Identity & Access Management
Key Management Service (KMS)
AWS Secrets Manager
AWS Web Application Firewall
AWS Firewall Manager
The course is part of this learning path
This course looks at the key Security services within AWS relevant to the SysOps Administrator - Associate exam. The core to security is Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. In addition to IAM, this course covers a range of other security services covering encryption and access control
- Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
- Learn how to manage data protection through encryption services such as the Key Management Service (KMS) and CloudHSM
- Learn how to secure your AWS accounts using AWS Organizations
- Understand how to configure and monitor AWS WAF, Firewall Manager, and Shield
- Learn the fundamentals of access control via federation using AWS Cognito and AWS SSO
Hello and welcome to this lecture which will explain how to initially set up and configure AWS organizations. Setting up an organization is a very simple process that starts from a master AWS account. Your master account is a standard AWS account that you have chosen to create the AWS organization. It's best practice to use this AWS account solely as a master account, and not to use it to provision any other resources such as EC2 instances, et cetera. This allows you to restrict access to the master account at a greater level. The few users who need access to it, the better, and you need to do this because the master account carries certain administrative level capabilities such as being able to create additional AWS accounts within your organization, invite other accounts to join your organization, remove AWS accounts from your organization, and apply security features via policies to different levels within your organization.
Once you have selected your AWS account to be used as a master account, you can create an organization. From here, you have two choices when creating an organization type: enable all features or enable only consolidated billing. If you want to set up service control policies, then you need to select enable all features.
The second option allows you to control payments and manage costs centrally from that master account across all associated AWS accounts within the organization. When the organization is created, the master account can create organizational units for AWS account management as required. The master account can also invite other member AWS accounts to join the organization. During this invitational process, the account owner of these invited AWS accounts will receive an email requesting that their AWS account join the organization. Once the accounts have joined the organization, the master account can then move these accounts into the corresponding OUs that have been created and associate relevant service control policies with them.
Let me now show you via demonstration on how to create a new organization and invite an existing account to join it. Now I'm logged into my AWS management console in the AWS account that I want to be the master account, and the first thing I need to do is go to AWS organizations, which is under the management and governance category, and you can see, it's just at the top here.
So if I go into organizations, and at the moment, I don't have any organizations set up or created. So the first thing I need to do is click on create organization, and this gives you a quick, high-level screenshot just to explain what creating an organization does. So it provides single payer and centralized cost tracking, it lets you create and invite accounts, it allows you to apply policy-based controls, and it helps you simplify organization-wide management of AWS services.
Now, as I mentioned previously, there's two options when you create your organization. You can only create it with all features enabled, which is what I just listed, or as you can see here, you can just create your organization to consolidate your billing features. With this demonstration, I'm going to create it with all features. So let's go ahead and create our organization, and that's effectively it. So it's very easy to create your AWS organization to start with, and because this is a brand new organization, this is my master account, which is signified by this star here, and this is my account name, and my account ID.
So, to actually create the organization is very simple, but now I want to add another account as a member account, so let me go ahead and do that. So if I select add account, now I have two options here. I can invite an existing account or create a new account. Now I already have another AWS account, so I'm going to invite an existing account. Now I need to enter the email or account ID, so I'll just paste in my account, and you can add any notes here, for example, please join my organization, and then you select invite.
Okay, now we can see that we have a request that's been sent as an invitation. The status is currently open. So now the email address that was registered with this account will get an invitation and they must accept that invite into this organization. So let's take a look and see if I got that email. So here we can see the email that's been sent to the owner of that member account, and it says, Stuart would like to add your AWS account to their organization as a member account, and then it just gives some additional blurb about AWS organizations, but to accept the invitation, and to understand what features have been enabled, we need to click on this link here.
So if I select that link, and sign in to my account using my details and MFA code, then I can see that I have an invitation from AWS organizations. We can see the organization ID, the master account name, and the requested controls, which is enable all features. So here, I can either accept or decline and I'm going to accept. I just need to confirm the confirmation message about joining the organization.
Okay, now this member account is now a part of that organization. So if I go back to my master account now, I can see now that within my AWS organization of my master account, I have the CA demo account, which is the name of my other account, and we can see that it's not a master because it hasn't got the star whereas this account has the, this is the master account. So as you can see, it's a very simple process to invite other accounts to your organization.
Now I also mentioned previously about organizing accounts and using organizational units. So if we select organize accounts, at the moment, we only have the root in here. So I can create the new organizational unit and assign each of these accounts into those. So, for example, let me create a new organizational unit called production.
Now I'm also going to create a second organizational unit called test. So let me create another one. At the moment, under root, we have our two accounts. So we have our master account and our member account here. Now I want to move my master account into the production organizational unit, just to make things a little more organized. So I can select the account, click on move, and then simply select where I want it to reside within the tree, and then click move, and we can see, it's now been removed from the root location, and I want to do the same with the member account, but this time, I want to move that into the test OU. So now, if I click on production over here, this organizational unit, we can see the account that it has inside it, and again, if we go back to the root and click on test, we can see that we have the member account. So I just wanted to show you that quickly just to show you how you can easily and quickly organize your different AWS accounts.
Okay, and that's the end of the demonstration.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.