AWS Organizations
- Hierarchy: Root > management account > OUs > member accounts. An OU can contain other OUs (nesting).
- OrganizationAccountAccessRole: created automatically in every member account that is created from the organization; it allows admin actions from the management account. For accounts that are invited into the org it must be created manually.
- Feature modes:
- Consolidated billing only: single bill, volume discounts and Reserved Instance (RI) sharing. RI sharing can be turned off/on for a specific account (sharing must be enabled on both accounts); configured under Billing and Cost Management in the management (parent) account.
- All features (default): consolidated billing plus SCPs, and the ability to invite accounts into the org. Once enabled it can't be reverted.
- To migrate an account between organizations: remove it from the current org > invite it into the new org > accept the invitation.
SCP - Service Control Policy
- Defines an allowlist or blocklist of IAM actions. Applies at the OU and account level; it does not apply to the management account.
- An action must have an explicit Allow in the SCP to be permitted; anything not allowed is denied. SCPs do not affect any service-linked role.
- aws:TagKeys: condition key to validate the tag keys on a resource (or request) against an IAM policy. Use ForAllValues to require that all keys match the policy list, and ForAnyValue to match when any key does.
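The ForAllValues / ForAnyValue distinction above, as an added example that is not part of the original notes: a small Python model of how the two set operators evaluate aws:TagKeys against a request's tag keys. The SCP statement and the tag keys are constructed for illustration; the code models only the StringEquals form and is not the AWS policy engine.

```python
"""Toy model of the aws:TagKeys set operators ForAllValues and ForAnyValue.

Constructed teaching code, not the AWS policy evaluator: it models only the
StringEquals form of the two operators and ignores Action/Resource matching.
"""

# Constructed SCP statement: allow tagging only with approved tag keys.
ALLOW_APPROVED_TAG_KEYS = {
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {
        "ForAllValues:StringEquals": {
            "aws:TagKeys": ["Owner", "CostCenter", "Environment"]
        }
    },
}


def condition_matches(condition, request_tag_keys):
    """Evaluate a Condition block that uses only the two set operators on aws:TagKeys.

    ForAllValues: every key in the request must appear in the policy list; a
    request with no tag keys at all matches vacuously, as the real engine does.
    ForAnyValue: at least one request key must appear in the list; a request
    with no tag keys never matches.
    """
    request = set(request_tag_keys)
    for operator, keys in condition.items():
        allowed = set(keys["aws:TagKeys"])
        if operator == "ForAllValues:StringEquals":
            if not request <= allowed:    # some key is outside the allowlist
                return False
        elif operator == "ForAnyValue:StringEquals":
            if not (request & allowed):   # no approved key present at all
                return False
        else:
            raise ValueError(f"unsupported operator: {operator}")
    return True  # every operator in the block matched (they are ANDed)


def statement_effect(statement, request_tag_keys):
    """Return the statement's Effect when its condition matches, else None."""
    if condition_matches(statement["Condition"], request_tag_keys):
        return statement["Effect"]
    return None


if __name__ == "__main__":
    for tags in (["Owner", "CostCenter"], ["Owner", "Team"], []):
        print(tags, "->", statement_effect(ALLOW_APPROVED_TAG_KEYS, tags))
```

The empty-request case is the one to watch: ForAllValues matches vacuously, so a statement that relies on it alone still matches a request that carries no tags at all.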
- Tag policies: standardize tagging across the org.
- Backup policies: define backup plans for the org.
Service Catalog
- Pre-defined catalog of resources (CloudFormation templates) to deploy within an org.
- Admins define Products (templates), which are grouped into Portfolios; access is controlled with IAM.
- Users see the Product list.