Permission - Coggle Diagram
Root
- Parent container of all accounts
Organizational Unit (OU)
- Custom container under Root; OUs can be nested, and a policy attached to an OU applies to every account and OU beneath it
Member Account
- Any account other than the management account
Removing vs Move
- Accounts can be moved freely between OUs (and the Root) without leaving the organization
- An account removed from the organization has to be re-invited, and accept the invitation, to rejoin; an OU can only be deleted once every account has been moved out of it
Management Account
- The single account that owns the organization and has full control of Root (creates OUs, attaches policies, invites and removes accounts)
Policy
Authorization Policy
- Centrally manage the security of the AWS accounts in your organization
AI Services opt-out Policy
- Opts accounts out of having their content stored and used by AWS AI services (e.g. Rekognition, CodeWhisperer, Transcribe) to develop and improve those services; it does not disable the services themselves
Management Policy
- Centrally configure and manage AWS services and their features
Service Control Policy (SCP)
- Attached to Root, an OU, or an account; applies to every account beneath the attachment point (inherited down the tree)
- Does not affect the management account, nor service-linked roles
- It only sets the maximum permissions (a boundary) and never grants access by itself: the IAM entity still needs an identity-based policy that allows the action
- Effective permissions are the intersection: the action must be allowed by the identity policy and by every SCP on the path from Root to the account, and an explicit Deny in any SCP always wins
- New organizations start with the FullAWSAccess SCP (Allow *) attached everywhere, so restrictions are usually added as Deny statements
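The intersection rule above is easy to get wrong in practice (an SCP that allows an action does not grant it, and an identity policy that allows an action is still cut off by the SCP). The following is an added example, not code from the original page or from AWS: a small Python evaluator that takes an identity policy and the SCPs on the Root-to-account path as constructed sample documents in IAM's JSON shape, and decides whether a given action is effectively allowed. It evaluates Effect/Action/Resource only (no Conditions), which is enough to show the boundary logic, and models the management-account bypass.

```python
"""Effective permission = identity policy intersect SCPs (added example, not from the original page).

All policy documents below are constructed samples in IAM's JSON shape. Only
Effect/Action/Resource are evaluated; Condition blocks are not modelled here.
"""
from fnmatch import fnmatchcase

# Default SCP AWS attaches to Root; it allows everything and is kept here on the path.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed allow-list style SCP on a workload OU: S3 and EC2 read-only, never bucket deletion.
SCP_WORKLOAD_OU = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed identity-based policy attached to a role inside a member account.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:DeleteBucket", "ec2:RunInstances", "iam:*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policy, action, resource):
    """Single-policy decision: explicit Deny beats Allow, and no match is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policy, scps, in_management_account=False):
    """SCPs bound but never grant: the identity policy must allow, and then every SCP on the
    path Root -> OU -> account must also allow. The management account skips SCPs entirely."""
    if evaluate(identity_policy, action, resource) != "Allow":
        return False
    if in_management_account:
        return True
    return all(evaluate(scp, action, resource) == "Allow" for scp in scps)


if __name__ == "__main__":
    path = [FULL_AWS_ACCESS, SCP_WORKLOAD_OU]
    for action in ["s3:GetObject", "s3:DeleteBucket", "ec2:RunInstances",
                   "ec2:DescribeInstances", "iam:CreateUser"]:
        member = is_allowed(action, "*", IDENTITY_POLICY, path)
        mgmt = is_allowed(action, "*", IDENTITY_POLICY, path, in_management_account=True)
        print(f"{action:24} member account: {member!s:5}  management account: {mgmt}")
```

Running it shows the four cases worth remembering: s3:GetObject passes both layers; s3:DeleteBucket is allowed by the identity policy but explicitly denied by the SCP; ec2:RunInstances is allowed by the identity policy but outside the SCP's allow-list; ec2:DescribeInstances is inside the SCP but not granted by any identity policy, so it is still denied. Every one of them is allowed in the management account, which is why that account should hold no day-to-day workloads or users.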
Tag Policy
- Standardize tags across accounts: allowed keys, capitalization, and allowed values; non-compliant tags are reported, and tagging rules can optionally be enforced for selected resource types
Backup Policy
- Centrally define AWS Backup plans (schedules, retention, vaults) that are applied to the organization's accounts
Modes
All Features
- SCP can be applied, in addition to all Consolidated Billing features
- Can't switch back to Consolidated Billing once active
Consolidated Billing
- One bill for all accounts, per-account usage tracking, and combined usage so volume discounts apply across accounts
- No additional fee
OrganizationAccountAccessRole
- Created automatically in every account that the organization creates
- Grants full administrative access in the new account, and its trust policy lets IAM principals in the management account assume it (treat it as a break-glass path and monitor its use)
- Existing accounts invited into the organization do not get the role; create it manually if the same access path is wanted
AWS Control Tower
Account Factory / Landing Zone
- Used together with AWS IAM Identity Center, Account Factory provisions new accounts into the landing zone automatically
- The landing zone is a pre-configured multi-account baseline (OUs, logging and audit accounts, guardrails) that gives the generated accounts secure settings from the start
- One organization can have only one landing zone
Guardrail (now called controls)
- Rules applied to OUs that keep accounts compliant: preventive controls (implemented as SCPs) block the action outright, detective controls (AWS Config rules) flag non-compliant resources for notification or remediation, and proactive controls check resources before they are provisioned
Trusted Access
- Enabled per AWS service at the organization level; it lets that service (e.g. CloudTrail, Config, GuardDuty) act across all member accounts on the organization's behalf, typically by creating service-linked roles in them. It is not cross-account access for IAM users or roles
IAM
Group
- Collection of users
- Not an IAM Entity
IAM Entity
- An IAM user or role: the objects that carry credentials and can be named as a Principal in a policy (groups cannot)
Role
Trust Relationship
- The role's trust policy: a resource-based policy that names which principals (IAM users/roles, other accounts, or AWS services) may call sts:AssumeRole on it
Identity providers and federation
- If user identities are already managed by an IdP outside AWS, federation lets those users authenticate and obtain temporary credentials for a role instead of creating an IAM user for each of them
Web Identity Federation
Amazon Cognito
- The user logs in through Amazon Cognito and receives a token; Cognito Identity Pools exchange that token for temporary AWS credentials
Federation API
- The user logs in to a public OIDC IdP (e.g. Login with Amazon, Google, Facebook) and receives a token, which is sent in an AssumeRoleWithWebIdentity call to assume the role directly
SAML 2.0
- The organization's own IdP signs a SAML assertion for the user, who sends it in an AssumeRoleWithSAML request; AWS verifies the signature against the IdP's public certificate registered in the IAM SAML identity provider and then issues temporary credentials for the role
IAM Identity Center (ex. AWS SSO)
- Logging in once to IAM Identity Center gives SSO access to the assigned AWS accounts and applications
- Identity source can be the built-in Identity Center directory, Active Directory (on-premises via AD Connector, or AWS Managed Microsoft AD), or an external SAML 2.0 IdP
Permission Sets
- Collection of one or more IAM policies (AWS managed, customer managed, or inline)
- For every account a permission set is assigned to, IAM Identity Center creates an IAM role carrying those policies and lets the assigned users and groups assume it
Policy
- JSON document attached to an IAM entity or group (identity-based) or to a resource (resource-based) that allows or denies actions
AWS Account
- Contains AWS resources and the IAM principals that can access them; it is the basic isolation boundary for permissions and billing
Delegated Administrator Account
- A member account that the management account designates to administer a specific AWS service (e.g. GuardDuty, Security Hub, IAM Identity Center) for the whole organization
- Lets day-to-day administration of that service happen outside the management account, keeping management-account logins to a minimum
Attribute Based Access Control (ABAC)
- Use the aws:PrincipalTag/key condition key (tags on the calling IAM entity) together with aws:ResourceTag/key (tags on the resource), so access is granted when the two match rather than by listing resource ARNs
- The tag keys used in these conditions must themselves be protected: anyone who can change principal or resource tags can otherwise grant themselves access
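The tag-matching rule above has edge cases that matter in practice: a principal with no team tag leaves the `${aws:PrincipalTag/team}` variable unresolved, and an untagged resource has no `aws:ResourceTag/team` value at all; in both cases the condition must fail rather than match. The following is an added example, not code from the original page or from AWS: a constructed ABAC policy in IAM's JSON shape (the Secrets Manager actions, the team tag key, the `Null` deny statement and the sample ARN are all assumptions made for the example) plus a small Python evaluator that resolves policy variables and evaluates the StringEquals and Null operators against the principal and resource tags.

```python
"""ABAC check: aws:PrincipalTag matched against aws:ResourceTag (added example, not from the page).

The policy and the ARN are constructed samples. Only the condition operators the policy
uses (StringEquals, Null) and ${...} policy variables are implemented.
"""
import re
from fnmatch import fnmatchcase

ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadSecretsOfOwnTeam",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            # Allowed only when the resource's team tag equals the caller's team tag.
            "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
        },
        {
            "Sid": "DenyUntaggedPrincipals",
            "Effect": "Deny",
            "Action": "secretsmanager:*",
            "Resource": "*",
            # Null/true means "the key is absent": principals without a team tag get nothing.
            "Condition": {"Null": {"aws:PrincipalTag/team": "true"}},
        },
    ],
}

# Constructed sample ARN (account id and secret name are assumptions).
SECRET = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:payments/db-AbCdEf"

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(template, ctx):
    """Substitute ${key} policy variables; a variable with no value makes the string unusable (None)."""
    missing = False

    def sub(match):
        nonlocal missing
        if match.group(1) not in ctx:
            missing = True
            return ""
        return ctx[match.group(1)]

    resolved = _VARIABLE.sub(sub, template)
    return None if missing else resolved


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                wanted = [_resolve(v, ctx) for v in _as_list(expected)]
                if actual is None or actual not in wanted:
                    return False
            elif operator == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def request_context(principal_tags, resource_tags):
    """Build the condition-key context the way IAM exposes tag-based keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def abac_allows(policy, action, resource_arn, principal_tags, resource_tags):
    ctx = request_context(principal_tags, resource_tags)
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny wins over any allow
        allowed = True
    return allowed


if __name__ == "__main__":
    cases = [({"team": "payments"}, {"team": "payments"}), ({"team": "payments"}, {"team": "hr"}),
             ({}, {"team": "payments"}), ({"team": "payments"}, {})]
    for principal, resource in cases:
        print(principal, resource, abac_allows(ABAC_POLICY, "secretsmanager:GetSecretValue", SECRET, principal, resource))
```

Only the first case (matching team tags) is allowed; a mismatched team, an untagged principal and an untagged resource are all refused, the untagged principal by the explicit Deny. Because the whole scheme rests on tag values, the same account needs policies restricting who may call the tagging actions on principals and on secrets.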