04-AWS SAA-C03 Exam Guide
2 min readJan 6, 2024
AWS Organisation and Control Tower
AWS Organisation
- AWS Organisations allow you to consolidate multiple AWS Accounts into an organisation you create and manage centrally.
- Available in two feature sets:
— Consolidate Billing
— All features - Including root accounts and organisation units
- Policies are applied to root accounts or OUs
- Consolidate billing includes:
— Paying Account: Independent and can’t access resources of other accounts.
— Linked Accounts: all link accounts are independent
Consolidate Billing
- Single payment method for all the AWS accounts in the organisation
- Combined view of charges incurred by all your account
- Pricing benefits from aggregated usage
- Limit of 20 linked accounts for consolidated billing (default)
- Can help cost control through volume discounts.
- Unused reserved EC2 instances are applied across the group
- The paying account should be used for billing purposes only
Service Control Policies
- Manage the maximum available permissions
- Must have all features enabled in the Organisation
- Can be applied to accounts or OUs
- Policies can be assigned at different points in the hierarchy
- SCPs only affect IAM users and roles — not resource policies
- SCPs affect the root account in the member account
- SCPs don’t affect any action performed by the management account.
- Deny list strategy:
— Usage the FullAWSAccess SCP
— Attached to every OU and account
— Overrides the implicit deny
— Explicitly allows all permissions to flow down from the root
— Create additional SCPs to explicitly deny permission - Allow list strategy:
— FullAWSAccess SCP is removed
— No APIs are permitted anywhere unless you explicitly allow them
— Create SCPs to allow permissions
— SCPs must be attached to the target account and every OU above it including root
AWS Organisation — Migration
- Accounts can be migrated between organisations
- You must have root or IAM access to both the member and management accounts
- User AWS Organisation console for just a few accounts
- Use the AWS Organisation API or AWS CLIif there are many accounts to migrate
