AWS SAP-C02 Tutorial 4: Identity and Federated Authentication

AWS accounts and permission control look complicated at first: there is IAM, identity federation and Organizations, and then roles, policies and so on. But once you sort out a few basic concepts and then relate them to the architectures used in real scenarios, you will pick this area up quickly.
An AWS account is no different from an account with any other cloud or SaaS product: you register an account with a unique ID, and under that account you create compute, storage, networking and other resources; through IAM you can also create sub-users and roles that share those resources. The following sections explain AWS identity and federated authentication in three parts:

1 AWS IAM

To understand how AWS manages accounts and permissions, start with IAM.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM you centrally manage the permissions that control which AWS resources users can access. IAM is used to control who is authenticated (allowed to sign in) and authorized (has permissions) to use resources. Put simply, IAM is the service dedicated to AWS account and permission management.

1.1 Basic building blocks

Understanding IAM starts with the following building blocks.

  • Users
    If you own an AWS account, you own its root user (which does not appear in the user list). Inside the account you can create IAM users, which you can think of as sub-accounts. When an employee needs to sign in to your AWS account to do a specific job but you do not want to give them too much, creating a user is one option. (Note: an IAM user is a long-lived credential, so AWS does not recommend using it this way; the recommendation is IAM Identity Center, formerly AWS Single Sign-On.)
  • User groups
    Once headcount grows you cannot assign permissions one person at a time without exhausting yourself. Instead, put people into groups and control permissions on the group, which gives everyone of the same kind the same permissions. That is what groups are for.
  • Roles
    A role is an IAM identity you create in an account with specific permissions. Roles resemble IAM users: both are AWS identities with permission policies that determine what the identity can and cannot do in AWS. Unlike a user, however, a role is not tied to one person; it is meant to be assumed by whoever needs it. (Note: a role can be granted not only to users in the same account but also across accounts; this comes up often in the exam.)
    A role can be used by:
    1) IAM users in the same AWS account as the role
    2) IAM users in a different AWS account from the role
    3) Web services offered by AWS, such as Amazon Elastic Compute Cloud (Amazon EC2)
    4) External users authenticated by an external identity provider (IdP) compatible with SAML 2.0 or OpenID Connect, or by a custom identity broker
    (Note: many people equate AWS roles with the roles of an RBAC model, but an AWS role is much broader: it can be granted to a resource such as an EC2 instance, which is where the model departs from plain RBAC.)

Example question: A company is subject to regulatory audits of its financial information. External auditors who use a single AWS account need access to the company’s AWS account. A solutions architect must provide the auditors with secure, read-only access to the company’s AWS account. The solution must comply with AWS security best practices.
Which solution will meet these requirements?
A. In the company’s AWS account, create resource policies for all resources in the account to grant access to the auditors’ AWS account. Assign a unique external ID to the resource policy.
B. In the company’s AWS account, create an IAM role that trusts the auditors’ AWS account. Create an IAM policy that has the required permissions. Attach the policy to the role. Assign a unique external ID to the role’s trust policy.
C. In the company’s AWS account, create an IAM user. Attach the required IAM policies to the IAM user. Create API access keys for the IAM user. Share the access keys with the auditors.
D. In the company’s AWS account, create an IAM group that has the required permissions. Create an IAM user in the company’s account for each auditor. Add the IAM users to the IAM group.
Answer: B
Explanation: the external auditors must be given the necessary permissions. This is cross-account access, so the best approach is an IAM role granted to the auditors' account. Hence option B.

Example question: A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts.
Which solution will meet this requirement?
A. Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
B. Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
C. Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
D. Create an IAM user in the management account. In the member accounts, create cross-account roles that have least privilege access. Grant the IAM user access to the role by using a trust policy.
Answer: D
Explanation: permissions must be granted across accounts, so use roles: create a role with the required permissions in each other account and then let the user assume it, hence option D. Option A does not grant any role permissions in the other accounts. Option B, creating a user in every account, is not workable. Option C fails because a user can only be used within its own account.

  • Policies
    AWS uses ABAC, and policies are how ABAC is implemented: every AWS permission is granted through a policy. Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes; in AWS these attributes are called tags. Tags can be attached to IAM resources, including IAM entities (users and roles), and to AWS resources. Besides the policies IAM attaches to users or roles, some resources can also carry their own resource-based policies (S3 buckets, for example).
    A policy is a JSON document made up of Effect, Action, Resource, Condition and policy variables.
    Policies come in three kinds: AWS managed policies, customer managed policies and inline policies.
    The example below, a policy granting only S3 list permissions, should give you a feel for what a policy looks like; see the AWS docs for more.
    [Figure: example policy granting only S3 list permissions]
    Note the following points about policies:
    1) An Effect of Deny takes precedence over any Allow.
    2) Should access to a resource be controlled through a role (that is, the policies attached to the role) or through a resource-based policy? Either works, but remember the biggest difference: when you assume a role, you automatically give up the permissions of the identity you started with.

Example question: A company has a project that is launching Amazon EC2 instances that are larger than required. The project’s account cannot be part of the company’s organization in AWS Organizations due to policy restrictions to keep this activity outside of corporate IT. The company wants to allow only the launch of t3.small
EC2 instances by developers in the project’s account. These EC2 instances must be restricted to the us-east-2 Region.
What should a solutions architect do to meet these requirements?
A. Create a new developer account. Move all EC2 instances, users, and assets into us-east-2. Add the account to the company’s organization in AWS Organizations. Enforce a tagging policy that denotes Region affinity.
B. Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in us-east-2. Attach the SCP to the project’s account.
C. Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2. Assign each developer a specific EC2 instance with their name as the tag.
D. Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project’s account.
Answer: D
Explanation: the account in question is not in the organization, so only IAM can be used, not an SCP. Hence option D.

1.2 Advanced features

  • MFA: requires users to present, in addition to their regular sign-in credentials, a unique authentication from an AWS-supported MFA mechanism when accessing AWS websites or services.
  • Password policies

1.3 Common condition keys in IAM policy Condition blocks

  • NotIpAddress: restrict by source IP address
  • aws:RequestedRegion: allow only certain Regions
  • Tags: allow based on tags (AWS-generated or user-defined tags)
  • MFA (aws:MultiFactorAuthPresent): require or not require multi-factor authentication
  • aws:PrincipalOrgID: match a particular organization
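As an added example that is not code from the original post, here is a small Python evaluator for the policy rules described above: an explicit Deny wins, an unmatched action is implicitly denied, and the condition keys from this section decide whether a statement applies at all. The S3 list-only policy, the guardrail policy, the bucket ARN and the request contexts are all constructed for illustration; aws:PrincipalOrgID would be checked the same way as any other StringEquals key.

```python
# Minimal IAM identity-policy evaluator (constructed example, not an AWS library).
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _as_list(value):
    # IAM accepts a string or a list in most fields; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches_any(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (condition key -> value)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                # Missing key: negated and ...IfExists operators match, every other operator
                # fails. This is why MFA checks use BoolIfExists rather than Bool.
                ok = operator.startswith(("StringNot", "NotIp")) or operator.endswith("IfExists")
            elif operator == "StringEquals":
                ok = str(actual) in expected
            elif operator == "StringNotEquals":
                ok = str(actual) not in expected
            elif operator in ("Bool", "BoolIfExists"):
                ok = str(actual).lower() == expected[0].lower()
            elif operator == "IpAddress":
                ok = any(ip_address(actual) in ip_network(e) for e in expected)
            elif operator == "NotIpAddress":
                ok = not any(ip_address(actual) in ip_network(e) for e in expected)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches_any(stmt["NotAction"], action):
        return False
    if "Resource" in stmt and not _matches_any(stmt["Resource"], resource):
        return False
    return _condition_holds(stmt.get("Condition"), ctx)


def evaluate(policies, action, resource, ctx=None):
    """'Deny', 'Allow' or 'ImplicitDeny' for one request across all attached policies."""
    ctx = ctx or {}
    verdict = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final, whatever else allows
            verdict = "Allow"
    return verdict


# Constructed policy: the S3 list-only example the text describes.
S3_LIST_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"}]}

# Constructed guardrails built from the condition keys listed above (all values are placeholders).
# A real Region deny would exempt global services with NotAction, as the SCP questions below note.
GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideCorpNetwork", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    {"Sid": "DenyOutsideApprovedRegion", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-2"]}}},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

BUCKET = "arn:aws:s3:::example-bucket"  # constructed resource ARN
CORP_CTX = {"aws:SourceIp": "203.0.113.10", "aws:RequestedRegion": "us-east-2",
            "aws:MultiFactorAuthPresent": "true"}


def demo():
    """The cases the text calls out; returns {case: verdict}."""
    p = [S3_LIST_ONLY, GUARDRAILS]
    no_mfa_key = {k: v for k, v in CORP_CTX.items() if k != "aws:MultiFactorAuthPresent"}
    return {
        "list from corp network, MFA": evaluate(p, "s3:ListBucket", BUCKET, CORP_CTX),
        "put from corp network, MFA": evaluate(p, "s3:PutObject", BUCKET, CORP_CTX),
        "list from outside corp network": evaluate(p, "s3:ListBucket", BUCKET, {**CORP_CTX, "aws:SourceIp": "198.51.100.7"}),
        "list in eu-west-1": evaluate(p, "s3:ListBucket", BUCKET, {**CORP_CTX, "aws:RequestedRegion": "eu-west-1"}),
        "list with long-term keys (no MFA key)": evaluate(p, "s3:ListBucket", BUCKET, no_mfa_key),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:38} -> {verdict}")
```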

1.4 IAM Access Analyzer

IAM Access Analyzer lets you identify any policy that grants access to an external principal, helping you find resources at risk of unintended access. Put simply, it analyzes which of your resources can currently be accessed, and by whom. It works by applying logic-based reasoning to the resource-based policies in your AWS environment to determine which resources are shared with external principals.

  • Supported resources include S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues and Secrets Manager secrets
  • An external principal can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, an anonymous user, or another entity that can be used to create a filter
  • You define a zone of trust; any access possible from outside that zone is detected and flagged
  • IAM Access Analyzer policy validation: when you create or edit a policy in the IAM console, the AWS CLI, the AWS API or the JSON policy editor, Access Analyzer validates it against IAM policy grammar and best practices. The validation results include security warnings, errors, general warnings and suggestions for the policy.
  • IAM Access Analyzer policy generation: generates an IAM policy from an entity's access activity. Access Analyzer reviews your AWS CloudTrail logs and produces a policy template containing the permissions the role used during a specified date range. You can use the template to create a fine-grained policy that grants only the permissions a specific use case needs.

Example question: A company needs to audit the security posture of a newly acquired AWS account. The company’s data security team requires a notification only when an Amazon S3 bucket becomes publicly exposed. The company has already established an Amazon Simple Notification Service (Amazon SNS) topic that has the data security team’s email address subscribed.
Which solution will meet these requirements?
A. Create an S3 event notification on all S3 buckets for the isPublic event. Select the SNS topic as the target for the event notifications.
B. Create an analyzer in AWS Identity and Access Management Access Analyzer. Create an Amazon EventBridge rule for the event type “Access Analyzer Finding” with a filter for “isPublic: true.” Select the SNS topic as the EventBridge rule target.
C. Create an Amazon EventBridge rule for the event type “Bucket-Level API Call via CloudTrail” with a filter for “PutBucketPolicy.” Select the SNS topic as the EventBridge rule target.
D. Activate AWS Config and add the cloudtrail-s3-dataevents-enabled rule. Create an Amazon EventBridge rule for the event type “Config Rules Re-evaluation Status” with a filter for “NON_COMPLIANT.” Select the SNS topic as the EventBridge rule target.
Answer: B
Explanation: see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

2 STS

AWS Security Token Service (AWS STS) is offered as a global service, and all STS requests go to a single endpoint. AWS recommends using Regional STS endpoints rather than the global one to reduce latency, build in redundancy and increase session token validity. STS has no console of its own; it is simply a service, enabled from the account settings page of the IAM console. It is mentioned here for two reasons: it is used when granting cross-account access, and it appears in the exam.

2.1 How it works

[Figure: AWS diagram of granting cross-account access through a role]
The figure above is the official diagram of granting a role across accounts. Step 4 is where the caller obtains the role credentials returned by STS. The underlying flow is shown in the next figure:
[Figure: underlying STS AssumeRole flow]
Note: STS credentials also have an expiry, which makes permission control safer.

2.2 Use cases

  • Granting a role to users in another IAM account
  • Granting a role to a third party
  • Granting a role to an AWS service
  • Identity federation

2.3 The confused deputy problem (External ID)

The confused deputy problem is a security issue in which an entity that does not have permission to perform an action can coerce a more privileged entity into performing it. To prevent this, when you grant a third party (cross-account) or another AWS service (cross-service) access to resources in your account, AWS provides tools to protect your account; for the cross-account case the mechanism is the external ID. See: https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/confused-deputy.html Note: this is an exam topic.
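The external ID mitigation as an added Python model, not code from the original post or from AWS: a vendor account assumes a role that a customer created, and the trust policy's sts:ExternalId condition is what stops a second customer from pointing the vendor at the first customer's role. All account IDs, external IDs and customer records are placeholders.

```python
# Confused-deputy mitigation with sts:ExternalId (constructed model, not AWS code).
VENDOR_ACCOUNT = "111111111111"  # placeholder account id of the third-party vendor


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_permits(trust_policy, caller_account, external_id):
    """True if an sts:AssumeRole call from caller_account carrying external_id is trusted."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        trusted = _as_list(stmt["Principal"].get("AWS", []))
        # A bare account id or its :root ARN as Principal trusts the whole caller account.
        if not any(p in (caller_account, f"arn:aws:iam::{caller_account}:root") for p in trusted):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None:
            # The caller must present exactly the id agreed with this customer; absent or wrong fails.
            if external_id is None or external_id not in _as_list(required):
                continue
        return True
    return False


def customer_trust_policy(external_id=None):
    """The trust policy a customer attaches to the role the vendor will assume (constructed)."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Vendor-side records (constructed): the vendor generates one external id per customer and
# always sends that customer's id when acting for that customer, whatever role ARN they registered.
VENDOR_CUSTOMERS = {
    "customer-a": {"external_id": "customer-a-7f3c"},
    "customer-b": {"external_id": "customer-b-91d0"},
}


def vendor_assume(customer, role_trust_policy):
    """Simulate the vendor assuming the role a customer registered, with that customer's id."""
    ext = VENDOR_CUSTOMERS[customer]["external_id"]
    return trust_policy_permits(role_trust_policy, VENDOR_ACCOUNT, ext)


def confused_deputy_demo():
    """Customer A's role, reached through the vendor on behalf of A and of B (B registered A's role ARN)."""
    with_id = customer_trust_policy(VENDOR_CUSTOMERS["customer-a"]["external_id"])
    without_id = customer_trust_policy()
    return {
        "A via vendor, ExternalId enforced": vendor_assume("customer-a", with_id),
        "B via vendor, ExternalId enforced": vendor_assume("customer-b", with_id),
        "B via vendor, no ExternalId condition": vendor_assume("customer-b", without_id),
        "other account with A's ExternalId": trust_policy_permits(with_id, "999999999999", "customer-a-7f3c"),
    }


if __name__ == "__main__":
    for case, ok in confused_deputy_demo().items():
        print(f"{case:40} -> {'assumed' if ok else 'rejected'}")
```

The last case shows that the external ID complements the Principal check rather than replacing it: knowing the ID does not let an untrusted account assume the role.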

3 Identity Federation

STS, as described above, provides cross-account access between IAM accounts. Next is access to AWS by third-party accounts, meaning accounts that are not AWS accounts, which requires identity federation. Put simply, AWS trusts a third-party identity provider, and when one of that provider's users uses AWS resources, AWS verifies the user's legitimacy through the provider and derives their permissions from it. See the figure:
[Figure: identity federation flow]

3.1 Ways to implement identity federation

  • SAML 2.0
  • Custom identity broker
  • Web identity federation with Cognito
  • Web identity federation without Cognito
  • IAM Identity Center (formerly Single Sign-On, SSO)
  • Non-SAML with AWS Managed Microsoft AD
    Note: with so many implementations, the exam asks about them frequently; remember how each works and what distinguishes it, and choose according to the scenario.

Example question: A company has an environment that has a single AWS account. A solutions architect is reviewing the environment to recommend what the company could improve specifically in terms of access to the AWS Management Console. The company’s IT support workers currently access the console for administrative tasks, authenticating with named IAM users that have been mapped to their job role.
The IT support workers no longer want to maintain both their Active Directory and IAM user accounts. They want to be able to access the console by using their existing Active Directory credentials. The solutions architect is using AWS Single Sign-On (AWS SSO) to implement this functionality.
Which solution will meet these requirements MOST cost-effectively?
A. Create an organization in AWS Organizations. Turn on the AWS SSO feature in Organizations. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company’s on-premises Active Directory. Configure AWS SSO and set the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups within the AWS Managed Microsoft AD directory.
B. Create an organization in AWS Organizations. Turn on the AWS SSO feature in Organizations. Create and configure an AD Connector to connect to the company’s on-premises Active Directory. Configure AWS SSO and select the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company’s Active Directory.
C. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company’s on-premises Active Directory. Configure AWS SSO and select the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups within the AWS Managed Microsoft AD directory.
D. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure an AD Connector to connect to the company’s on-premises Active Directory. Configure AWS SSO and select the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company’s Active Directory.
Answer: D
Explanation: there is a prerequisite: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html

Example question: A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company’s AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company’s AWS accounts.
The company’s security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location.
Which solution will meet these requirements?
A. Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).
B. Configure AWS Single Sign-On (AWS SSO) by using AWS SSO as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using AWS SSO permission sets.
C. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.
D. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.
Answer: A
Explanation: see https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/

Example question: A company has many separate AWS accounts and uses no central billing or management. Each AWS account hosts services for different departments in the company. The company has a Microsoft Azure Active Directory that is deployed.
A solutions architect needs to centralize billing and management of the company’s AWS accounts. The company wants to start using identity federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys.
Which combination of steps will meet these requirements? (Choose three.)
A. Create a new AWS account to serve as a management account. Deploy an organization in AWS Organizations. Invite each existing AWS account to join the organization. Ensure that each account accepts the invitation.
B. Configure each AWS account’s email address to be aws+@example.com so that account management email messages and invoices are sent to the same place.
C. Deploy AWS IAM Identity Center (AWS Single Sign-On) in the management account. Connect IAM Identity Center to the Azure Active Directory. Configure IAM Identity Center for automatic synchronization of users and groups.
D. Deploy an AWS Managed Microsoft AD directory in the management account. Share the directory with all other accounts in the organization by using AWS Resource Access Manager (AWS RAM).
E. Create AWS IAM Identity Center (AWS Single Sign-On) permission sets. Attach the permission sets to the appropriate IAM Identity Center groups and AWS accounts.
F. Configure AWS Identity and Access Management (IAM) in each AWS account to use AWS Managed Microsoft AD for authentication and authorization.
Answer: ACE
Explanation: the question asks for identity federation. Create a new management account, configure SSO, and set up the permissions through which the on-premises directory's users access IAM. Hence ACE.

4 AWS Organizations

AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and manage centrally. It includes account management and consolidated billing features that help you better meet your budgetary, security and compliance needs. As an organization administrator you can create accounts in the organization and invite existing accounts to join. In practice a company usually has many AWS accounts, and when it acquires a company that already uses AWS, that company brings its own accounts too; Organizations is the feature for managing all of them.

4.1 Basic features

  • Centrally manage all your AWS accounts

Example question: A Solutions Architect is designing a multi-account structure that has 10 existing accounts. The design must meet the following requirements:
– Consolidate all accounts into one organization.
– Allow full access to the Amazon EC2 service from the master account and the secondary accounts.
– Minimize the effort required to add additional secondary accounts.
Which combination of steps should be included in the solution? (Choose two.)
A. Create an organization from the master account. Send invitations to the secondary accounts from the master account. Accept the invitations and create an OU.
B. Create an organization from the master account. Send a join request to the master account from each secondary account. Accept the requests and create an OU.
C. Create a VPC peering connection between the master account and the secondary accounts. Accept the request for the VPC peering connection.
D. Create a service control policy (SCP) that enables full EC2 access, and attach the policy to the OU.
E. Create a full EC2 access policy and map the policy to a role in each account. Trust every other account to assume the role.
Answer: AD
Explanation: the requirements are to use Organizations, give users under the organization full EC2 access, and minimize the effort of adding member accounts later. Options A and B both create the organization, but A is correct: the management account invites the member accounts and they accept. Option C has little to do with the question, so it is eliminated. Options D and E both look workable, but D better satisfies "Minimize the effort required to add additional secondary accounts". Hence AD.

  • Consolidated billing for all member accounts (services such as Cost Explorer). (Note: when the exam mentions centralized billing, it is mostly related to Organizations.)
  • Policies (SCPs) that centrally control which AWS services and API actions each account can access; section 4.3 describes SCPs in detail.
  • Integration with IAM Identity Center (formerly Single Sign-On, SSO)

4.2 Typical architectures

  • Identity account architecture: one central account manages the other accounts.
    [Figure: identity account architecture]
    (Note: the OU in the figure is an organizational unit, which you can think of as a group; section 4.3 describes OUs in detail.)

  • Log account architecture: one central account collects the logs of the others.
    [Figure: log account architecture]

  • Publishing account architecture

  • Billing structure

4.3 Organizational units and SCPs

  • An organizational unit (OU) groups accounts together so they can be managed as a unit, which greatly simplifies account management. For example, you can attach policy-based controls to an OU and every account in that OU automatically inherits the policy. You can create multiple OUs within a single organization, and OUs within other OUs. Each OU can contain multiple accounts, and you can move accounts from one OU to another. OU names must be unique within the parent OU or root.
  • A service control policy (SCP) is a type of organization policy used to manage permissions in the organization. SCPs give you central control over the maximum available permissions for all accounts in the organization and help ensure that accounts stay within the organization's access control guidelines.
  • Example of automatic policy inheritance
    [Figure: policy inheritance from root to OU to account]
    (Note: whenever the exam mentions multi-account management together with permission control, the answer is very often related to Organizations, OUs and SCPs.)
Example question: A company with several AWS accounts is using AWS Organizations and service control policies (SCPs). An Administrator created the following SCP and has attached it to an organizational unit (OU) that contains AWS account 1111-1111-1111:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllActions",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyCloudTrail",
      "Effect": "Deny",
      "Action": "cloudtrail:*",
      "Resource": "*"
    }
  ]
}
Developers working in account 1111-1111-1111 complain that they cannot create Amazon S3 buckets. How should the Administrator address this problem?
A. Add s3:CreateBucket with "Allow" effect to the SCP
B. Remove the account from the OU, and attach the SCP directly to account 1111-1111-1111
C. Instruct the Developers to add Amazon S3 permissions to their IAM entities.
D. Remove the SCP from account 1111-1111-1111.
Answer: C
Explanation: for option A, anything added is still overridden by the existing explicit deny; option B, moving the SCP from the OU onto the account, changes nothing; option D is impossible because the SCP is attached to the OU, not to the account, so it cannot be removed from the account. The only answer is C.

Example question: An enterprise company wants to allow its Developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by Procurement Managers. The Procurement team’s policy indicates that Developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The Procurement team wants administration of Private Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by Procurement Managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access.
What is the MOST efficient way to design an architecture to meet these requirements?
A. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
B. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the Developer roles.
C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
D. Create an IAM role named procurement-manager-role in the AWS accounts that will be used by Developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.
Answer: C
Explanation: the key phrases are "each organizational unit (OU)", "obtain third-party software from an approved list" and "restricted to". The intent is that a single role administers third-party software and nobody else can create that role. So first grant AWSPrivateMarketplaceAdminFullAccess to procurement-manager-role, then forbid everyone else from creating a procurement-manager-role; only that role can then administer third-party software. An SCP attached at the root level blocks everyone.

Example question: A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU. Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit’s existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company’s policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?
A. Remove the organization’s root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company’s standard AWS Config rules and deploy them throughout the organization, including the new account.
B. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.
C. Convert the organization’s root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization’s root that allows AWS Config actions for principals only in the new account.
D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization’s root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.
Answer: D
Explanation: the new business unit's OU must be allowed to use AWS Config without affecting the organization's current permissions and without adding long-term maintenance. Option A would let every account in the organization use AWS Config. Option B creates a new OU and attaches an SCP that allows AWS Config, but the existing root SCP is a deny, and because a root SCP also applies to the new OU this would add long-term maintenance; the best approach is to move the root SCP down to the Production OU. Option C makes the same mistake as A. Hence D.
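The SCP semantics behind both the S3 bucket question and the AWS Config question above, as an added Python model that is not part of the original post: it walks a root-to-account SCP path and then the identity policies, with placeholder account IDs and constructed policies, and reproduces why a root-level deny reaches a new Onboarding OU until it is moved to the Production OU.

```python
# SCP inheritance and the SCP/identity-policy intersection (constructed example, not AWS code).
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def policy_verdict(policy, action):
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy (Resource and Condition not modelled)."""
    verdict = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def scp_allows(path, action):
    """path: [(node, [SCPs attached to node]), ...] from the root down to the account.
    The SCP layer passes only if every level allows the action and no level denies it."""
    for _node, scps in path:
        verdicts = [policy_verdict(scp, action) for scp in scps]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


def effective_decision(path, identity_policies, action):
    """SCPs cap, identity policies grant: the final answer for a principal in the account."""
    if not scp_allows(path, action):
        return "Deny (SCP)"
    verdict = "ImplicitDeny (identity policy)"
    for policy in identity_policies:
        v = policy_verdict(policy, action)
        if v == "Deny":
            return "Deny (identity policy)"
        if v == "Allow":
            verdict = "Allow"
    return verdict


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


FULL_AWS_ACCESS = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"})  # attached by default
# The SCP from the first question in this section (key names in valid IAM form).
OU_SCP = _policy({"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"},
                 {"Sid": "DenyCloudTrail", "Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"})
DENY_CONFIG = _policy({"Effect": "Deny", "Action": "config:*", "Resource": "*"})  # a deny-list root SCP
S3_ADMIN = _policy({"Effect": "Allow", "Action": "s3:*", "Resource": "*"})        # an identity policy
ACCOUNT = "111111111111"  # placeholder for the member account


def _path(*nodes):
    """Build a root-to-account path; FullAWSAccess sits on every node, extra SCPs as given."""
    return [(name, [FULL_AWS_ACCESS, *extra]) for name, extra in nodes]


def demo():
    prod = _path(("root", []), ("Production", [OU_SCP]), (ACCOUNT, []))
    # AWS Config question: a deny-list SCP at the root reaches a new Onboarding OU too ...
    root_deny = _path(("root", [DENY_CONFIG]), ("Onboarding", []), (ACCOUNT, []))
    # ... so the deny is moved from the root to the Production OU instead.
    moved_onb = _path(("root", []), ("Onboarding", []), (ACCOUNT, []))
    moved_prod = _path(("root", []), ("Production", [DENY_CONFIG]), (ACCOUNT, []))
    return {
        "dev, no IAM policy, s3:CreateBucket": effective_decision(prod, [], "s3:CreateBucket"),
        "dev with S3 policy, s3:CreateBucket": effective_decision(prod, [S3_ADMIN], "s3:CreateBucket"),
        "admin, cloudtrail:CreateTrail": effective_decision(prod, [FULL_AWS_ACCESS], "cloudtrail:CreateTrail"),
        "Onboarding OU, deny still at root": scp_allows(root_deny, "config:PutConfigRule"),
        "Onboarding OU, deny moved to Production": scp_allows(moved_onb, "config:PutConfigRule"),
        "Production OU, deny moved to Production": scp_allows(moved_prod, "config:PutConfigRule"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:42} -> {result}")
```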

Example question: A company has a large number of AWS accounts in an organization in AWS Organizations. A different business group owns each account. All the AWS accounts are bound by legal compliance requirements that restrict all operations outside the eu-west-2 Region.
The company’s security team has mandated the use of AWS Systems Manager Session Manager across all AWS accounts.
Which solution should a solutions architect recommend to meet these requirements?
A. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization.
B. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. For each AWS account, use the ArnNotLike condition key to add the ARN of the IAM role that is associated with the Session Manager instance profile to the condition element of the SCP. In AWS Organizations, apply the SCP to the root of the organization.
C. Create an SCP that denies access to all requests that do not target eu-west-2. Use the NotAction element to exempt global services from the restriction. In AWS Organizations, apply the SCP to the root of the organization. In each AWS account, create an IAM permissions boundary that allows access to the IAM role that is associated with the Session Manager instance profile.
D. For each AWS account, create an IAM permissions boundary that denies access to all requests that do not target eu-west-2. For each AWS account, apply the permissions boundary to the IAM role that is associated with the Session Manager instance profile.
Answer: A
Explanation: the requirement is to restrict operations to the eu-west-2 Region while using Systems Manager Session Manager. Option C is eliminated first: it does not work, because applying a permissions boundary to the SSM instance profile role does not grant access. Option D also fails: it applies only to Session Manager. Option B would mean allowing the SSM role ARN to work in every Region. Only option A is correct.

Example question: A large company in Europe plans to migrate its applications to the AWS Cloud. The company uses multiple AWS accounts for various business groups. A data privacy law requires the company to restrict developers’ access to AWS European Regions only.
What should the solutions architect do to meet this requirement with the LEAST amount of management overhead?
A. Create IAM users and IAM groups in each account. Create IAM policies to limit access to non-European Regions. Attach the IAM policies to the IAM groups.
B. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create SCPs to limit access to non-European Regions and attach the policies to the OUs.
C. Set up AWS Single Sign-On and attach AWS accounts. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in each account.
D. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in the primary account.
Answer: B
Explanation: see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region

Example question: A company uses an organization in AWS Organizations to manage the company’s AWS accounts. The company uses AWS CloudFormation to deploy all infrastructure. A finance team wants to build a chargeback model. The finance team asked each business unit to tag resources by using a predefined list of project values.
When the finance team used the AWS Cost and Usage Report in AWS Cost Explorer and filtered based on project, the team noticed noncompliant project values. The company wants to enforce the use of project tags for new resources.
Which solution will meet these requirements with the LEAST effort?
A. Create a tag policy that contains the allowed project tag values in the organization’s management account. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
B. Create a tag policy that contains the allowed project tag values in each OU. Create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. Attach the SCP to each OU.
C. Create a tag policy that contains the allowed project tag values in the AWS management account. Create an IAM policy that denies the cloudformation:CreateStack API operation unless a project tag is added. Assign the policy to each user.
D. Use AWS Service Catalog to manage the CloudFormation stacks as products. Use a TagOptions library to control project tag values. Share the portfolio with all OUs that are in the organization.
Answer: A
Explanation: the goal is to force new resources to carry project tags with values from a defined set. Option B costs more than A because an SCP is created in every OU; option C is even more overhead, across all accounts; option D works but does not restrict resources created through the CLI, or through the console without tags, for the remaining services. Hence option A.

Example question: A company is designing an AWS Organizations structure. The company wants to standardize a process to apply tags across the entire organization. The company will require tags with specific values when a user creates a new resource. Each of the company’s OUs will have unique tag values.
Which solution will meet these requirements?
A. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
B. Use an SCP to deny the creation of resources that do not have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the organization’s management account.
C. Use an SCP to allow the creation of resources only when the resources have the required tags. Create a tag policy that includes the tag values that the company has assigned to each OU. Attach the tag policies to the OUs.
D. Use an SCP to deny the creation of resources that do not have the required tags. Define the list of tags. Attach the SCP to the OUs.
Answer: A
Explanation: see https://aws.amazon.com/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

Example question: A company uses AWS Organizations to manage more than 1,000 AWS accounts. The company has created a new developer organization. There are 540 developer member accounts that must be moved to the new developer organization. All accounts are set up with all the required information so that each account can be operated as a standalone account.
Which combination of steps should a solutions architect take to move all of the developer accounts to the new developer organization? (Choose three.)
A. Call the MoveAccount operation in the Organizations API from the old organization’s management account to migrate the developer accounts to the new developer organization.
B. From the management account, remove each developer account from the old organization using the RemoveAccountFromOrganization operation in the Organizations API.
C. From each developer account, remove the account from the old organization using the RemoveAccountFromOrganization operation in the Organizations API.
D. Sign in to the new developer organization’s management account and create a placeholder member account that acts as a target for the developer account migration.
E. Call the InviteAccountToOrganization operation in the Organizations API from the new developer organization’s management account to send invitations to the developer accounts.
F. Have each developer sign in to their account and confirm to join the new developer organization.
Answer: BDF
Explanation: the accounts must be moved from one organization to another. For the steps, see: https://aws.amazon.com/premiumsupport/knowledge-center/organizations-move-accounts/

Example question: A company is using AWS Organizations to manage multiple accounts. Due to regulatory requirements, the company wants to restrict specific member accounts to certain AWS Regions, where they are permitted to deploy resources. The resources in the accounts must be tagged, enforced based on a group standard, and centrally managed with minimal configuration.
What should a solutions architect do to meet these requirements?
A. Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
B. From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root.
C. Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
D. Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.
Answer: D
Explanation: The requirements are to restrict certain accounts to deploying resources only in particular Regions, to require tags on all resources, and to manage this centrally. Option A creates AWS Config rules in the individual member accounts, which is not central management; option B likewise provides neither enforcement nor a way to manage it centrally; option C applies the SCP at the root, so it would affect every account. D is therefore the best option.

5 AWS Resource Access Manager

AWS Resource Access Manager (AWS RAM) helps you share resources securely across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for the supported resource types. If you have multiple AWS accounts, you can create a resource once and use AWS RAM to make it usable by the other accounts. If your accounts are managed by AWS Organizations, you can share resources with all other accounts in the organization or only with the accounts contained in one or more specified OUs. You can also share with specific AWS accounts by account ID, whether or not the account belongs to the organization.

5.1 Shareable resources

The full list of shareable resources is at https://docs.aws.amazon.com/zh_cn/ram/latest/userguide/shareable.html; the shared resources that come up most often in the exam are:

  • VPC (subnets)
  • Transit Gateway
  • Route 53 Resolver rules
  • License Manager configurations

Example question: A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use
AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment.
Which combination of steps will meet these requirements? (Choose two.)
A. From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
B. From the management account, share the transit gateway with member accounts by using an AWS Organizations SCP.
C. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.
D. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.
E. From the management account, share the transit gateway with member accounts by using AWS Service Catalog.
Answer: AC
Explanation: Option B: an SCP sets permission boundaries and is not used to share a transit gateway. Option D: a peering transit gateway attachment is for peering several transit gateways, but this scenario needs only one, so it is wrong. Option E: the requirement calls for AWS Resource Access Manager, not AWS Service Catalog.

Example question: A company is designing its network configuration in the AWS Cloud. The company uses AWS Organizations to manage a multi-account setup. The company has three OUs. Each OU contains more than 100 AWS accounts. Each account has a single VPC, and all the VPCs in each OU are in the same AWS Region.
The CIDR ranges for all the AWS accounts do not overlap. The company needs to implement a solution in which VPCs in the same OU can communicate with each other but cannot communicate with VPCs in other OUs.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an AWS CloudFormation stack set that establishes VPC peering between accounts in each OU. Provision the stack set in each OU.
B. In each OU, create a dedicated networking account that has a single VPC. Share this VPC with all the other accounts in the OU by using AWS Resource Access Manager (AWS RAM). Create a VPC peering connection between the networking account and each account in the OU.
C. Provision a transit gateway in an account in each OU. Share the transit gateway across the organization by using AWS Resource Access Manager (AWS RAM). Create transit gateway VPC attachments for each VPC.
D. In each OU, create a dedicated networking account that has a single VPC. Establish a VPN connection between the networking account and the other accounts in the OU. Use third-party routing software to route transitive traffic between the VPCs.
Answer: C
Explanation: VPCs in the same OU must be able to communicate with each other but not with VPCs in other OUs, with the least operational overhead. Options A and B do not work, because each VPC supports at most 125 active VPC peering connections, and here each OU contains more than 100 AWS accounts, which could mean 101 accounts or 10001 accounts. Option D is not the choice with the least operational overhead, and routing reachable traffic between VPCs does not require third-party routing software. Sharing a transit gateway through AWS Resource Access Manager is the appropriate solution, so C is the answer.

6 AWS Control Tower

Control Tower offers a straightforward way to set up and govern a multi-account AWS environment according to prescriptive best practices.

6.1 Basic features

  • Landing zone
    A landing zone is a well-architected multi-account environment based on security and compliance best practices. It is the enterprise-wide container that holds all the organizational units (OUs), accounts, users and other resources you want to keep under compliance governance.

Example question: A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups.
The company must create separate accounts for development. staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other.
Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)
A. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.
B. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.
C. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables.
D. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate permission sets with required MFA for existing accounts.
E. Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.
F. Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognito user pools and identity pools to manage access to accounts and between accounts.
Answer: ACD
Explanation: Control Tower is the most appropriate way to get security and compliance governance across multiple accounts, hence A; C delivers the shared-network requirement; D delivers MFA.

Example question: A manufacturing company has developed a process to gather factory floor device telemetry. The company uses AWS Control Tower. The company also uses an AWS CloudFormation stack to provision a new VPC for each factory location with a set of containers in Amazon Elastic Container Service (Amazon ECS) and Amazon CloudWatch.
The company is now acquiring another manufacturing company that has geographically remote plants. The company wants to modernize these plants. One of the tasks is to apply the same telemetry-gathering process. The network latency that results from connecting the devices directly to the services in the AWS network is very high which can affect reliability.
How can the company integrate the new plants into the existing architecture?
A. Use AWS Control Tower to create new OUs to add new accounts for the new plants. Deploy the ECS containers and CloudWatch into the accounts
B. Request an AWS Snowball Edge device for the newly acquired plants. Connect the device to AWS IoT Core and register all the factory floor devices through AWS IoT Core. Map the devices into the existing VPC and connect the devices to the ECS containers.
C. Request and install an AWS Outposts server in the newly acquired plants. Within the Outposts server, use the CloudFormation stack to provision the required VPC and ECS containers to connect to the devices. Connect to CloudWatch in the AWS Region.
D. Use Amazon EC2 Dedicated Instances. Use the CloudFormation stack to provision the required VPC and ECS containers. Connect to CloudWatch in the AWS Region.
Answer: A
Explanation: The question says that telemetry collection from the newly acquired company's sites suffers high latency, so the best solution is to deploy a further copy of the stack for those sites. To deploy it with consistent permission management, Control Tower is the most suitable choice.

Example question: A company is expanding. The company plans to separate its resources into hundreds of different AWS accounts in multiple AWS Regions. A solutions architect must recommend a solution that denies access to any operations outside of specifically designated Regions.
Which solution will meet these requirements?
A. Create IAM roles for each account. Create IAM policies with conditional allow permissions that include only approved Regions for the accounts.
B. Create an organization in AWS Organizations. Create IAM users for each account. Attach a policy to each user to block access to Regions where an account cannot deploy infrastructure.
C. Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access to run services outside of the approved Regions.
D. Enable AWS Security Hub in each account. Create controls to specify the Regions where an account can deploy infrastructure.
Answer: C
Explanation: The requirement is to restrict operations to designated Regions across hundreds of AWS accounts. Options A, B and D all require creating IAM roles, IAM users or Security Hub controls in every single account, which is more complex than option C, where everything is created and managed in one place. C is therefore the answer.

  • Dashboard

6.2 Account Factory

Account Factory is a configurable account template that helps standardize the provisioning of new accounts with pre-approved account configurations. AWS Control Tower provides a built-in Account Factory that helps you automate the account provisioning workflow in your organization.

6.3 Controls (guardrails)

A control is a high-level rule that provides ongoing governance for your overall AWS environment, expressed in plain language. AWS Control Tower implements preventive, detective and proactive controls that help you govern your resources and monitor compliance across groups of AWS accounts.

  • Control behavior
    1) Preventive: a preventive control keeps your accounts compliant by disallowing actions that would lead to policy violations. Its status is either enforced or not enabled. Preventive controls are supported in all AWS Regions. (Example: disallow creating access keys for the root user.)
    2) Detective: a detective control detects non-compliance of resources within your accounts, such as policy violations, and raises alerts through the dashboard. Its status is clear, in violation, or not enabled. Detective controls apply only in the AWS Regions supported by AWS Control Tower. (Example: resources that carry no tags.)
    3) Proactive: a proactive control scans resources before they are provisioned and ensures that they meet the control's requirements. Non-compliant resources are not provisioned.
  • Controls fall into three guidance categories:
    1) Mandatory: managed by Control Tower and cannot be disabled.
    2) Strongly recommended: owned by AWS Control Tower and based on best practices for well-architected multi-account environments, for example requiring EBS volumes attached to EC2 instances to be encrypted.
    3) Elective: elective controls let you lock down or track attempts to perform commonly restricted actions in an AWS enterprise environment, for example disallowing the deletion of S3 buckets without MFA.

Example question: A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU.
Which solution will meet this requirement?
A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.
B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.
C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.
D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.
Answer: B
Explanation: The requirement is to detect unencrypted RDS instances in the Control Tower landing zone. Option A: mandatory guardrails are predefined by AWS and cannot be customized. Option C: AWS Config does not provide a mandatory guardrail for RDS instances. Option D: AWS Control Tower does not offer a feature called custom SCPs (service control policies); it uses guardrails instead. A Control Tower guardrail is the best choice, so B is the answer.
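As an added illustration of what a detective control actually does (a constructed example, not Control Tower's or AWS Config's own code), the check below walks through a DescribeDBInstances-style response and reports each DB instance as COMPLIANT or NON_COMPLIANT on its StorageEncrypted flag, in the shape of the evaluations a custom AWS Config rule would return. The instance identifiers, account ID and KMS key ARN are made up.

```python
# Added example, not AWS Control Tower's or AWS Config's own code: a detective check
# over a DescribeDBInstances-style response, returning evaluations in the shape a
# custom AWS Config rule reports. All instance data below is constructed.

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_db_instance(db):
    """Return (identifier, compliance type, annotation) for one DBInstance record.
    A missing or non-boolean StorageEncrypted field is treated as unencrypted,
    never as compliant."""
    identifier = db["DBInstanceIdentifier"]
    if db.get("StorageEncrypted") is True:
        return identifier, COMPLIANT, f"encrypted with {db.get('KmsKeyId', 'unknown key')}"
    return (identifier, NON_COMPLIANT,
            "storage not encrypted at rest; RDS encryption can only be set at creation, "
            "so remediation is snapshot, encrypted copy, restore")


def evaluate_account(describe_response):
    """Evaluate every instance in the response; the result mirrors the Evaluations
    list a Config rule hands to PutEvaluations."""
    evaluations = []
    for db in describe_response.get("DBInstances", []):
        identifier, compliance, note = evaluate_db_instance(db)
        evaluations.append({
            "ComplianceResourceType": "AWS::RDS::DBInstance",
            "ComplianceResourceId": identifier,
            "ComplianceType": compliance,
            "Annotation": note,
        })
    return evaluations


def non_compliant_ids(describe_response):
    """Identifiers of the instances that would show as violations on the dashboard."""
    return [e["ComplianceResourceId"] for e in evaluate_account(describe_response)
            if e["ComplianceType"] == NON_COMPLIANT]


# Constructed sample in the shape of rds.describe_db_instances(); account and key IDs are fake.
SAMPLE_DESCRIBE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-orders-db", "Engine": "postgres",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "prod-reports-db", "Engine": "mysql",
         "StorageEncrypted": False},
        {"DBInstanceIdentifier": "prod-legacy-db", "Engine": "mysql"},  # field absent
    ]
}

if __name__ == "__main__":
    for ev in evaluate_account(SAMPLE_DESCRIBE_DB_INSTANCES):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

AWS Config also ships a managed rule, rds-storage-encrypted, that performs this same check. Writing it out makes the limitation of a detective control visible: it only reports. An unencrypted RDS instance cannot be encrypted in place (the setting is fixed at creation), so remediation means a snapshot, an encrypted copy and a restore, which is why a preventive or proactive control is preferable for resources that have not been created yet.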

6.4 Typical architecture

  • Detective pattern: detecting users that have not been tagged

7 IAM policy evaluation logic

7.1 ABAC

AWS's policy model is the ABAC (attribute-based access control) permission model. You can read up on ABAC elsewhere; its main points are listed here:

  • Components: subject attributes, environment attributes, action type, object attributes
  • The keyword "attribute": what is an attribute? ABAC has three kinds of attribute: subject attributes (for a user entity, e.g. age, gender, job title, department), environment attributes (time, location, etc.) and object attributes (tags, etc.). An example:
    Male employees aged 55 or over may sign the early-retirement agreement before 31 December 2023.
    Here "age" and "55" are subject attributes, "before 31 December 2023" is an environment attribute, "sign" is the action type, and "early-retirement agreement" is the object or an object attribute.
  • The keyword "dynamic": the permission decision is made dynamically. Put simply, every policy is taken out and checked against the current user, a check that covers user attributes, environment attributes, object attributes and so on; if they match, the user gets the action permission that the matching policy grants.
  • The rough correspondence between AWS and ABAC: subject attributes are the Principal, environment attributes are the Condition, the action type is the Effect and Action, and object attributes are the Resource.

7.2 IAM policy evaluation logic

Beyond the ABAC model above, a set of evaluation logic is also needed: which statements take precedence within one policy, and which policies take precedence among several. The flow in which AWS decides a permission is shown in the diagram on the official documentation page:
Reference: https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
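To make the order concrete, here is an added Python simulator (my own constructed example, not AWS's implementation and not code from this post) of the evaluation order described above for a request inside one account: explicit deny first, then the SCP, then identity or resource policies, then implicit deny. It also exercises the ABAC mapping from 7.1 (a principal tag compared with a resource tag through a policy variable in a Condition) and the Region-restriction SCP from the AWS Organizations questions earlier in this post. Only the StringEquals and StringNotEquals operators and the Action, Resource and Condition elements are modelled; the account ID, tag names, approved Regions and instance ARN are made up.

```python
import re
from fnmatch import fnmatchcase

# Added example, my own simulator and not AWS's implementation: the documented IAM
# evaluation order for a request inside one account, with ABAC conditions.
# Account ID, tag names, approved Regions and ARNs below are made up.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand_vars(text, ctx):
    """Substitute policy variables such as ${aws:PrincipalTag/team} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), text)


def _condition_holds(condition, ctx):
    """All operator/key pairs in a Condition block must hold (logical AND).
    Only StringEquals and StringNotEquals are modelled."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            accepted = [_expand_vars(v, ctx) for v in _as_list(expected)]
            found = ctx.get(key) in accepted   # a missing context key is never "found"
            if operator == "StringEquals" and not found:
                return False
            if operator == "StringNotEquals" and found:
                return False
    return True


def _applies(stmt, request):
    """A statement applies when its Action, Resource and Condition all match the request."""
    action_ok = any(fnmatchcase(request["action"].lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(request["resource"], r) for r in _as_list(stmt.get("Resource", "*")))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition"), request["context"])


def _has(policies, effect, request):
    return any(stmt["Effect"] == effect and _applies(stmt, request)
               for policy in policies for stmt in _as_list(policy["Statement"]))


def evaluate(request, identity_policies, scps=(), resource_policies=()):
    """Decide Allow/Deny in the documented order for a same-account request."""
    identity_policies, scps, resource_policies = map(list, (identity_policies, scps, resource_policies))
    if _has(identity_policies + scps + resource_policies, "Deny", request):
        return "Deny"     # 1. an explicit Deny in any policy type always wins
    if scps and not _has(scps, "Allow", request):
        return "Deny"     # 2. the account's SCPs give no Allow: implicit deny
    if _has(identity_policies + resource_policies, "Allow", request):
        return "Allow"    # 3. an identity or same-account resource policy grants it
    return "Deny"         # 4. nothing allowed it: implicit deny


def make_request(action, resource, context):
    return {"action": action, "resource": resource, "context": context}


# ABAC identity policy: a principal may start/stop only instances tagged with its own team.
ABAC_TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

# SCP in the shape of the Region-restriction questions (the approved Regions are assumed).
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    ],
}


def demo():
    """Four requests that exercise the steps of the order; returns their decisions."""
    def req(region, resource_team):
        arn = f"arn:aws:ec2:{region}:111111111111:instance/i-0123456789abcdef0"
        return make_request("ec2:StartInstances", arn, {
            "aws:PrincipalTag/team": "payments",
            "aws:ResourceTag/team": resource_team,
            "aws:RequestedRegion": region,
        })
    return {
        "same_team": evaluate(req("eu-west-1", "payments"), [ABAC_TEAM_POLICY], [REGION_SCP]),
        "other_team": evaluate(req("eu-west-1", "billing"), [ABAC_TEAM_POLICY], [REGION_SCP]),
        "wrong_region": evaluate(req("us-east-1", "payments"), [ABAC_TEAM_POLICY], [REGION_SCP]),
        "no_scp": evaluate(req("us-east-1", "payments"), [ABAC_TEAM_POLICY]),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The "other_team" and "wrong_region" cases are denied for different reasons, which is the point of the order: the first is an implicit deny (no Allow matched because the ABAC condition failed), the second an explicit deny from the SCP that no identity policy can override. AWS's published Region-restriction SCP exempts global services such as IAM, STS and Organizations with a NotAction element; the simulator does not model NotAction, so treat REGION_SCP as the shape of the condition, not as a drop-in policy. Permissions boundaries and session policies, which sit between the SCP and identity-policy steps in the real flow, are also left out.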

8 Permission-related solutions in the exam

Example question: A company is running an application in the AWS Cloud. The company’s security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account.
Which combination of steps will meet these requirements? (Choose three.)
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.
B. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic.
C. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access.
D. Invoke an AWS Step Functions state machine to remove access.
E. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.
F. Use Amazon Pinpoint to notify the security team.
Answer: ADE
Explanation: Option B: configuring CloudTrail to send a notification for the CreateUser event to an Amazon SNS topic is a good way to be notified of certain events, but it is not needed here because the CloudTrail event is already captured by the EventBridge rule. Option C: invoking a container running in Amazon Elastic Container Service (Amazon ECS) on AWS Fargate to remove access is another way to do it, but it is not needed in this case because AWS Step Functions is a managed service for creating and running state machines and can carry out the access removal. Option F: using Amazon Pinpoint to notify the security team is another way to notify the team, but it is not needed here because SNS already satisfies the requirement. The answer is therefore ADE.
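The detection half of the chosen answer (A, D, E), as an added example that is not from the original post or from AWS: an EventBridge event pattern for the CloudTrail-delivered CreateUser call, a small matcher implementing the exact-match subset of EventBridge pattern semantics that this pattern uses, and a triage function that turns a matching event into the input a Step Functions state machine would receive. The CloudTrail events are constructed; the account ID, user names and the list of remediation API calls are assumptions.

```python
# Added example, not from the post or from AWS: an EventBridge event pattern for the
# CloudTrail-delivered CreateUser call, an exact-match pattern matcher, and the triage
# step that feeds the Step Functions state machine. All events below are constructed.

CREATE_USER_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser"],
    },
}


def pattern_matches(pattern, event):
    """Exact-match subset of EventBridge semantics: every key in the pattern must be
    present in the event; a nested dict is matched recursively; a list is the set of
    acceptable literal values for that field."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def triage(event):
    """Return the state machine input for a matching CreateUser event, else None.
    The remediation list names the IAM calls the state machine is assumed to make."""
    if not pattern_matches(CREATE_USER_PATTERN, event):
        return None
    detail = event["detail"]
    user_name = detail["requestParameters"]["userName"]
    creator = detail.get("userIdentity", {}).get("arn", "unknown principal")
    return {
        "userName": user_name,
        "createdBy": creator,
        "remediation": [  # assumed steps: strip every credential and permission the new user has
            "iam:DeleteLoginProfile",
            "iam:DeleteAccessKey",
            "iam:DetachUserPolicy",
            "iam:DeleteUserPolicy",
        ],
        "notification": f"IAM user '{user_name}' created by {creator}; access removed, approval required.",
    }


# Constructed events in the shape EventBridge delivers CloudTrail API calls.
SAMPLE_EVENTS = [
    {
        "source": "aws.iam",
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",
        "detail": {
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
            "requestParameters": {"userName": "new-contractor"},
        },
    },
    {   # same source, different API call: must not match
        "source": "aws.iam",
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",
        "detail": {
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateRole",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
            "requestParameters": {"roleName": "lambda-exec"},
        },
    },
    {   # CreateUser named in a non-CloudTrail event: the detail-type filter rejects it
        "source": "aws.iam",
        "detail-type": "Custom Notification",
        "detail": {"eventName": "CreateUser"},
    },
]


def quarantined_users(events):
    """User names the workflow would quarantine from a batch of events."""
    return [t["userName"] for t in map(triage, events) if t]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["detail"].get("eventName"), "->", triage(ev))
```

IAM is a global service whose API calls CloudTrail records in us-east-1, so the EventBridge rule carrying this pattern has to be created in us-east-1 even though the trail itself is multi-Region. The real EventBridge matcher supports more than shown here (prefix, anything-but, numeric ranges); the function above implements only the list-of-literal-values form that CreateUser detection needs.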

Example question: A company uses AWS Organizations for a multi-account setup in the AWS Cloud. The company uses AWS Control Tower for governance and uses AWS Transit Gateway for VPC connectivity across accounts.
In an AWS application account, the company’s application team has deployed a web application that uses AWS Lambda and Amazon RDS. The company’s database administrators have a separate DBA account and use the account to centrally manage all the databases across the organization. The database administrators use an Amazon EC2 instance that is deployed in the DBA account to access an RDS database that is deployed in the application account.
The application team has stored the database credentials as secrets in AWS Secrets Manager in the application account. The application team is manually sharing the secrets with the database administrators. The secrets are encrypted by the default AWS managed key for Secrets Manager in the application account. A solutions architect needs to implement a solution that gives the database administrators access to the database and eliminates the need to manually share the secrets.
Which solution will meet these requirements?
A. Use AWS Resource Access Manager (AWS RAM) to share the secrets from the application account with the DBA account. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the shared secrets. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
B. In the application account, create an IAM role that is named DBA-Secret. Grant the role the required permissions to access the secrets. In the DBA account, create an IAM role that is named DBA-Admin. Grant the DBA-Admin role the required permissions to assume the DBA-Secret role in the application account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
C. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets and the default AWS managed key in the application account. In the application account, attach resource-based policies to the key to allow access from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
D. In the DBA account, create an IAM role that is named DBA-Admin. Grant the role the required permissions to access the secrets in the application account. Attach an SCP to the application account to allow access to the secrets from the DBA account. Attach the DBA-Admin role to the EC2 instance for access to the cross-account secrets.
Answer: B
Explanation: See https://aws.amazon.com/cn/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/

Example question: AnyCompany has acquired numerous companies over the past few years. The CIO for AnyCompany would like to keep the resources for each acquired company separate. The CIO also would like to enforce a chargeback model where each company pays for the AWS services it uses.
The Solutions Architect is tasked with designing an AWS architecture that allows AnyCompany to achieve the following:
– Implementing a detailed chargeback mechanism to ensure that each company pays for the resources it uses.
– AnyCompany can pay for AWS services for all its companies through a single invoice.
– Developers in each acquired company have access to resources in their company only.
– Developers in an acquired company should not be able to affect resources in their company only.
– A single identity store is used to authenticate Developers across all companies.
Which of the following approaches would meet these requirements? (Choose two.)
A. Create a multi-account strategy with an account per company. Use consolidated billing to ensure that AnyCompany needs to pay a single bill only.
B. Create a multi-account strategy with a virtual private cloud (VPC) for each company. Reduce impact across companies by not creating any VPC peering links. As everything is in a single account, there will be a single invoice. Use tagging to create a detailed bill for each company.
C. Create IAM users for each Developer in the account to which they require access. Create policies that allow the users access to all resources in that account. Attach the policies to the IAM user.
D. Create a federated identity store against the company’s Active Directory. Create IAM roles with appropriate permissions and set the trust relationships with AWS and the identity store. Use AWS STS to grant users access based on the groups they belong to in the identity store.
E. Create a multi-account strategy with an account per company. For billing purposes, use a tagging solution that uses a tag to identify the company that creates each resource.
Answer: AD
Explanation: Option B: a VPC is not enough; each company needs a separate account. Option C: IAM users are per account, so this does not satisfy "a single identity store". Option E: consolidated billing is the correct answer for this part. AD is therefore the choice.

Example question: A company is running applications on AWS in a multi-account environment. The company’s sales team and marketing team use separate AWS accounts in AWS Organizations.
The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.
B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account.
Answer: D
Explanation: The marketing team's QuickSight must access the sales team's S3 bucket, which is encrypted with a KMS key, with the least operational overhead. Option A: replicating the S3 data to the marketing account increases storage cost. Option B: it provides no secure way to share the KMS key between accounts, and it would create unnecessary data duplication and increase storage cost. Option C: the sales team's S3 bucket is in a different account, so the marketing team cannot update the policy on the sales team's bucket. D is therefore the correct choice.

Example question: A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team.
How should a solutions architect meet these requirements?
A. Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member account. Establish a trust relationship between the IAM policy in each member account and the security account. Ask the security team to use the IAM policy to gain access.
B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.
C. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the management account from the security account. Use the generated temporary credentials to gain access.
D. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the member account from the security account. Use the generated temporary credentials to gain access.
Answer: B
Explanation: The requirement is to manage multiple accounts from one place and to give the security team read-only access to the other accounts. Cross-account authorization is needed, which can be done with either IAM or STS; the difference is that an IAM cross-account role is a stable, long-term authorization, whereas STS issues temporary credentials. The question states explicitly that the security team needs a read-only role in the other accounts, so IAM is the better fit and C and D are eliminated. Option A creates a policy but no role, so it is incorrect. B is therefore the answer.

Example question: A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs, not on the Internet.
What is the MOST operationally efficient way to enforce this requirement?
A. Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
C. Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
D. Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Answer: B
Explanation: See https://aws.amazon.com/s3/features/access-points/
