations to demonstrate 188 00:07:54,580 --> 00:07:56,670 the creation of accounts and to demonstrate 189 00:07:56,670 --> 00:07:58,209 as well the use of SCPs. 190 00:07:58,209 --> 00:08:00,040 So I hope you liked this and I will see 191 00:08:00,040 --> 00:08:02,030 you in the next lecture.
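The SCP inheritance walk-through above (Root with FullAWSAccess, a DenyAccessAthena SCP on the master account, DenyRedshift on the Prod OU, AuthorizeRedshift on account A, DenyAWSLambda on the HR OU, accounts B and C) and the allow-list example at the end can be checked mechanically. The evaluator below is an added example; it is not part of the lecture and is not AWS code. It models the documented SCP rules: an action is available in a member account only if every level on the path from the organization root down to the account carries an explicit Allow for it and no level carries an explicit Deny; the management (master) account and service-linked roles are never restricted; and FullAWSAccess is attached to every root, OU and account by default, which is the detail that makes "account A can do anything except Redshift" come out as the lecture says. The OU tree and SCP names are the lecture's; the policy JSON is constructed to match how they are described, and the Dev OU with a Sandbox account using the ec2/cloudwatch allow-list is an assumed addition that generalizes the lecture's last slide. Only the SCP gate is modelled; a principal still needs an IAM Allow on top of it.

```python
"""Added example: evaluate AWS Organizations SCP inheritance for the lecture's OU tree."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Union


def scp(sid: str, effect: str, action: Union[str, List[str]]) -> Dict:
    """Build a one-statement SCP document; the shape is the same as an IAM policy."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": effect,
                           "Action": action, "Resource": "*"}]}


# Constructed to match the lecture's description of each SCP.
FULL_AWS_ACCESS = scp("FullAWSAccess", "Allow", "*")
DENY_ACCESS_ATHENA = scp("DenyAccessAthena", "Deny", "athena:*")
DENY_REDSHIFT = scp("DenyRedshift", "Deny", "redshift:*")
AUTHORIZE_REDSHIFT = scp("AuthorizeRedshift", "Allow", "redshift:*")
DENY_AWS_LAMBDA = scp("DenyAWSLambda", "Deny", "lambda:*")
# Allow-list strategy from the last slide: only EC2 and CloudWatch.
ALLOW_EC2_CLOUDWATCH = scp("AllowEC2CloudWatch", "Allow", ["ec2:*", "cloudwatch:*"])


class Node:
    """A root, OU or account; `policies` holds the SCPs attached directly to it."""

    def __init__(self, name: str, parent: Optional["Node"] = None,
                 policies: Optional[List[Dict]] = None, keep_full_access: bool = True):
        self.name, self.parent = name, parent
        # AWS attaches FullAWSAccess to every new OU/account by default.
        # An allow-list OU detaches it and attaches a narrower Allow instead.
        self.policies = ([FULL_AWS_ACCESS] if keep_full_access else []) + (policies or [])

    def path_from_root(self) -> List["Node"]:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def _action_matches(pattern: Union[str, List[str]], action: str) -> bool:
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_effect(node: Node, action: str) -> str:
    """Evaluate only the SCPs attached at one level: Deny beats Allow beats implicit deny."""
    allowed = False
    for policy in node.policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scp_permits(account: Node, action: str, *, management_account: bool = False,
                service_linked_role: bool = False) -> bool:
    """True if SCPs leave `action` available to principals in `account` (IAM is still checked separately)."""
    if management_account or service_linked_role:
        return True  # SCPs never restrict the management account or service-linked roles
    # Every level root -> OU -> ... -> account must say Allow, and none may say Deny.
    return all(level_effect(n, action) == "Allow" for n in account.path_from_root())


def build_lecture_tree() -> Dict[str, Node]:
    root = Node("Root")
    master = Node("Management", root, [DENY_ACCESS_ATHENA])
    prod = Node("Prod OU", root, [DENY_REDSHIFT])
    account_a = Node("Account A", prod, [AUTHORIZE_REDSHIFT])
    hr = Node("HR OU", prod, [DENY_AWS_LAMBDA])
    account_b = Node("Account B", hr)
    finance = Node("Finance OU", prod)
    account_c = Node("Account C", finance)
    # Assumed addition (not in the lecture's diagram): an allow-list Dev OU.
    dev = Node("Dev OU", root, [ALLOW_EC2_CLOUDWATCH], keep_full_access=False)
    sandbox = Node("Sandbox", dev)
    return {n.name: n for n in (root, master, prod, account_a, hr, account_b,
                                finance, account_c, dev, sandbox)}


if __name__ == "__main__":
    tree = build_lecture_tree()
    for acct, action in [("Account A", "redshift:CreateCluster"), ("Account A", "lambda:InvokeFunction"),
                         ("Account B", "lambda:InvokeFunction"), ("Account C", "lambda:InvokeFunction"),
                         ("Sandbox", "ec2:RunInstances"), ("Sandbox", "s3:GetObject")]:
        verdict = "allowed" if scp_permits(tree[acct], action) else "blocked by SCP"
        print(f"{acct:<10} {action:<24} {verdict}")
    print("Management athena (exempt):", scp_permits(tree["Management"], "athena:StartQueryExecution",
                                                   management_account=True))
```

Two things the tree makes visible that the slides only state: account A's AuthorizeRedshift is dead weight because the Prod OU's Deny short-circuits the walk, and the Sandbox account loses s3:GetObject even though Root still allows `*`, because the allow-list Dev OU supplies no Allow for it at its level. Running the same check on the Management node with `management_account=False` shows the DenyAccessAthena SCP would bite if the exemption did not exist, which is exactly why you protect the management account with IAM and MFA rather than with SCPs.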