Amazon AWS SysOps – AWS Account Management part 2
- AWS Organizations Hands-On
Okay, so let’s create our first organization and invite our child accounts. So I’m going to go to AWS Organizations, and for this exercise I have created a new account called Course Master, and this will be the Master account of my new AWS organization. So I’m going to create an organization, and it says okay, I’m happy to create an organization that has a single payer and centralized cost tracking, that allows me to create and invite accounts, allows me to apply policy-based controls, and also helps me simplify organization-wide management of AWS services. Alternatively, we could create an organization that only has consolidated billing features but no other features such as SCPs.
And so we don’t want that, we want to create a fully featured organization. So we’re going to click on this big blue button. Okay, so now our organization is being created, and for this you need to verify your Master account. So I’m going to go ahead to my email and verify my Master account right now. And so I have just clicked the email link and now I am on this page, which says that my email address has now been verified. So now I can invite existing AWS accounts to join our organization. So we can see right now we only have one account, and it has a star. So it is the Master account, and it’s named Course Master because that’s what I named it. And now we’re going to go ahead and click on Add accounts.
Now when we add an account we have two options. The first one is to invite an existing account to join our organization. Or the second one is to create a brand new account in this organization. So because I already have created another account in parallel, I’m going to just invite that account to join my organization. So I click on this and then I have to specify the email or account ID. So awschildaccount@stephanmerick.com, and this is the root account’s email for my child account, which is in this tab right here. And so I’m going to click on Invite and then an email should be sent out to add this account. So as we can see right now on the Invitations tab, on the right hand side, there is an open invitation and we’re good to go.
Now I just received an email, and so in my child account I’m going to go to the Organizations service, so I’m going to go to the same service, and hopefully from there I should start seeing an invitation request from my Master account. So as we can see there’s an invitation on the bottom left, right here: Invitations, one. So I’m going to click on it and it says okay, you have been invited by the Master account named in this course Course Master, with this Master account email, and the requested controls are to enable all features. So that means that on top of consolidated billing there will be a way to enable the service control policies, or SCPs. So this makes sense, I want to accept it, and I’m going to confirm that this is the organization that I want to join.
Great. So now my account belongs to this organization and we’re good to go. So if I click on Organizations now, this is the only thing I see. Now if I go to my Master account and refresh this page, you should see that we have two accounts in here: we have the Master account, which is Course Master, and we have the Child account, which is Course Child, and both these accounts are joined into the same organization. There is only one star because we only have one Master account, which is the account that manages the entire organization. So that’s the first step. And it’s great, we have allowed two accounts to be in the same organization.
But now let’s have some fun and go to Organize accounts. So in here we are able to create different OUs, or organizational units, to organize our accounts into. And so the first unit we have by default is the Root OU. So Root is on the left hand side and it is going to be the topmost OU. And so what I can do is create a new OU within Root, and I call this one maybe Dev, so we can have all the dev accounts. I’m going to have one called Test, for the test accounts, and then I can create another one called Prod for the production accounts. But it’s up to you to define the OUs you want. And so as you can see now we have Dev, Test and Prod. And maybe within Prod you can go ahead and add more OUs.
So you could have HR for the HR-related accounts, and you could also have Finance for the finance-related accounts. So we can have as many OUs as we want. And as we can see now we have an entire tree that has been created, all the way from Root to Finance. And so for each OU we’re going to have a set of accounts. So in the Root OU, right now, we have two accounts, and if I go to the Dev OU, we have zero accounts. If I go to the Test OU or the Prod OU, there will be nothing, obviously, because I haven’t moved any accounts there. So what I can do is take one of these accounts, for example the Child account, and I can move this account to the OU I want, so I can move it to Prod and then HR.
And this is where my account would go. So my Course Child is now going to be in Prod, HR, and it belongs to this specific OU, whereas my Master account, well, by default it’s good practice to leave it in the Root OU, but it is very possible for you to move your Master account anywhere you want. You can move it, for example, to Test, and this is it. Now my account is in Test, and so we are organizing the accounts based on the tree, and this is what we’ve seen before. So now what we want to do is to be able to regulate how these accounts can access different services. And so as you can see, we have one account in Test and we have one account in Prod HR. So what I’m going to do is go to Root and I’m going to enable service control policies.
And so these are SCPs, and as we can see they’re now enabled, and once they’re enabled I can attach these policies to different places in my OUs, and the permissions will be rolled down all the way to all the accounts that belong to this OU. So if we look at Root and we go to Service control policies, right now there’s one policy that’s attached and available called FullAWSAccess, and this allows all the accounts within Root, so everything underneath, to access AWS fully. And that makes sense. And you do not want to detach this policy from Root, otherwise you will lose access to everything. So you don’t touch this. But now if we go, for example, to the Prod OU, in Prod I’m able to attach a service control policy.
So if I look at Service control policies, right now there is one that’s attached and available, which is FullAWSAccess. But this one actually has been inherited from the Root. So as we can see, because the Root has had the FullAWSAccess policy created, it has then been inherited into the Prod accounts. And so again, if I go down to the HR accounts where my Course Child is, we see the same service control policy, which has been inherited from the Root. So as we can see, FullAWSAccess has been inherited from Root and Prod. Okay, this is great. So now I can create my own policy.
So once I’m here, I can see there are service control policies and tag policies. The one we’re interested in is SCPs, which are within the scope of the exam; tag policies are not within the scope. I will tell you what it is: it is if you wanted to regulate all the standardized tags that accounts can create in their accounts. So if you wanted to make sure that only a few tags would be created in all the accounts, you would create tag policies, and they could be really, really helpful as well, but not in the scope of the exam for now. So let’s go to Service control policies, and here we can create our own policy. As we can see, the first one that has been created by default is FullAWSAccess, which allows access to every operation.
So I’m going to create a policy, and this one is going to be denying access to Athena. So I’ll just call it DenyAccessAthena, and here you can create a statement. So the policy looks just like JSON, and it could be a deny or it can be an allow, depending on whether it’s a whitelist policy or a blacklist policy. And so in here, what I want to do is go to Athena. So I’m going to click on Athena and then I’m going to select all actions, and they’re going to be denied. So here we have a statement, one called Deny, Action athena:*, and Resource. Actually, I should say star. So I’m going to change this real quick. I’m going to say Resource star. And this makes sure that here we don’t allow anything on Athena.
Okay? So I’m going to create the policy. And now this DenyAccessAthena has been created, but we now have to attach it to specific accounts or OUs and see what happens. So we’re going to go to Organize accounts. And in here, in my Prod and my HR, I’m going to go ahead to my HR OU, and in my HR OU right now, I can go to Service control policies and I can go ahead and attach the DenyAccessAthena. So now any account within this OU will have the FullAWSAccess and the DenyAccessAthena service control policies. So if I click on my account in here and I look at Service control policies, as we see, we have FullAWSAccess and DenyAccessAthena, inherited from the HR OU.
So now what does that mean? If I go to my account, which is my child account right now, and I try to go to Athena. So I’m going to change region just so that the Internet is faster. So I’ll go to London and then I’m going to open up the Athena service. So Athena, let’s try to access it and see if things work. So I’m in Athena right now, and I’m going to run a query. So CREATE DATABASE test; and click on Run query. So let’s just set up a query result location. So I’ll just say, okay, we’ll just copy this as the query result. And actually this probably won’t even work. So let’s click on Save. This worked. And now click on Run query.
Okay, now we get a deny. So it says user blah blah blah root is not authorized to perform athena:StartQueryExecution with an explicit deny. And this deny actually comes from the SCP we have created before. So this account right here cannot access Athena at all because of this SCP. And so that’s it. You can have a play. Move your accounts between each organizational unit, try to attach an SCP directly at the OU level, or try to attach an SCP directly at the account level. All these things are definitely possible. And then you’ve really understood how organizations work. So that’s it for this hands-on. I hope you liked it. And I will see you in the next lecture.
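To make the inheritance behaviour from the hands-on concrete, here is an added example (my own code, not part of the course and not an AWS SDK call) that models the Root / Dev / Test / Prod / HR tree built above, the FullAWSAccess and DenyAccessAthena SCPs as the JSON the console produces, and the SCP evaluation rule: a member account gets an action only if every level from Root down to the account has an attached SCP that allows it and none that explicitly denies it. It also shows the two caveats that matter in practice: SCPs never restrict the management account, and detaching FullAWSAccess from Root cuts off everything below. NotAction, Condition and Resource matching are deliberately not modelled, and the account and OU names are the ones from the lecture.

```python
"""Offline model of SCP inheritance for the organization built in the hands-on."""
import copy
import fnmatch
import json

# The DenyAccessAthena SCP created in the lecture, as the JSON it produces.
DENY_ACCESS_ATHENA = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["athena:*"], "Resource": ["*"]}],
})

# AWS-managed FullAWSAccess. AWS attaches it by default to the Root, every OU and
# every account once SCPs are enabled, which is what the console labels "inherited".
FULL_AWS_ACCESS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}],
})

MANAGEMENT_ACCOUNT = "Course Master"  # SCPs never restrict the management account

# Tree from the lecture: Root -> {Dev, Test, Prod}, Prod -> {HR, Finance},
# Course Child moved into Prod/HR, Course Master moved into Test.
# Each node lists only the SCPs attached directly to it.
ORG_TREE = {
    "Root":          {"parent": None,   "scps": [FULL_AWS_ACCESS]},
    "Dev":           {"parent": "Root", "scps": [FULL_AWS_ACCESS]},
    "Test":          {"parent": "Root", "scps": [FULL_AWS_ACCESS]},
    "Prod":          {"parent": "Root", "scps": [FULL_AWS_ACCESS]},
    "HR":            {"parent": "Prod", "scps": [FULL_AWS_ACCESS, DENY_ACCESS_ATHENA]},
    "Finance":       {"parent": "Prod", "scps": [FULL_AWS_ACCESS]},
    "Course Child":  {"parent": "HR",   "scps": [FULL_AWS_ACCESS]},
    "Course Master": {"parent": "Test", "scps": [FULL_AWS_ACCESS]},
}


def _matches(statement, action):
    """IAM-style action match: case-insensitive, with '*' and '?' wildcards."""
    patterns = statement.get("Action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_permits(scps, action):
    """One OU or account level: any explicit Deny wins, otherwise an Allow is required."""
    allowed = False
    for policy_json in scps:
        for statement in json.loads(policy_json)["Statement"]:
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def path_from_root(tree, node):
    """Nodes from the Root OU down to `node`, inclusive."""
    path = []
    while node is not None:
        path.append(node)
        node = tree[node]["parent"]
    return path[::-1]


def action_permitted(tree, account, action):
    """Effective SCP result for an account: every level on its path must permit."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # SCPs do not apply to the management account, wherever it sits
    return all(level_permits(tree[n]["scps"], action)
               for n in path_from_root(tree, account))


def move_account(tree, account, new_parent):
    """Copy of the tree with the account re-parented, as the console's Move does."""
    moved = copy.deepcopy(tree)
    moved[account]["parent"] = new_parent
    return moved


def detach_from_root(tree, policy_json):
    """Copy of the tree with one SCP removed from Root (the thing the lecture warns against)."""
    stripped = copy.deepcopy(tree)
    stripped["Root"]["scps"] = [p for p in stripped["Root"]["scps"] if p != policy_json]
    return stripped


if __name__ == "__main__":
    # The query run from Course Child in the lecture is denied by the HR SCP...
    print(action_permitted(ORG_TREE, "Course Child", "athena:StartQueryExecution"))
    # ...while unrelated services still pass through FullAWSAccess at every level.
    print(action_permitted(ORG_TREE, "Course Child", "s3:ListAllMyBuckets"))
    # Moving the account out of Prod/HR into Dev drops the inherited deny.
    moved = move_account(ORG_TREE, "Course Child", "Dev")
    print(action_permitted(moved, "Course Child", "athena:StartQueryExecution"))
    # Detaching FullAWSAccess from Root removes the Allow every account depends on.
    print(action_permitted(detach_from_root(ORG_TREE, FULL_AWS_ACCESS), "Course Child", "s3:ListAllMyBuckets"))
```

The model is the intersection rule: an SCP attached at Prod does not grant anything to HR, it only narrows what HR can still be allowed, which is why FullAWSAccess has to be present at each level and why removing it from Root is a lock-out. SCPs also never grant permissions on their own; the account's IAM policies still have to allow the action.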
- AWS Service Catalog Overview
So let’s talk about a service that is, I think, minor for the exam but still very important for you to understand, which is the AWS Service Catalog. So basically when you are a new user you can go two ways. Either, like you, you want to learn, you take this course and you learn all about AWS and you’re an expert after this, congratulations. Or you’re new to AWS and you don’t want to learn it properly. And basically you start creating stacks that are not compliant, that are not aligned with the rest of the organization, and you don’t exactly know what you’re doing. And so basically this is too cumbersome for some users who are new to AWS, to start creating stuff on the fly. So some users just want a quick self-service portal.
So that’s what you have to remember: it’s self-service. And this self-service portal basically only allows you to launch a set of authorized products that have been predefined by administrators, and the administrator is you. And so for example, what can these products be? Well, it could be a virtual machine, but one that is properly configured with way fewer options, a database, maybe some storage option, et cetera, et cetera. And so this is where Service Catalog comes in. So Service Catalog is actually very simple. It is basically restricting the many options for users. So here’s what it looks like. As an admin we’re going to create a product, and a product is a CloudFormation template. So we’re going to create a product, but it’s called a product here.
And then we’re going to create a portfolio, which is a collection of products. So the product can be whatever you want, it could be a stack, it could be a database, it could be EC2, and we’re going to apply control. So for our users we can apply IAM permissions only allowing them to access specific portfolios. And then as a user we are presented with a product list directly on the self-service portal, and this is basically all the stuff that IAM authorizes us to do. Then we’ll see and we just choose the product we want to launch. So we’ll launch it, we’ll parameterize it, and then all of a sudden we get provisioned products which are ready to use, properly configured and properly tagged, and this is exactly what we want to target.
So for a user it’s actually very simple. We just get a product list and say okay, do you want to launch a database, an EC2 instance or maybe something else, launch it, and then here we go, it’s provisioned. But why we would do this is that we restrict for the users the amount of knowledge they need to have. They just get a product list and a few parameters and then they’ll just launch it correctly. So Service Catalog basically will allow us to create and manage catalogs of IT services that are approved internally by our organization on AWS. Basically these products are super easy to make: they’re CloudFormation templates. So you can go as crazy as you want. You can create very complex ones or very simple ones.
And for example, they can be virtual machine images, servers, software, databases, regions, IP address ranges, whatever you want. And the idea is that we use CloudFormation so we can ensure consistency and some form of standardization. Now, all these products will be assigned to portfolios, and portfolios can be directly linked to, can be seen as, a team, for example, and the teams will be presented with a self-service portal, as we’ll see in a second, where we can launch the products, and all the products will be centrally managed through this Service Catalog UI. The reason you would use this is for enhanced governance, compliance and consistency.
Now, the reason as well, as I said, is that finally our users can get access to launching products without requiring deep AWS knowledge. And there is integration with self-service portals such as ServiceNow, if you’re familiar with it. So this is the scope of Service Catalog at a high-level overview. It’s a self-service portal where we can only launch predefined services defined by admins, and you need to remember it’s self-service, and it can integrate with self-service portals such as ServiceNow, etc. So in the next lecture, I just want to show you how it works, to make things a little bit more concrete. But don’t sweat it, this is actually a very minor service for the exam.
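To show what "predefined products with way fewer options" means in practice, here is an added example (my own code, not the course's and not the Service Catalog API) that models the admin/user flow just described offline: a product is a CloudFormation template whose parameters are pinned to admin-chosen AllowedValues, a portfolio groups products, a principal only sees products in portfolios it was granted, and launching validates the user's few parameters against the template and returns a provisioned product carrying the tags the admin mandated. The product names, portfolio ids, principal names and tag keys are all constructed for the example.

```python
"""Offline model of Service Catalog's product / portfolio / launch flow."""

# Product 1: a deliberately narrow EC2 template (constructed for this example).
SMALL_EC2_PRODUCT = {
    "name": "Standard Linux VM",
    "template": {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            # The only knobs the user gets; everything else is fixed by the admin.
            "InstanceType": {"Type": "String", "Default": "t3.micro",
                             "AllowedValues": ["t3.micro", "t3.small"]},
            "Environment": {"Type": "String", "AllowedValues": ["dev", "test", "prod"]},
        },
        "Resources": {"Instance": {"Type": "AWS::EC2::Instance",
                                   "Properties": {"InstanceType": {"Ref": "InstanceType"}}}},
    },
    "mandatory_tags": {"ManagedBy": "ServiceCatalog", "CostCenter": "platform"},
}

# Product 2: a database product with a single user-facing parameter.
REPORTING_DB_PRODUCT = {
    "name": "Reporting Database",
    "template": {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"Environment": {"Type": "String", "AllowedValues": ["dev", "prod"]}},
        "Resources": {"Db": {"Type": "AWS::RDS::DBInstance",
                             "Properties": {"DBInstanceClass": "db.t3.small"}}},
    },
    "mandatory_tags": {"ManagedBy": "ServiceCatalog", "CostCenter": "analytics"},
}

# Portfolios (collections of products) and the IAM principals granted access to them.
PORTFOLIOS = {
    "dev-team": [SMALL_EC2_PRODUCT, REPORTING_DB_PRODUCT],
    "analytics-team": [REPORTING_DB_PRODUCT],
}
GRANTS = {"role/DevEngineer": ["dev-team"], "role/Analyst": ["analytics-team"]}


def product_list(principal):
    """What the self-service portal shows this principal: products in granted portfolios."""
    names = []
    for portfolio_id in GRANTS.get(principal, []):
        for product in PORTFOLIOS[portfolio_id]:
            if product["name"] not in names:
                names.append(product["name"])
    return names


def resolve_parameters(template, user_params):
    """Validate user input against the template: no unknown keys, AllowedValues enforced."""
    specs = template.get("Parameters", {})
    unknown = set(user_params) - set(specs)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    resolved = {}
    for name, spec in specs.items():
        if name in user_params:
            value = user_params[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"missing required parameter: {name}")
        if "AllowedValues" in spec and value not in spec["AllowedValues"]:
            raise ValueError(f"{name}={value!r} not in {spec['AllowedValues']}")
        resolved[name] = value
    return resolved


def launch(principal, product_name, user_params):
    """Provision a product for a principal; returns the provisioned-product record."""
    product = next((p for pf in GRANTS.get(principal, [])
                    for p in PORTFOLIOS[pf] if p["name"] == product_name), None)
    if product is None:
        raise PermissionError(f"{principal} has no portfolio containing {product_name!r}")
    params = resolve_parameters(product["template"], user_params)
    tags = dict(product["mandatory_tags"])  # admin tags always win over user input
    tags["Environment"] = params["Environment"]
    tags["LaunchedBy"] = principal
    return {"product": product_name, "parameters": params, "tags": tags}


if __name__ == "__main__":
    print(product_list("role/Analyst"))
    print(launch("role/DevEngineer", "Standard Linux VM", {"Environment": "dev"}))
```

The point of the validation is that the user never edits the template: the template's AllowedValues and Defaults are the admin's guardrail, the portfolio grant is the IAM guardrail, and the mandatory tags are applied by the launch path rather than trusted from the caller, which is what gives the "properly configured and properly tagged" result the lecture describes.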