Day 17: AWS Governance
AWS Cloud Practitioner With Neel Patel

Organization and Accounts
AWS Organizations allow the creation of new AWS accounts and offer centralized management of billing, access control, compliance, security, and resource sharing across AWS accounts.
Root Account User: A single sign-in identity with complete access to all AWS services and resources within an account. Every account has a Root Account User.
Organization Units: Groups of AWS accounts within an organization, which can include other organizational units, creating a hierarchy.
Service Control Policies (SCPs): Provide central control over permissions for all accounts in your organization, ensuring adherence to organizational guidelines.
AWS Organizations Activation: Once activated, AWS Organizations cannot be turned off. You can create multiple AWS accounts, with one being the Master/Root Account.
AWS Account: Distinct from a User Account; it is a fundamental unit within AWS Organizations.
AWS Control Tower
AWS Control Tower helps enterprises quickly set up a secure, multi-account AWS environment, providing a baseline environment to start with a multi-account architecture.
Landing Zone: A baseline environment adhering to well-architected and best practices for launching production-ready workloads. Its features include centralized logging (AWS CloudTrail), AWS SSO, and cross-account security auditing.
Account Factory: Automates the provisioning of new accounts, standardizing account creation with pre-approved configurations and enabling self-service for account provisioning through AWS Service Catalog.
Guardrails: Pre-packaged governance rules for security, operations, and compliance that can be applied enterprise-wide or to specific groups of accounts. AWS Control Tower replaces AWS Landing Zones.
AWS Config
Change Management: In cloud infrastructure, it involves monitoring, enforcing, and remediating changes systematically.
Compliance-as-Code (CaC): Automates the monitoring, enforcement, and remediation of changes to maintain compliance with programs or configurations.
AWS Config: A Compliance-as-Code framework that manages changes to AWS accounts on a per-region basis.
When to Use AWS Config:
To ensure a resource stays configured for compliance.
To track configuration changes to resources.
To list all resources within a region.
To analyze potential security weaknesses with detailed historical information.
AWS Quick Starts
AWS Quick Starts are prebuilt templates designed to help deploy a wide range of stacks efficiently.
Components:
Reference Architecture: Provides a blueprint for deployment.
AWS CloudFormation Templates: Automate and configure the deployment.
Deployment Guide: Detailed explanation of the architecture and implementation.
Features: Quick Starts can spin up a fully functional architecture in less than an hour, reducing manual procedures.
Tagging
Tags are key-value pairs assigned to AWS resources to help with:
Resource Management: Organizing specific workloads and environments (e.g., Developer Environments).
Cost Management and Optimization: Tracking costs, budgets, and alerts.
Operations Management: Managing business commitments and SLA operations (e.g., Mission-Critical Services).
Security: Data classification and security impact.
Governance and Regulatory Compliance: Ensuring adherence to regulations.
Automation: Optimizing workloads.
Tag Examples:
Dept = Finance
Status = Approved
Team = Compliance
Environment = Production
Project = Enterprise
Location = Canada
Resource Groups
Resource Groups are collections of resources sharing one or more tags. They help in organizing and consolidating information based on:
Metrics
Alarms
Configuration Settings
Resource Groups can be modified to change the resources that appear in them and are accessible via the Global Console Header and Systems Manager.
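As an added example that is not part of these notes, the Compliance-as-Code idea from the AWS Config section applied to the tag schema above: a small tag-compliance evaluator that reports COMPLIANT/NON_COMPLIANT with an annotation, in the way an AWS Config rule evaluation does but without calling AWS, plus a tag-based resource-group filter. The required-tag list, the allowed values, and the sample inventory are assumptions constructed for the demonstration.

```python
"""Tag-compliance evaluation and tag-based grouping over a constructed inventory."""
from typing import Any, Dict, List, Tuple

# Assumed tag policy: keys taken from the page's tag examples, rules chosen here.
REQUIRED_TAGS = ("Dept", "Environment", "Project")
ALLOWED_VALUES = {
    "Environment": {"Development", "Staging", "Production"},
    "Status": {"Approved", "Pending"},
}

Resource = Dict[str, Any]  # {"id": str, "type": str, "tags": {key: value}}


def evaluate_tags(tags: Dict[str, str]) -> Tuple[str, str]:
    """Return (compliance_type, annotation) for one resource's tag set."""
    problems: List[str] = []
    for key in REQUIRED_TAGS:
        if not tags.get(key, "").strip():
            problems.append(f"missing required tag {key}")
    for key, allowed in ALLOWED_VALUES.items():
        if key in tags and tags[key] not in allowed:
            problems.append(f"tag {key}={tags[key]!r} not in {sorted(allowed)}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "all required tags present with allowed values"


def evaluate_inventory(resources: List[Resource]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every resource in a region's inventory, keyed by resource id."""
    return {r["id"]: evaluate_tags(r["tags"]) for r in resources}


def resource_group(resources: List[Resource], query: Dict[str, str]) -> List[str]:
    """Ids of resources carrying every key/value in the query (a tag-based group)."""
    return [r["id"] for r in resources
            if all(r["tags"].get(k) == v for k, v in query.items())]


# Constructed sample inventory; ids and tags are made up for this example.
SAMPLE_RESOURCES: List[Resource] = [
    {"id": "i-0001", "type": "AWS::EC2::Instance",
     "tags": {"Dept": "Finance", "Status": "Approved", "Team": "Compliance",
              "Environment": "Production", "Project": "Enterprise", "Location": "Canada"}},
    {"id": "i-0002", "type": "AWS::EC2::Instance",
     "tags": {"Dept": "Finance", "Environment": "Prod", "Project": "Enterprise"}},
    {"id": "vol-0003", "type": "AWS::EC2::Volume", "tags": {"Environment": "Production"}},
]

if __name__ == "__main__":
    for rid, (state, note) in evaluate_inventory(SAMPLE_RESOURCES).items():
        print(f"{rid}: {state} ({note})")
    print(resource_group(SAMPLE_RESOURCES, {"Dept": "Finance", "Environment": "Production"}))
```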
Business-Centric Services
Amazon Connect: A virtual call center service for creating workflows, recording calls, and managing call queues. Based on Amazon's customer service system.
WorkSpaces: A virtual desktop service for provisioning Windows or Linux desktops quickly and securely, with scalability to thousands of desktops.
WorkDocs: A shared collaboration service similar to Microsoft SharePoint, offering centralized storage for company content and files.
Chime: A video-conferencing service similar to Zoom or Skype, offering screensharing, multiple participants, and a secure environment with an integrated calendar.
WorkMail: A managed business email service with support for existing desktop and mobile email clients (IMAP), similar to Gmail or Exchange.
Pinpoint: A marketing campaign management service for sending targeted emails, SMS, push notifications, and voice messages. It includes A/B testing and journey creation.
Simple Email Service (SES): A transactional email service for integrating email sending capabilities into applications, with support for templates, open-rate tracking, and reputation management.
QuickSight: A Business Intelligence (BI) service for visualizing data from multiple sources in graphs, requiring minimal programming knowledge.