Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 1

1. Understanding AWS Organizations

Hey everyone and welcome back. In today’s video we will be discussing about AWS organizations. Now, AWS organizations is one of the service that I would really recommend that you should implement specifically when you are having multiple AWS accounts. So let’s go ahead and understand more about organizations. So AWS organization basically offers policy based management as well as the feature of consolidated billing. So there are two primary features of AWS organization. One is the consolidated billing and second is generally call as all features where you can even control the access related permissions for the child account through a central AWS organizations account. So we’ll discuss about each one of them. So let’s first discuss about these policy based controls, the policy based management of organization.

So within here you have an AWS organization. So this is basically an AWS account where the organization is running. Now from this central AWS account to the AWS account one you are setting a policy which is basically denying the disable of cloud trail. So no one from the AWS account one will be able to disable the cloud trail log, not even the root account. Now, in the second AWS account you have another policy called deny all S three. So any user on this account, AWS account too will not be able to see any feature of S three that would include the root account. So this is what the policy based restriction is all about. So let’s look into the practical aspect and I’ll give you an overview demo on how exactly it would look like.

Before we start with the practice, I just like to make sure that this central account is also referred as Master account. And these accounts where the policies have been applied, they are also referred as the child account. So in case when I speak about master and child account just I hope you understand what the master account is and what the child account is. Now, I am in my AWS organizations console. So this is the console of the Master account. Now there are two accounts which are linked over here. Within the second account, if you will see, this is the account ID. Now within the policies section, if I’ll just expand it, there are two policies which are attached. One is full AWS access and second is deny. So deny, this deny policy basically denies all the S three operations.

So basically what we have done is if we would look into the PPT, let’s assume that this is the account where we have added a deny all S three policy. So let me log into that account. So this is the account, this is the chat account and if you will see over here it is showing the master account email address and basically it is also showing the organization ID. So basically I am part of this master account organization. So if I’ll go back to the AWS console, basically I am logged in as root. So if I’ll quickly show you, if I’ll quickly go to my security credentials, you would see that I am actually logged in as a root user. So this is the root user with which I am logged in.

Now, since we through the organization, we had added an explicit S Three deny policy. Let me go ahead and open up S Three, and if you’ll see it is showing you access, then I so even with the root user, you will not be able to bypass the control policies which have been set by the AWS organization. So apart from S Three, I should be able to see all the things, but since the S Three policy is added, I’ll not be able to do that. Even the route or even the administrator user will not be able to bypass the policies which have been set by the Master AWS Organization account to the various child account. Now, the second feature, we were already discussing about this, so if I quickly go here, the next feature is the consolidated billing.

So consolidated billing, again, it can be set through the AWS Organizations. Now, I have already enabled consolidated billing, so if I quickly show you that part as well. So this is my billing dashboard. If I’ll go to the consolidated billing, it says that your account is now a member of an organization. So basically, I am already having a consolidated billing enabled. So if you quickly want to see from my Master account so this is my Master AWS Organizations account. If I’ll go to my billing dashboard and within this I’ll go to the bills. And let me just select any, just the last month, which was May, and within bills by the account, you would actually see that there are two bills for two accounts.

Now, I already have the similar name in both the accounts since both of them belong to me. However, within bill by account, you would actually see that there are two accounts that have been reflected. Now, along with that, if I quickly go to June, let me go to June and build by the account, you would see one account has $0. 0 and the second account has $0. 1. So this $0. 1, this belongs to my current account, which is my Master account. So you see 0. 1. However, the $0. 0 actually belongs to the child account. So since both of these are part of the consolidated billing family, you would actually see both of these accounts within the billing dashboard.

2. AWS Organizations – Practical

Hey everyone and welcome back. In today’s video we’ll look into how we can implement AWS organization and its associated features. So in order to implement, as we have discussed, that there will be two accounts that would be needed. So this account, which is basically running in my Firefox is will consider this as a Master account. And I have one more account which is is running in Google Chrome and we’ll consider this as a child account. So I’ll go to the support center so that we know the account number in the child account. So from the Master account, the first thing that you will need is you have to click on AWS Organizations and this will take you to the organization console.

Now within here you can go ahead and click on Create Organization and there are two features that you will get. One is enable consolidated billing only and second is enable all the features. So if you just want to have consolidated billing, this is the feature that you would select. If you want all the features which would include consolidated billing, it would also include policy based control. Then you should enable all features. So this is the feature that we will be enabling right now. So once I select this, I’ll go ahead and I’ll click on Create Organization. Perfect. So once the organization is created, you would see that this is the default account which gets added. So this is basically my current account.

So we’ll consider this as the Master account. Now for the account that we want to enable consolidated billing or even policy based features, we need to add them with the Add account button. Now within this there will be two options which will be available. One is the Invite account and second is Create an account. So since we already have an AWS account which is created, I’ll go ahead and I’ll click on Invite account. Now within this you have to put the account ID of the AWS account that you want to invite as part of the organization. Now I already have the account ID. Now one important part to remember is that if your AWS organization is newly created, it takes a certain amount of time for it to be initialized. So generally the documentation states that you should at least wait for an hour.

I have seen a lot of people who have actually waited for more than 24 hours and at the end they had to contact the support. So there were certain issues related to the initialization part of AWS organizations. So let’s just try it out. If I am able to invite right away and you see it is basically giving an error saying that you cannot add accounts to your organization while it is initializing, try again later. So we’ll have to wait for a certain amount of time. What I’ll do, I’ll try and wait for an hour and then I’ll pause the video for now and then we’ll resume it after a certain amount of time. So it has been around four to 5 hours and I already recorded four to five more videos post which we are rerecording this specific step. So now I have put the account and I have clicked on invite.

So do remember that that initialization stage will take a lot of time. All the documentation states that it will take around 1 hour. In reality it takes a lot of time but that is just one time that is needed. Anyway, so once you have sent the invite so I’ll go to my Chrome browser and from here I’ll go to AWS organizations and within the organizations you would see that I am having one invitation. This invitation is based on Enable all features. So if it is genuine you can go ahead and click on Accept and I’ll select Confirm. Perfect. So once you have confirmed, basically it will show you the organization ID. And from your Master account if you refresh the page there should be one more account that should be visible. So this is the child account that is visible within the Master organization page.

Now if you go to the child account and if you go inside the billing, let’s go to the billing dashboard and within the consolidated billing basically it should say that your account is now a member of an organization. So basically the consolidated billing has been enabled and the second thing that we were speaking about is the policies. So we had discussed on how we can control the permission of child account even if it is a root user who is logged in into the child account. So let’s go ahead and try that out. So from the Master account I’ll click on Policies and by default there is a full AWS access policy which is created. So let’s go ahead and create a custom policy.

The policy name would be S Three Denied and the overall effect that we would like is the denial. Now the service that we would be looking forward for is Amazon S Three and the actions I’ll select all and I’ll click on Add Statement. So this would basically deny all the access. So I’ll just put it deny All S Three operations so that it would become clear. I’ll go ahead and I’ll click on Create a policy perfect. So now the policy has been created. So if you go back to the accounts if you just click on an account it basically says to attach a policy you must first enable that policy type in the route. So what you’ll have to do, you’ll have to go to organize accounts, enable the service control policies perfect.

So now the service control policies have been enabled. So now once you are back to accounts now you will see that there are two policies which are present. One is full AWS access. So this is the default policy and second is S Three design. So before we actually try it out, before we attach this policy, let’s check whether we are actually being able to access the S Three service. So I’ll go to my child account, I’ll go to S Three, and currently I am able to see all the S Three buckets as usual. So basically, I am logged in as a root account, so I’ll have full permission. So now, within the organization, I’ll attach this S Three deny. So once this S Three deny policy has been attached, now the access to the S Three would be completely denied. So in order to try that out, let me open up S Three again.

And now you see, it is saying that error access denied. So this error is actually coming even though I am a route. So even a root user in the child account will not be able to perform the operation if there is a policy attached through the AWS organization. So this is a pretty interesting service. I hope you understood the power that the AWS organization has. You can do a lot of things like you can have policies which would disallow anyone to disable Cloud Trail and various others which will help you in having an overall security within the AWS environment. So this is it. About the practical lecture of AWS Organization I hope this video has been useful for you and I really hope that you will implement AWS Organization within your environment. So this is it. I hope this has been informative for you and I look forward to seeing you in the next video.

3. Organizational Unit (OU) in AWS organization

Hey everyone and welcome back. Now in today’s video we will be discussing about Ous in AWS organization. Now, we already know about the service control policies and how we can attach the SAPS to the individual A device account. So in this diagram we have a deny on disable of cloud trail which is attached to AWS account one and deny all on the S three for the AWS account too. Now, although this seems to be good, but many organizations have hundreds of AWS accounts. So in such cases you cannot go ahead and attach a specific policy to hundreds of AWS account. It will simply take a lot of time. And tomorrow if you write another SAP, you again have to attach manually to each and every AWS account.

So what you make use of is you make use of grouping. So what you do, you create a group. So you have two groups over here and you add your AWS accounts to those groups. So those groups here is called as the organizational unit. Now, in this development Ou, you see that there are three AWS accounts which are attached and in the production Ou also there are three AWS accounts which are attached. Now, whatever SCP policies that you write, you can directly attach those policies with the Ous. Now, once you attach it with the Ou, all the AWS accounts which are part of the Ou will be restricted based on the SAPS that you have attached to the Ous. All right? So that is what the organizational units are.

Now, to understand it in a better way, the first thing, so you have an AWS organization. Now you have the root Ou. So root Ou comes by default. Now within here, you go ahead and you can create multiple Ous. So you see, you have one Ou here, and to this Ou you have a set of AWS accounts. Now you can add one more Ou and you can attach more AWS accounts here. And the policy, these are the SCPs and these SCPs are attached to the Ou. You can directly attach it to the Ou. You can also attach it to the AWS accounts that we have already seen. So this is a three like structure and you can design your Ou depending upon the requirement. So let’s do one thing, let’s quickly go into the AWS organization and look into how exactly this might look like.

So I’m in my organization console, let’s go to the organized accounts here. And currently there are two accounts which are part. Now, there are no organizational unit which are custom defined here. So let’s do one thing, let’s go ahead and create a new organization unit, let’s call it as production Ou. I’ll go ahead and I’ll create this Ou, all right, now if you see over here, this production Ou is under root. Now, this is very similar to what we were discussing. You have a root Ou which comes by default and then you can have multiple custom created Ous. So you have the first custom created Ou call as production Ou. Now, inside an Ou, you can attach multiple accounts. So correctly we have this testing account here. You can select the account, you can go to move and you can select the production Ou.

All right? So now this specific account is now part of the production organizational unit. So under the production if I go, you have this specific testing account which is available now inside production. Also, you can further classify let’s call it as banking infra. All right, so this banking infra is under the production Ou. This is very similar to what we are discussing, where you have a tree like structure, where you have one Ou. In our case, this is a production Ou, and then you can also have multiple Ous like banking, payment gateway, et cetera. So this is one thing which is possible. Now, coming back to the policies here, I have multiple policies which are currently created. Now, as we were discussing in the previous diagram, we can attach the policies directly to the Ou instead of the individual AWS account.

So if I click on the policy and if you look into the organizational unit, it says that this policy is not attached with any Ou. Now, in order to attach a specific policy to an Ou, let’s go to the Ou here. Now, currently the policies are not enabled, so you can go back to the root Ou and you can enable the service control policies. Great. Once you have done that, you can go back to your specific Ou and within the service control policies, you can go ahead and attach or detach any SAP that you intend to. So let’s say I want to attach a cloud trail policy. I can go ahead and do attach. All right, so now this cloud trail policy is associated with the production Ou, and all the AWS accounts which are part of the production Ou will receive the permissions which are part of the cloud trail policy.