AWS Organizations: Managing Multiple Accounts Effectively

AWS Organizations: Benefits and Features

Question

AWS Organizations help manage multiple accounts effectively in a large enterprise.

Which of the following statements related to AWS Organizations are correct? (Select TWO.)

Answers

A. An Organizational Unit (OU) can have only one parent.

B. An account can be a member of multiple Organizational Units (OU).

C. An SCP policy only impacts a particular AWS account even if it is applied at the root account.

D. Organizational level policies are known as Service Control Policies.

E. Service Control Policies (SCPs) can only allow actions instead of deny actions.

Explanations

Answers: A, D.

Option A is CORRECT. An Organizational Unit (OU) has exactly one branch going up: its parent is either the root or another OU, never both, as shown in the figure below.

Option B is incorrect since an Account can belong to only one OU.

Option C is incorrect.

A policy applied at the root applies throughout the organization, i.e. to all of its OUs and accounts.

A policy applied at the OU level applies to that OU, to all OUs nested under it and to the accounts under those OUs.

A policy applied at the account level applies only to that account.

Referring to the figure above, when a policy is applied to the OU under the root, it also applies to the OU below it and to accounts B, C and D.

When a policy is applied to account C, it applies only to that account.

Option D is CORRECT.

AWS Organizations automates the creation of AWS accounts, OUs and their hierarchy.

It uses Service Control Policies (SCPs) attached to OUs.

SCPs differ from IAM policies in that they can be applied at the organization level.

They take precedence over any IAM policies defined at the account level and may further restrict what those IAM policies grant.

AWS Organizations does not remove the need for IAM.

It complements IAM by consolidating and centrally managing much of what happens across accounts.

AWS Organizations is not an authority for granting permissions; it is an authority for approving or disapproving the permissions granted by IAM.

Option E is incorrect.

SCPs can be configured to allow or deny services and actions.

References:

AWS Organizations user guide: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

Service Control Policies: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

AWS Organizations

AWS Organizations is a service that allows you to manage multiple AWS accounts, and to organize and govern them as a single entity, called an organization. This service helps you to simplify the management of accounts and apply policies across accounts, and it is mainly used by enterprises with multiple AWS accounts.

Now let's discuss each statement in detail:

A. An Organizational Unit (OU) can have only one parent. This statement is correct. An organizational unit is a container for accounts, and it can have only one parent. This means that you can organize your accounts hierarchically, and each account can be part of only one OU.

B. An account can be a member of multiple Organizational Units (OU). This statement is incorrect. An account can only be a member of one OU. However, you can create nested OUs to organize your accounts in a more granular way.

C. An SCP policy only impacts a particular AWS account even if it is applied at the root account. This statement is incorrect. When you apply a Service Control Policy (SCP) at the root level of your organization, it affects all accounts and OUs within that organization. SCPs are used to restrict the actions that IAM users and roles can perform in AWS services and resources.

D. Organizational level policies are known as Service Control Policies. This statement is correct. SCPs are the policies that you can use to set controls at the organization level. SCPs allow you to set controls that restrict the actions that IAM users and roles can perform in AWS services and resources.

E. Service Control Policies (SCPs) can only allow actions instead of deny actions. This statement is incorrect. SCPs can allow or deny actions. An SCP implicitly denies every action it does not explicitly allow, so you use "Allow" statements to specify the actions you want to permit and "Deny" statements to block actions explicitly.
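The two explanations above (the policy-inheritance walk-through under Option C in the first explanation, and statements C, D and E here) describe the same evaluation rule: SCPs are inherited down the root/OU/account tree, they filter rather than grant, and an action only goes through when every SCP level on the path allows it and the principal's IAM policy allows it too. The following Python simulator is an added example, not code from the page or from AWS; the organization tree, account names, SCPs and IAM policies in `build_sample_org()` are constructed for the demo, and the `*`-wildcard matching is a simplification of real IAM action matching. It also goes slightly beyond the text by showing an account-level allowlist SCP (no FullAWSAccess attached), where everything outside the allowlist is implicitly denied.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Statement:
    """One policy statement: an Effect and a list of Action patterns ("s3:*", "*")."""
    effect: str          # "Allow" or "Deny"
    actions: List[str]

    def matches(self, action: str) -> bool:
        # IAM action names are matched case-insensitively, with '*' as a wildcard.
        return any(fnmatchcase(action.lower(), pat.lower()) for pat in self.actions)


Policy = List[Statement]                                # a policy is its list of statements
FULL_AWS_ACCESS: Policy = [Statement("Allow", ["*"])]   # AWS's default SCP


@dataclass
class Node:
    """Root, OU or account in the organization tree; SCPs can be attached at any level."""
    name: str
    parent: Optional["Node"] = None
    scps: List[Policy] = field(default_factory=list)


def policy_set_allows(policies: List[Policy], action: str) -> bool:
    """Evaluate the policies attached at one level as a unit: the action must be
    explicitly allowed by at least one statement and explicitly denied by none
    (anything not mentioned is an implicit deny)."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy:
            if stmt.matches(action):
                if stmt.effect == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_blocking_level(account: Node, action: str) -> Optional[str]:
    """SCPs are inherited downward, so an account is permitted an action only if
    the SCPs at every level from the account up to the root allow it. Returns the
    name of the first level that blocks the action, or None if no level does."""
    node: Optional[Node] = account
    while node is not None:
        # A level with nothing attached behaves like FullAWSAccess (AWS attaches it by default).
        if not policy_set_allows(node.scps or [FULL_AWS_ACCESS], action):
            return node.name
        node = node.parent
    return None


def is_permitted(account: Node, iam_policy: Policy, action: str) -> bool:
    """SCPs only filter; IAM grants. The action goes through only when no SCP level
    on the path blocks it AND the principal's own IAM policy allows it."""
    return scp_blocking_level(account, action) is None and policy_set_allows([iam_policy], action)


def build_sample_org() -> Dict[str, Node]:
    """Constructed sample organization; names and SCPs are made up for the demo."""
    root = Node("Root", scps=[FULL_AWS_ACCESS])
    workloads = Node("Workloads", root, scps=[
        FULL_AWS_ACCESS,
        [Statement("Deny", ["organizations:LeaveOrganization"])],
    ])
    prod = Node("Prod", workloads, scps=[
        FULL_AWS_ACCESS,
        [Statement("Deny", ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"])],
    ])
    return {
        "security": Node("security", root),        # directly under the root
        "dev": Node("dev", workloads),
        "prod-app": Node("prod-app", prod),
        # Account-level allowlist SCP with no FullAWSAccess: everything outside it is denied.
        "sandbox": Node("sandbox", workloads, scps=[[Statement("Allow", ["ec2:*", "s3:*"])]]),
    }


# Constructed IAM identity policies; both grant more than the SCPs let through.
PROD_ROLE_POLICY: Policy = [Statement("Allow", ["cloudtrail:*", "s3:GetObject"])]
ADMIN_POLICY: Policy = [Statement("Allow", ["*"])]


def demo() -> Dict[str, bool]:
    """Each entry pairs an (account, action) with the effective decision."""
    org = build_sample_org()
    return {
        # Denied by the Prod OU's SCP even though the role's IAM policy allows it.
        "prod-app cloudtrail:StopLogging": is_permitted(org["prod-app"], PROD_ROLE_POLICY, "cloudtrail:StopLogging"),
        # Allowed at every SCP level and by IAM.
        "prod-app s3:GetObject": is_permitted(org["prod-app"], PROD_ROLE_POLICY, "s3:GetObject"),
        # SCPs allow it, but SCPs never grant: IAM is silent, so it is denied.
        "prod-app ec2:RunInstances": is_permitted(org["prod-app"], PROD_ROLE_POLICY, "ec2:RunInstances"),
        # The Workloads OU's deny is inherited by the dev account below it.
        "dev organizations:LeaveOrganization": is_permitted(org["dev"], ADMIN_POLICY, "organizations:LeaveOrganization"),
        # Outside the sandbox account's allowlist SCP, so denied at the account level.
        "sandbox iam:CreateUser": is_permitted(org["sandbox"], ADMIN_POLICY, "iam:CreateUser"),
        # The Prod OU's deny does not reach an account outside that OU.
        "security cloudtrail:StopLogging": is_permitted(org["security"], PROD_ROLE_POLICY, "cloudtrail:StopLogging"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:45} -> {'ALLOW' if decision else 'DENY'}")
```

`scp_blocking_level` is the part worth keeping around when debugging an unexpected AccessDenied in a real organization: it tells you which level of the tree (root, an OU, or the account itself) is the one whose SCPs do not allow the action, which is the question the inheritance rule above answers.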

In summary, the correct statements are A and D.