Week 8 - Day 5: AWS Organizations Basics

Learning objectives

  • Understand AWS Organizations and multi-account setup
  • Master the OU (Organizational Unit) structure
  • Understand basic Service Control Policies (SCPs)
  • Distinguish Consolidated Billing from Volume Discounts

1. Organizations overview

AWS Organizations = service for managing multiple AWS accounts centrally.

Characteristics

  • Free service
  • Hierarchical: Root → OUs → Accounts
  • Consolidated billing: one bill for all accounts
  • Volume discounts: usage is aggregated across accounts for discount tiers
  • SCPs limit permissions across accounts
  • Service integration: CloudTrail, Config, SSO, Backup, etc.

Why use Organizations

  • Isolation: separate dev, staging, prod
  • Billing: aggregate cost, get volume discounts
  • Security: limit blast radius (1 account compromised ≠ all compromised)
  • Compliance: separate compliance scopes (PCI account)
  • Team autonomy: each team owns account

2. Components

Root (top-level)
├── OU: Production
│   ├── Account: Prod-App-1
│   └── Account: Prod-App-2
├── OU: Development
│   ├── Account: Dev-1
│   └── Account: Dev-2
└── OU: Security
    └── Account: Audit-Account

Management Account (formerly Master)

  • Creates organization
  • Pays bill for all member accounts
  • Cannot have SCPs apply to it (always full permissions)
  • Should be used only for org management (no workloads)

Member Accounts

  • Created within organization (or invited from existing)
  • Receive consolidated billing
  • SCPs apply

Organizational Unit (OU)

  • Logical group of accounts
  • Up to 5 levels of nesting
  • Apply policies (SCP, tag policies) at OU level

3. Account Lifecycle

Create new account

  • Console: "Add account" → AWS creates new account in org
  • Email + name required
  • IAM role OrganizationAccountAccessRole created (assumable from management)

Invite existing account

  • Send invitation to existing account
  • Account owner accepts
  • Joins organization (still owned by original owner)

Remove account

  • Account leaves organization
  • Must have own payment method
  • Some accounts created in the console must wait 7 days before they can be removed

Close account

  • Suspend account, delete resources after 90 days
  • Cannot reopen

4. Service Control Policies (SCPs)

Definition

SCP = policy that limits maximum permissions for IAM users/roles in accounts.

Characteristics

  • Whitelist or blacklist style
  • Do NOT grant permissions (they only limit)
  • Apply at the Root, an OU, or an Account
  • Inheritance: child OUs inherit the parent's SCPs
  • Do NOT apply to the management account
  • Do NOT apply to service-linked roles

Default SCP

  • FullAWSAccess: allow everything (default attached)
  • Can detach and attach more restrictive

Effective permissions

Effective permission = IAM identity policy ∩ SCP
                    = What both allow

Common SCPs

Deny specific regions

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-west-2"]
      }
    }
  }]
}

Note: as written this also applies to global services, whose API calls are recorded against a single region. AWS's documented version of this SCP adds a NotAction list that exempts them (IAM, STS, Organizations, CloudFront, Route 53, Support, etc.) so they keep working whatever regions are listed.

Prevent IAM user creation (force IAM Identity Center)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
    "Resource": "*"
  }]
}

Prevent leaving organization

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "organizations:LeaveOrganization",
    "Resource": "*"
  }]
}

Force MFA

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
    }
  }]
}

Caveat: BoolIfExists treats a missing key as a match, and roles used by services and automation (Lambda, EC2 instance profiles, CI/CD pipelines) never carry aws:MultiFactorAuthPresent, so attached as-is this SCP denies all of that automation too. In practice the deny is scoped to specific sensitive actions or to human principals.
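To see how the rule "Effective permission = IAM identity policy ∩ SCP" plays out with the policies above, here is an added, constructed Python evaluator (teaching code, not an AWS library and not part of the lesson). It models only Effect, Action and the two condition operators used on this page, ignores Resource, and treats all attached SCPs as one level of the hierarchy; the identity policies and request contexts are constructed for the demonstration.

```python
import fnmatch

# SCP documents copied from the lesson; FullAWSAccess is the AWS-managed default SCP.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_REGIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]}
FORCE_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
# Constructed IAM identity policy for the member-account principal under test.
ADMIN_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _condition_ok(cond, ctx):
    """True when every key in the Condition block matches the request context (ctx)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if op == "StringNotEquals" and actual in expected:
                return False
            # BoolIfExists: an absent key matches, so "Force MFA" also denies service roles (no MFA key).
            if op == "BoolIfExists" and actual is not None and str(actual).lower() not in expected:
                return False
            if op not in ("StringNotEquals", "BoolIfExists"): raise ValueError(f"{op} not modelled")
    return True

def evaluate(policy, action, ctx):
    """'Deny' if a matching statement denies, 'Allow' if one allows, None = implicit deny (Resource ignored)."""
    verdict = None
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            if st["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def is_allowed(action, ctx, identity_policy, scps):
    """Effective permission = identity policy AND SCPs: the identity policy must allow, no SCP
    may deny, and some SCP must allow (SCPs never grant). All SCPs are treated as one level."""
    if evaluate(identity_policy, action, ctx) != "Allow":
        return False
    verdicts = [evaluate(scp, action, ctx) for scp in scps]
    return "Deny" not in verdicts and "Allow" in verdicts
```

Detaching FullAWSAccess without attaching a replacement (an empty SCP list) denies everything, and a principal with no MFA key in its context is denied by the Force MFA policy even though its identity policy is full admin.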

5. Consolidated Billing

Benefits

  • 1 invoice for entire organization
  • Volume discounts: aggregate usage across accounts
  • Reserved Instance sharing: RIs in 1 account benefit other accounts (configurable)
  • Savings Plans sharing: similar

Example

  • Account A uses 100 EC2 hours, Account B uses 200 hours
  • Together = 300 hours → may qualify for next pricing tier discount

6. AWS Account Best Practices

Standard account structure

  1. Management Account (root): only org management
  2. Log Archive Account: centralized CloudTrail + Config logs
  3. Security Account: GuardDuty, Security Hub delegated admin
  4. Shared Services Account: AWS SSO, DNS, central networking
  5. Production OU: production workloads
  6. Non-Production OU: dev/test
  7. Sandbox OU: experimentation

Landing Zone

  • AWS-managed solution: Control Tower
  • Auto-setup standard org structure
  • Guardrails (preventive + detective)
  • Account Vending (template-based new account creation)

7. AWS Control Tower

Definition

Control Tower = managed service that implements landing zone best practices.

Features

  • Account Factory: vending machine for new accounts
  • Pre-built guardrails (SCPs + Config rules)
  • CloudTrail + Config centralized
  • Service Catalog for self-service
  • Free (resources used charged normally)

Guardrails

  • Preventive (SCP-based): "Don't allow public S3 buckets"
  • Detective (Config-based): "Flag if RDS not encrypted"

Use case

  • Multi-account setup with best practices
  • Compliance baseline
  • Standardize new account provisioning

8. AWS RAM (Resource Access Manager)

Definition

RAM = service for sharing AWS resources across accounts (or within an Organization).

Shareable resources

  • VPC subnets (VPC Sharing)
  • Transit Gateway
  • Route 53 Resolver Rules
  • License Manager configurations
  • AWS Glue Data Catalog
  • ACM Private CA
  • Aurora DB Cluster, Lake Formation databases, etc.

Use case

  • Centralized networking (1 account owns VPC, other accounts use subnets)
  • Share AMIs, software licenses
  • Cross-account database access

Sharing models

  • Within Organization: easier setup (auto-trust)
  • Cross-account standalone: invitation-based

9. Cross-Account Access Patterns

Pattern 1: Centralized logging

Management Account ──► Organization Trail ──► S3 in Log Archive Account (all member accounts' CloudTrail logs)

Pattern 2: Centralized security

Security Account = GuardDuty delegated admin
                   Security Hub aggregator
Members ──► Findings flow to Security Account

Pattern 3: Shared networking

Network Account owns VPC + Transit Gateway
Other accounts share subnets via RAM
Single point of egress, route control

Pattern 4: Cross-account workload

App Account (dev) ──► Assume role in Prod Account ──► Deploy resources

10. SCPs Best Practices

Strategy: Default-Allow vs Default-Deny

  • Default-Allow (most common): Start with FullAWSAccess, add specific deny rules
  • Default-Deny: Start empty, add specific allow rules (more restrictive)

Common SCP rules

  • Deny disabling CloudTrail
  • Deny deleting Organizations Config
  • Deny IAM user creation (use SSO)
  • Deny root user access keys
  • Restrict regions
  • Force encryption on EBS, S3
  • Prevent leaving organization

Test SCPs in sandbox

  • Test in non-prod OU first
  • There is no dry-run or "count" mode: SCPs take effect immediately, so validate them in a test OU

11. Tag Policies

Definition

Tag Policies = enforce tagging standards across accounts.

Characteristics

  • Defines required tag keys + valid values
  • Compliance check (not enforcement by default)
  • Combined with SCPs to enforce (deny if not tagged)

Use case

  • Cost allocation (require CostCenter tag)
  • Resource organization
  • Compliance audit

Review questions

  1. Do SCPs grant permissions?

    No. An SCP (Service Control Policy) only limits the maximum permissions (guardrails); it does not grant permissions. A member account still needs its own IAM policies to have actual permissions. SCPs apply to all principals in the account (including the member account's root user), but the management account is not subject to SCPs. An SCP is a "maximum permissions fence", not a "permission grant".

  2. Is the management account subject to SCPs?

    No. The management account (the Organization's root account) is not subject to SCPs, even SCPs attached at the root OU. This is why the best practice is to deploy no workloads in the management account and to minimize credentials for it. Use the management account only for billing, organization management, and Control Tower. Deploy workloads in member accounts, which are governed by SCPs.

  3. How does consolidated billing give volume discounts?

    AWS sums the usage of all member accounts in the Organization for volume pricing tiers. Example, S3: pricing drops above 50 TB and above 500 TB; consolidated billing pools the usage of 10 accounts, so the cheaper tier can be reached sooner than by each account on its own. Reserved Instances and Savings Plans can also be shared between accounts in the Organization: an RI bought in one account can apply to another account if it is not fully used.

  4. What does Control Tower set up automatically?

    AWS Control Tower automatically sets up: (1) a Landing Zone: a multi-account structure with a Log Archive account, an Audit account, a Security OU and a Sandbox OU; (2) Guardrails (mandatory + optional SCPs + Config rules); (3) IAM Identity Center for SSO; (4) a CloudTrail organization trail; (5) Config organization rules. It cuts setup time from weeks to hours. Ongoing governance runs through Account Factory for creating new accounts.

  5. Which resources does RAM share?

    AWS Resource Access Manager (RAM) shares: VPC subnets (most common), Transit Gateway, Route 53 Resolver rules, Aurora DB clusters, EC2 Capacity Reservations, License Manager configurations, AWS Network Firewall policies. Sharing only works within the same AWS Organization (Organizational sharing must be enabled). RAM itself is free; only the shared resources are billed. VPC subnet sharing is the main pattern for centralizing networking.

Hands-on exercises

  • Create an AWS Organization (requires a new account, or the current account becomes the management account)
  • Create an OU "Development" and invite/create a member account
  • Apply the SCP "DenyRegionsOutside_US"
  • Test: a user in the member account cannot create resources in regions outside the US
  • (Optional) Set up Control Tower on the Organization
