All right, all right. So the past two classes we've been looking at security, mainly touching all of the advanced security tools that AWS offers, and those security tools are split into categories, right, because when you want to think about how you are going to implement these tools you want to think about all of the vulnerable points in the AWS platform that can be exploited. So we looked at... let me share my screen. I just want to give a rundown, or a recap, of what we looked at last week. Can everyone see my screen? Yeah, yeah, yes, yes. Awesome.

So we looked at entry-level tools, or entry-point tools; we talked about all of the tools that were at the entry point, such as IAM Identity Center. And then we looked at detective tools that are meant to basically help detect vulnerabilities in your AWS environment, basically inspect your environment and try to tell you what has happened. So these detective tools, they come after the fact; they detect something that has happened only after it has happened. Then we went ahead and we looked at infrastructure protection, where we talked about things like Firewall Manager, AWS Shield, AWS WAF and Systems Manager, and all of those, because it helps to protect your infrastructure and try to prevent bad things from happening in your environment. And then we looked at data protection, where we talked about KMS, ACM, certificate authorities, Secrets Manager, and how you encrypt your data.

And then one last thing that I wanted us to touch on for data protection was Amazon Macie. Amazon Macie is basically a service that AWS offers that helps to detect confidential, personally identifiable information that you are storing in your data sources. So let's say, for example, you collect big data, or collect data, and store that data in an S3 bucket, for example. When you use Amazon Macie, Macie would basically help to identify all of the sensitive data that you have in your S3 bucket. And it happens multiple times where organizations that deal with sensitive data will be collecting data from different data sources, and once they collect all of this data they download the data into an S3 bucket, and multiple people can have access to that data in that S3 bucket, which could be a violation because the data can be exploited if there is sensitive data in it, for example Social Security numbers, dates of birth, all of that sensitive data. So when you implement Amazon Macie in your environment it helps to automatically discover and protect the sensitive data for you. Okay? So it doesn't just discover it; it goes ahead and discovers it and then tries to protect the data for you, it highlights it for you, and it has a whole process that you implement, because it uses artificial intelligence, I mean machine learning, to continuously monitor your data as the data is coming in from the different data sources.

We do have a runbook for Amazon Macie, which I'm going to share with you all, so that in your small groups you can work on the runbook and just implement it. Now, I have used Amazon Macie. You typically use this service if you find yourself in an environment where you're working as a security architect or as a security person, so it's a service that's meant for the security team. If you're not part of the security team, if you're just part of the DevOps team or part of the operations team, you would not necessarily use Amazon Macie, but it will be implemented in your environment to help detect sensitive data in the data storage that the company is using. So this runbook, when you implement it, will basically help you to understand how the service works, and it can help you even when you get into an environment where you're tasked with implementing that service. Okay? So when you guys are in your small groups, try to take some time and just implement Amazon Macie as well.

So let's talk about it. Amazon Macie, let's define it: Amazon Macie uses machine learning to automatically discover, classify and protect sensitive data, such as PII, which is stored in AWS. Okay? So it automatically classifies the data. When the data first gets into AWS, Macie would classify it, and then it's going to take its time to understand the data, and then if it finds that within that data there's some PII, personally identifiable information, it now takes steps, and these are steps that you have already predetermined when you're setting it up. So it takes those steps to encrypt or to protect that data so that the data cannot be accessed by an external third party, or the data cannot be easily tapped by third parties. So it's a really powerful tool, and the beautiful thing about Macie is that AWS does a lot of the work in the background for you. You don't necessarily have to do anything once you set up Amazon Macie, and you can use any form of automation, such as Lambda, that would basically say, okay, if you discover this data in this S3 bucket, then take the following steps to protect the data. It helps a lot of companies, especially when you're working for companies that have to comply with things like GDPR or HIPAA; those companies, you see that they use Amazon Macie a lot to protect all of this sensitive data in the customers' environment. So I would go ahead and share the runbook with you guys so that you can implement it, and then if you have any questions on it you can bring them to our next class and we'll talk about it. Okay, that was the last piece of data protection that I wanted us to talk about.

After data protection we have another category in security that focuses on incident response.
Incident response is very, very important because it helps to prepare your systems, prepare individuals, prepare the security team to automatically detect and respond to incidents when they happen. You can enable all of these security tools, but if you don't have an incident response plan it will become very, very difficult for you to have a system or a process in place that can easily respond to an incident. By the time you want to respond to an incident, it must have already gotten into your environment and even gotten into the higher environments of the company. So when you have a very good incident response plan it helps to protect the environment and make sure that even if you have a security incident, the impact is not so bad on the organization. Okay?

So as far as incident response is concerned, there are some tools that you have to think about. For example, Amazon EventBridge. Amazon EventBridge basically helps to connect applications that are doing different things. It has an event architecture that tracks all of the events that are happening in your environment, and you can use that to build different automations. Okay? Say, for example, you can say: if somebody opens port 22 to the general public in the environment, then it should trigger certain things to happen. Now, in order for those other things to happen, EventBridge has to detect that port 22 has been opened on this EC2 instance for it to trigger a Lambda function to do other things. So EventBridge is basically that service that enables your incident response to be automated. Okay? It's not a security tool per se, but it's a service that basically helps to enable, I would say, the automation of your incident response plan. Okay, that's what EventBridge does, because you see that even in cases where it's not security related you still use EventBridge. You can still say certain things should be triggered if somebody drops an object in an S3 bucket: it will create an event, you have a Lambda function that will take the object and analyze it and distribute the object to different environments. That's not a security incident, but it's basically an automated operational process that is using EventBridge. So that's why I'm saying that EventBridge is not a security service per se, but it helps in incident response because it helps to make things automated.

And then we have a service, Amazon Detective. Amazon Detective is a service that helps to investigate. Look at the word "detective": what does a detective do? Amazon tries to name its services or its products so as to make them very relatable to things that we know. So Amazon Detective helps to investigate and analyze the root cause of security issues. Okay? It helps to investigate and analyze the root cause of security issues. Now, this is a really good tool, because two years ago a company I worked for had a security incident and we needed to do what we call RCA. RCA means root cause analysis. And so it took us a long time of looking into logs and trying to analyze logs and all of those things to be able to know exactly what happened, what caused that security incident. But now, when you have Amazon Detective already enabled in your environment, you can easily automate your incident response plan, because with Detective it will automatically collect the data, analyze the data and try to put the data in a way that when you come you just read it and you understand what has happened. It can even give you a visual analysis of everything that happened. So it's really a good tool to incorporate in your incident response plan. Okay?

And then we have tools like AWS Backup and Elastic Disaster Recovery. These are basic tools that help to ensure that even if you have an incident you will still have business continuity because of these tools. Okay? So I'm talking about AWS Backup; we've talked about AWS Backup before. And then we have another tool that's called AWS Elastic Disaster Recovery. It's a disaster recovery service; it's a tool that you set up as part of your DR strategy so that when you have a disaster you can easily just use it to recover from the disaster. Okay? It enables you to quickly recover when you have a disaster. Backup enables you to back up everything that you need to make sure that you have a copy of your data stored in another region using AWS Backup. So these are not security tools per se, but they are meant to ensure business continuity in case of an incident. Okay?

So if you want to look at a scenario where, when you have an incident response plan in place, it can easily help you: let's say that you work for an organization that is handling sensitive customer data, right? So one day a suspicious activity happens on an EC2 instance. When you're using all of these security tools, or most of the security tools that I've mentioned, if you're using a tool like GuardDuty, GuardDuty would basically be able to detect that something has happened on that EC2 instance. So we have GuardDuty to detect that a suspicious activity has happened on the EC2 instance. Say, for example, somebody is trying to get into your environment with a malicious IP address. Okay? Now, because this is going to lead to unauthorized access to customer sensitive data, GuardDuty will detect that suspicious activity. Okay? So, let me say what happens first: a malicious IP is trying to access customer sensitive data on EC2. Okay? So the first thing is GuardDuty will detect the suspicious activity, and it will send out an alert to EventBridge. Okay? EventBridge will trigger a Lambda function that will block the IP address via security group rules. This is just a simple example. Then once that happens, Amazon Detective will start doing its work. Amazon Detective will analyze the instance; it wants to gather more information on where that IP address is coming from, it wants to look at things like CloudTrail logs, it wants to look at the data that has already been compromised on the EC2 instance; it's doing a root cause analysis to understand exactly what happened and the impact. It wants to understand the impact of the incident: what happened, and what amount of data on that instance has been compromised. And then, while all of that is happening, you already have your data that's backed up using AWS Backup. So the backed-up data is in AWS Backup. And then EventBridge will send a notification via Slack to the security team channel. Okay? And then, while all of that is happening, you can use Elastic Disaster Recovery to recover any compromised service, or if an application is compromised, you already have that backed up in Elastic Disaster Recovery so that you can easily recover from that.

Now, typically, most organizations always have someone in the security team who will be on call. Okay? Now, if you're on call, when you receive that security incident on Slack you'll be the one to start responding to that incident. But what happens is, when you have a structured incident response plan in place, it makes it really easy for you to respond when there is a disaster, as opposed to the security team going in now to stand looking at the logs and trying to understand what happened, where did it happen, which other services are compromised. Detective has already done the majority of the work for you: gathered all of the necessary information, put the information in one place for you to just come in and absorb the information and try to think of, or write, a report of the incident that happened. So it makes things really easy when you have a disaster recovery, an incident response plan in place. Okay? All right, let me take questions.

Oh, hello Prof. With this particular scenario, I just wanted to know if, let's say, a hacker sort of hacks into the network, are there tools for us to sort of use to just destroy the entire network and sort of back it up from our backup?

Yeah, yes, so all of those things can be engineered. Okay? You can engineer a process where if somebody hacks into your environment you completely shut down the environment. But now you need to think about business impact, you need to think about recovery: if you are shutting down the environment, how long does it take for you to spin up a new environment and reroute DNS to that new environment? All of those things have to be factored in before you say, okay, I'm going to shut down the environment if we have an incident. Okay? Does that answer your question?

It does, thanks.

You're welcome.

Well, please can you help me on the difference between AWS Backup and Elastic Disaster Recovery? Because I thought Backup automated the process of backing up, like, the servers, right? And then with Elastic Disaster Recovery you can also use it to back up servers, right? So I want to know the difference. Then secondly, my question: one of the incident response plans in the
scenario you just gave, where a malicious IP has accessed the environment to access sensitive information. Now, you gave a very powerful scenario, and one part of it is that a Lambda function can block the IP address via the security group rule. Now, my issue is the fact that if a malicious IP is already accessing the environment to take hold of information, it means there is already a security gap, maybe a port, that was open, right, to that IP to exploit, right? So is it that the Lambda function now is going to close that port, or is it that the solution would be that the Lambda function will set in like a WAF, like the WAF that we did in the last class, to blacklist the IP that has been identified? So that's my question.

So the truth is that it depends. Okay? When you're writing your Lambda, Lambda is one of those dynamic things that you can write to do anything that you want it to do. Okay? You can write it to block anything that is red-flagged from GuardDuty, because you know that GuardDuty is meant to basically detect things that are happening in your environment that are not supposed to happen. So if anything that's happening from GuardDuty, or maybe within GuardDuty you have highlighted the key things that you know will be a red flag, and so the fact that that incident has been detected by GuardDuty first and then EventBridge is notifying Lambda, you can write your Lambda in such a way that it automatically reacts to it because it's coming from GuardDuty. Okay? And you can do two things: you can write it in a way that it creates a WAF rule to block that IP, or you can write it to create a security group rule to block the IP as well. But now with security groups, if you look at security groups, there's a difference between a security group and WAF, because a security group is a firewall at the level of the instance, but WAF, excuse me, WAF is higher than the security group. So you can choose to say, okay, I don't want to just block the application, I don't want to just focus on the instance, I want to focus on the whole environment, and then the Lambda function will automatically block it at the level of WAF. You can do either of them; this scenario is just an example. Okay?

And then to your question on Elastic Disaster Recovery and Backup: so you can use Backup to take EBS snapshots. Okay? Let's say in this case the only thing that was compromised was your instance. When that instance is compromised and you shut down the instance, then AWS Backup will be the best tool to use, because you just use the EBS snapshot that you have backed up and stored in another region to restore it, to create an AMI and then to restore it to a new EC2 instance. But now, if the level of what has been compromised goes beyond a single EC2 instance, let's say it goes to the level of multiple applications being compromised, then Elastic Disaster Recovery would be the best tool to use, because you can easily recover multiple applications in the case of a disaster. Okay? And the beautiful thing with Elastic Disaster Recovery is that it has this continuous replication that's going on, so if an incident happens you can easily shut it down at that point and then you recover everything that has been replicated, okay, based on how you set it up. So those two tools really depend on the scenario. What I gave you was a high-level step of a simple incident response plan, but now, if assuming that we are all part of a security team and we're trying to draft an incident response plan, it would definitely go much deeper than what I just listed. Okay? What we have will just be the high level, and then we will start diving deep into the different scenarios and how we want to respond to the different incidents that happen. Okay?

Yes, Prof, thanks very much.
You're welcome. Victor? Yes.

Hi. I have two questions. One of them is just, I'm thinking, if a bad actor actually has gotten to the instance level in our VPC, in our environment, isn't that a significant failure of all the checkpoints that we've put starting from the outside in? Things like, you know, WAF right out there, the Inspector that is supposed to do vulnerability scanning and find where the potholes are, and then when we now get to the level of the EC2, you mentioned the use of, what's it called, security groups. I thought security groups basically block everything first and then open certain ports to get things in; I thought that was the concept of a security group: nothing is open basically until you allow stuff to come in. So for an actor to have reached that point, then it's a gross failure of our security network.

So many things can happen for something like that to happen. Okay? So many things can happen, and I've seen different scenarios. In some scenarios it's somebody that is very new to AWS that was trying to test something, that just went ahead and opened the port and said, okay, I just want to test this thing and then after that I'm going to close it back, and then you test it and then you completely forget. Actually, the incident that happened that AWS had to be brought into was because there was someone in the company that had been in that company for 19 years, and the person had been working on premises, and the company was just transitioning to AWS, so they wanted everybody in the company to get AWS training as fast as possible. So they gave everybody all the access that they need to the AWS environment, and people were just trying and testing different things in the process of learning AWS. Now, this guy went into the active live environment, and he was trying to test something there, and went ahead and opened a port to the general public and made the subnet become a public subnet, because he just wanted to get it to work, and then he could start narrowing down and closing all of the ports that he opened. But now he completely forgot to do that, and it was a Friday. On Saturday the security incident happened, Saturday night, break, and Sunday, and that's when AWS notified the company and said, okay, we see a suspicious activity. They didn't have GuardDuty or any of those things on. "We see a suspicious activity in your environment, and it's a Sunday, so we want to check: if you intended to do this thing, then disregard our communication." And that's when everybody was called in. It was a whole security incident. They had to shut down the whole environment, like literally they had to close the accounts and went ahead and opened new accounts. The good thing is that they had everything built in code at that time, so they just used Terraform to deploy it into the new accounts, but it took a while for them to fully recover from that.

Wow. Okay.

Different scenarios can happen that can lead to those things, especially if it's a new company that is still trying to gain their bearings on AWS.

Is it possible, like this scenario that Victor has given, is it possible that all the security groups, everything, is well fortified, right, but through maybe a phishing email, right, that you thought was from your organization, you just click the link; can it open your environment, you know, to hackers?

I would tell you that hackers get creative every blessed day. Okay? They can write a script that can do multiple things in your environment. I don't know if you can receive an email and then that email would lead to you getting, it will get into your AWS environment, but things are possible, because hackers are getting creative. But most of the time, any form of vulnerability that gets into your AWS environment will be tied to a door being open in some way. Okay? It could be through an EC2 instance, through a port, or it could be through your credentials being compromised, or it could be through code that you have pushed to a repository in GitHub and that code contains some sensitive information and that information is not encrypted. Okay? So anything can happen, and that's why AWS has all of these security tools and they keep creating many more security tools every day to make sure that companies will use them to make their environments more secure. All right, any other question? Robinson?

Yes, ma'am, can you hear me? Hello?

Yeah, we can hear you.

Yes, I wanted to ask: with all these tools available, is there still a need to work with a cybersecurity analyst?

So, yes. What you should know is that these tools are focused on the AWS environment, and if you look at it, for the most part they are mostly focusing on AWS. Now, cybersecurity would come in depending on the complexity of the application and the complexity of the data that they're using, and also if it's a hybrid environment. So in some cases organizations will have the majority of their workloads in different platforms, and so the cybersecurity analyst will be there to do further analysis on all of these other tools. And sometimes it's because, for example, Amazon Detective is a service that a lot of companies have not used because they don't know it; it's not a very old service, it's a new service, and before Amazon Detective they've been using other things, and that's what the cybersecurity analyst has been doing. So AWS's job is to try to remove the manual process of analyzing these things and create it as a service so that you can just consume it. But if a company still has hybrid footprints, they'll still want to use Amazon Detective, I mean, they'll still want to use their cybersecurity analyst to do the things for them, or things that they have been used to. Does it make sense?

It makes sense, thank you very much.

All right, Emma, go ahead, and then we can proceed.

Yeah, I just wanted to ask how expensive these tools are. Are they free tools to use, or how much is it? Like, if you were to get even all of them, is that going to break the bank for a company?

So AWS has a way that cost is driven on the platform. If you see a tool that uses AI, it means that tool is powered by some compute; know that there's some cost associated to that. If you see a tool that does some work, maybe analysis or something, know that that tool has some cost in it. Okay? So I think I mentioned the three main cost drivers on AWS: data transfer, compute and storage. So now most of these services that AWS offers are being powered by some compute that's doing the work in the background; when that thing happens, know that there's some cost involved. Most security and governance tools are free, but if you have any of those tools that has some compute or is storing some data in S3, then know that there'll be some cost. For example, CloudTrail is free, CloudWatch is free; you only pay for the logs that are being stored, but the service itself is free. VPC, security groups, subnets, all of those things are completely free. Okay? So it will depend on the service, and if you want to know the exact cost you can go to the AWS documentation, because most of the time when you are recommending these services to clients they will ask you how much this is going to cost them, okay, what is the average cost per month, and AWS has all of that documented by region. So if you're using California, services are more expensive in California than in a place like Virginia. All right?

So let's move on. Now, as companies begin to scale on the AWS platform, right, typically a company would start... let's assume that you want to start a business today.
Let's assume that you want to start a business, and the first thing you want is to host your application on AWS. The first thing is you go to the AWS platform and you create a single account, and then probably in that account you create an EC2 instance, you create a database, and then you host your application on the EC2 instance, and you start sharing your application IP, or your instance IP, for customers to start reaching your instance or your application. But now, as time goes on, let's assume that the product that you're selling is something that people like, and so many more people are purchasing your product; you see the need to scale. You can start scaling by saying, okay, one EC2 instance is not enough and I'm going to add more, and then you start adding more services like an Auto Scaling group into it, and then you start adding more governance and monitoring services to make sure that you're monitoring your environment well. And it doesn't just end there; you may say, okay, we need a DevOps person, we need an operations person to come and help make sure that our environment is functioning properly, so you start hiring more people to work for your company. And then after a while you realize that one account is not enough. Maybe when I started I had just one EC2 instance and I was using that EC2 instance to host my live application, but as I'm scaling and as my business is growing, I decide to say, okay, within that account I will have one VPC and I'll call that VPC my test VPC, and then I'll have another VPC and I'll call it my production VPC. So if I want to test something I'll come to VPC 1, I'll test it, and if it works fine then I'll push it into VPC 2 and I'll implement it, and so my running applications are coming from here.

But, like I said, as you're scaling you're hiring more people for your company, your customer base is also increasing, which means that when you started, let's say you had just about 50 customers, but down the road your customer base has increased to maybe 500 customers; your business is growing, and you'll see the need to move from one single account to multiple accounts. So you say, okay, I'm going to have a whole account that will be my dev environment, and then I'm going to have another account that will be my test environment, and then I'll have another account that will be my pre-production environment, and then I'll have another account that will be my production environment. It's not like this is going to cost you anything; these accounts are free. It just helps you: having multiple accounts helps you to structure your environment in a way that's cleaner, so that you know that you can isolate different environments, one environment from the other. It makes things very, very easy. Okay? Because when you isolate these environments, if somebody compromises your dev environment, you know that, okay, only my dev environment is compromised, unlike before, when you had two VPCs, both dev and prod, in the same account: if a hacker gets into this account you cannot tell what level of impact it has on your production environment, so you'll be forced to shut down the whole environment. But when you have an architecture like this it becomes really easy, because your environment is all isolated. If the dev environment is compromised, only the dev environment is compromised; if the pre-production environment is compromised, only the pre-production environment is compromised; if test is compromised, only that is compromised. You can clearly say that, okay, my production environment has not been compromised yet. Okay? So this is what we call a multi-account structure. Okay? So as businesses begin to scale, they see the need to move from a single-account structure to a multi-account structure. Why? Because the multi-account structure gives you the ability to isolate, to create strong boundaries between your environments, and reduces any form of incident or accidental cross-environment interactions between environments. Okay? You can say that only a group of people have access to production; the remaining people will have access to the lower environments. Okay? And it helps a lot to keep things cleaner in your environment.

Now, managing multiple AWS accounts individually can be very challenging. Managing AWS accounts individually when you have a multi-account structure can be very challenging: it's very time-consuming and it's error-prone. Okay? And I'll give you the reasons why I say so. Let's say that you have four accounts: you have a dev account, you have a test account, you have a pre-prod account and you have a prod account. Let's assume that your manager decides that we want to have a specific account to host our security tools, that account where we'll set up all of our security tools: GuardDuty, Inspector, Config, all of those things. Now, when you want to create that account, you need to go through the same process that we went through when we were creating our accounts: you go to the AWS website, you log into it, you put in your name, your email address, your home address, your credit card number, you verify it and then you create it. And then if you decide that you want to add another account for DevOps tools, you need to go through the same process. You decide that you need to have another account for your networking tools, you go through the same process. You decide that, I want to add another environment, let's say before I deploy to production I want to stage it first, so you need a staging account, you go through the same process. So just imagine if an organization has to scale and go up to the level of having 500 accounts; going through this process of creating accounts individually can be very exhausting and time-consuming. Okay? So that is one of the challenges of having a multi-account structure where you're managing your accounts individually.

Can I ask, can I ask a quick question?

One second.

Managing individually with a multi-account structure is challenging because, one, account creation, the process of creating accounts, is time-consuming, especially if you have to scale to 500 accounts. Just imagine you entering your credit card number 500 times; it's a lot of work, and it's very challenging because you would not be able to give your credit card information to other people to create those accounts. It has to go through one process, one person, and it's very time-consuming. And the second thing, which is one of the most challenging, is policy enforcement. When you have a multi-account structure, to enforce policy across all of those different accounts can be very challenging, because you need to create... let's assume that you're using IAM users; you need to create IAM users in all of these different accounts. It's a whole lot of work when you're doing that on an account-to-account basis. Okay? Third thing: billing. When you're managing your accounts individually in a multi-account structure, it means that AWS is going to be billing individually, so it means that every month, if you have 50 accounts, you'll be getting 50 AWS bills, and that's a hassle. It's a hassle for your billing team, or for your finance team, to be able to understand your AWS bills, analyze the AWS bills and be able to allocate the cost efficiently. It's a whole lot of work. And added to this separate billing we have loss of discounts, because AWS has a process where it says that if you use up to 50 gigabytes of storage a month I'll give you 20% off, for example. So
If AWS is saying, okay, I'm charging $5 for 10 gigabytes of storage, but if you use 20 gigabytes within the same month I will give you 20 gigabytes of storage for $7, then even though they're charging five, they can give you 20 for $7, so this means that you're saving $3. Now, when you have a multi-account structure (it's a multi-account structure because you still have multiple accounts; you have your environment segregated into multiple accounts, and that's why we call it a multi-account structure) but you're managing your accounts individually, you lose this discount. Because even if your Dev environment consumes 10 GB of storage, your test environment consumes 5 GB of storage, your pre-prod consumes 7 GB of storage and your prod consumes 15 GB of storage, even though when you add these up it goes above 20 gigabytes, AWS will still charge you at $5 for every 5 gigabytes of storage, because you'll not be able to get the discounts, because you are not managing all of these accounts together; you're handling them individually. And I've seen multiple cases where companies are managing their accounts individually, for different reasons.

So AWS has a service that is called AWS Organizations, and AWS Organizations is meant to help you manage your multi-account structure like a single environment: put them all together and manage them together. With AWS Organizations things will change; all of these disadvantages that I mentioned here are going to change. Let's take them one after the other. The first one says that the process of creating an account is time consuming. It's time consuming without AWS Organizations because you're doing it manually, but with AWS Organizations account creation is done programmatically. So with AWS
Organizations, account creation is done programmatically. This means that, as opposed to you going to the AWS website and putting in your first name, your last name, your email address, your credit card number, your home address and then verifying all of those things, you just go into the AWS Organizations console and all you need to do is give your account name (that's the name you want to call the account) and give your email address, because every account is tied to a new email address. That's it, and AWS Organizations will launch the new account for you. So account creation with AWS Organizations is very easy: if you want to create 500 accounts, you can create 500 accounts within the next five minutes. All you need to do is have the 500 email addresses that you need to tie to the 500 accounts. That's it; it happens programmatically for you and makes things really easy, so it saves a lot of time with AWS Organizations.

The second thing that AWS Organizations brings to the table is centralized management. Now, when you're using AWS Organizations, there's a structure that it gives you. You have what we call the management account. The management account is the account that you set up AWS Organizations in; that account becomes the management account. And then every new account that you create from AWS Organizations, you call it a member account. So let's say I have my management account and then I want to create my new account; I'll call it Dev. Dev is a member account. So Dev account, test account, production account: this is the management account and these are all member accounts, in blue. That's why, when I say that it gives you centralized management, it means that the management account has control over the member accounts. The management account can decide what the member account should do and should not do. If the management account doesn't want the Dev environment to have access to S3, the management account can block the Dev environment from having access, meaning that you cannot even create an S3 bucket. If the management account doesn't want you to create resources without tags, it can block you from doing that. Okay, that's what I mean by centralized management. The management account can decide and say, okay, I'm giving this Dev account $500 a month to spend on your AWS bill; when you go beyond $500 a month, then you're not able to create any service. You can do that because you're managing your member accounts. That's what I mean by centralized management: now everything is being managed centrally by the management account.

Centralized management is executed by using policies, and one of those policies that is mostly used by AWS Organizations to manage its member accounts is called service control policies, also known as SCPs. So just look at the name, service control: I control what you can do for each service, I control what you can create and what you cannot create. I can deny you, I can allow you; I can basically determine what you should or should not do. So within this management account I can write an SCP and I can put that SCP on the Dev environment. It will give the Dev environment access, or restrict the Dev environment from doing certain things, but the other environments can do the thing because I've only applied that policy to the Dev environment. I can decide to apply the policy to all the accounts individually and it will basically give me the ability to control or determine what those accounts can do. And when I say it's controlling that account, it means that it's basically saying that if you have access to that account, you cannot do certain things or you can do certain things. Hence centralized management.

The third thing that AWS Organizations brings to the table is consolidated billing. So remember when I said in point one that with AWS Organizations your accounts are created programmatically, and I said you only need two parameters to create an account: you need an account name and you need an email address. I didn't mention anything about a credit card number, I didn't mention anything about a home address, I didn't mention any of those things, because the member account is using the credit card number of the management account. The member account is using the home address of the management account, the location of the management account, because we all belong to the same organization now. So another thing that AWS Organizations brings is consolidated billing, and consolidated billing basically means that when I'm a member, or when I belong to the same organization as my management account, I don't have to worry about my AWS bill. I don't have to worry about it because the management account takes care of all of the bills. If I'm a member account I don't need to worry about the bills because it's being handled by the management account. So when you're a member account and you go to the billing console, you will not see anything there. Let's say you have access to the Dev environment: when you go to the billing console it will tell you that the billing is being handled by your organization. But now when you go to the management account's billing console, you'll see your bill, and your bill has been categorized by account. So your AWS bill is going to tell you that Dev spent 500, test spent 1,000, production spent 2,000, and then when you drill into the bill it will tell you the services that each account was using. It will give you all of the details that you need to know about where that cost is coming from. Okay, so consolidated billing is one
of the things that AWS organization brings and makes things easy for you to manage manage your environment easily okay all right let me pause and take some questions I see Four Hands Up okay let me start with Victor oh my own is so long ago I can't even remember what I was going to ask but um I think um yeah I was trying to I was trying to say that the the concept of creating multiple accounts I think this last slide is what actually what made it clear to me that was the first question I was going to ask because I was thinking are we going to now be doing credit cards for each time I putting my account and all that but you you answered it with this slide but I wanted to also ask when did we is this is a new topic we're we're treating right right now right so I wasn't sure when we moved from security into this and what topic what would we call this topic we we're discussing now where does it fall under it falls under governance so yes we're moving from security into governance thank you we're diving into governance now um M hi Prof um in terms of um the parameters is does it leverage it from the parameter store what parameters like the email um and the you know for the member account if you're creating new members the email and you know just the details that the they have to provide to create um new member accounts does it will so you will need to get know those emails by yourself okay so for example tonight we're going to set up multi account structure we're just going to start with two accounts for tonight you need to have a second email okay and then if you go in an environment and you need to set up their multi account structure the first thing you I always ask is I need the emails for the account because everybody that has operated in AWS knows that you need an email an email that is not associated with any AWS account you need that email to create a new account so the first thing that you want to ask your client is for them to give you an email that they will 
use that you use to create that account but if you're using Gmail you don't you don't need if you if you have a Gmail account you don't need to create a new email tonight you can use that same Gmail Gmail has something that's called a prefix right so say for example your your email is [Music] John at gmail.com and you already use John gmail.com to create an account to create the account that you're currently working from if you want to create a second account to implement your multi account you can just Add a prefix to it so you can just say John plus
[email protected] you want to create a set account you just say John plus
[email protected] this is really a good feature that Gmail added so if you have a Gmail you don't need to worry if you have a Yahoo then you may need to create another email address because Yahoo doesn't have this this option okay and the plus one or plus two is plus anything okay it's not necessarily numbers you can put anything so it can be John plus Mary anything but you just need to use the plus sign and then you add any character it will give you the ability to treat that as a new email and if I if I send an email to John plus
[email protected] it will still come to your email but anyway to answer your question Ma you those parameters you don't store them in parameters store you hold them by hand because the only time you need them is when you're creating your account okay okay Al so in terms of let's say we're actually using like um AWS tools to sort of create this accounts um using Code rather than doing it manually are we are we going to put these details in on parameter store or it's something we always do mon yeah you you can but it means that you need to be updating parameters store every time because you can only use it one once once you create the account you don't need the the details anymore okay you can when you tomorrow we're going to talk about control tower and with control tower have we have a service that's called service catalog where you have a product and then you can pass the parameters for that product into into parameter store but yes you can do it you can do it like that but you need to know that it may not serve you for a long time because you only need do once to create an account oh okay yep unless unless have unless let's say you work for a company let's say you work for JJ Tech in.com and you have an automation that automatically creates these email addresses from the mail server then that's when you can see okay when that automation creates the email address the automation will store the email address in parameter store and then um I'll pick it there by code to create the account that will make sense but if you have to manually go and update parameter store every time to put the email addresses there it will not be too uh it will not make too much sense for you okay I understand oh thank you you're welcome Obi I um I have to question first of all as this parameter store is this is this another service that's different from the um Secrets manager yeah yeah we had a conversation on parameter store right obit okay maybe I missed that okay I I I've been looking 
through my notes to figure out if it talked about parameters store and I couldn't find it okay I have to go back go check go check our class on System Manager okay we talked about paramet store in uh System Manager capabilities I think was the last capability it was the last SSM automation TX manager run command okay I I didn't I didn't capture it probably maybe that's my bad but the second my my primary question was this back to um what we're talking about today how is this different from root root account and for instance we have we created a root account and all the work that I've done uh since we started this class it's actually been on the secondary account but it's still tied it's still connected to my root account I think how is what we're talking about today different from how is AWS different from that kind of structure okay okay so let me explain how that is different okay so when we started back in couple months back we created an AWS account let's assume that this is the account this blue square now within that account when you were creating the account you needed to use your email address let's say when you're creating the account you created it using obid at gmail.com now @gmail.com because you use that email address to create the account that email address becomes the root user for that account only okay let's say this is account one for account one only it's the road user and during our class our sessions we said that it's never best practice to operate as root in your environment because when you break something as rude you can barely fix it because you don't have there there's no there's no privilege that goes beyond the root the root is a highest is a is a superior person in their account so it's good to create other users that have lesser privileges when you compare it to the root so that if those users have have issues or to break something the root can easily fix it okay and that's when we went ahead and we created an IM am user and all 
through we've been running our hands on using the I am user credentials but all of this the ob. Gmail and I am user they only operate within account one they only operate within account one but now when we're talking about multi account structure we're saying that you don't want to only use account account one you want to go beyond account account one and create a second account and call it account two within this second account you need another Gmail address let's say because you're using Gmail you use obid +
[email protected] so obit plus
[email protected] will be the root user for account two okay and then you can now go into account two and you start creating your own IM users but this is how the structure is obid this obid does not have access to account to obit gmail.com does not have access to account two because it's a r user of account one only okay this is what we call multi account structure you're trying to structure your account by setting this boundaries that will limit users in one account from having permissions to the other account and then you can host resources differently does that make sense yes it does thank you you're welcome Emma yeah um you said that that um if we needed to check our billing and and on the on the member um Council we we won't be able to see the billing but if we went to the management Council um to check that we will be able to see the billing so I'm wondering if the member has access to management wouldn't they be a able to change stuff in there so you mean you mean change stuff where yeah in the management Cil because management Cil you can change Stu for the whole all the whole of or for the different different accounts you have uh available but and it it the member member um um consoles or me the member accounts are supposed to be accounts that shouldn't have technically shouldn't have have access to management right yes so how are you able to view your billing on the on on the management account so this is what happens the management account has elevated privilege because it's managing the other accounts right so the first thing in a company is that you want to limit those who have access to the management account I've worked in environments where I've never ever interacted with a management account because I have no reason to they when I when when you go into the environment if if you're there to help them build some some sort of an infrastructure then they will just give you access to the account that you need to build infrastructure you don't need to 
know if there's a management account you're not concerned with the AWS bill when you're working for a company the only reason why you're concerned with the AWS bill is because now it's your own account and you're paying the bills but when you're working for an organization even if the bill comes 50,000 it's not my business right so you don't necessarily have to have any Reon reason to interact with the building console as a member account but now typically the management account let me tell you people that have have access with the man to the management account you will have there's a team that's called ccoe team it's called Cloud Center of Excellence CCO means Cloud Center of Excellence that's the team that would have access to the management account because they are there there to push policies and control what devop team is doing operations team is doing applications team is doing they're controlling it when you're part of the ccoe team then you have access and you have more control over the member account sometimes Finance team because the finance team would need to go into the management account and Export a CSV file of all of the AWS bills that you have for all of the other accounts analyze it and then we'll be able to allocate the cost or pay the bills if you decide that you don't want to give the finance team access to the AWS because what I've seen is sometimes you give the finance team access to AWS but they don't the finance team doesn't know anything on the AWS console they don't even know how to navigate to the billing console they don't even know how to navigate to S3 unless you want to give them that training but what I've seen multiple organizations do is they they use a service that's called sees sees means simple email service so they use sees to automate the process of exporting so you use you basically use Lambda event Bridge SES SES to automate the process of exporting the AWS bill from the month and emailing it to the finance team because 
that's all they need when they get into the management conso when you do that then they will not need access again to the to the to the management account make sense yes thank you you're welcome Victor I was talking on mute uh yes I was just um thinking here uh looking at this diagram right here you you have obid at gmail right that's an email and let's say you have 16 different different accounts for example each of them OB plus X right where does the email um communication from each of these particular accounts go to is it the same obid at gmail the very first one so that you see them coming in because how do you manage all these emails that will be coming in to reflect what you've done in that particular group yeah all of them go to the obid gmail.com but now when it's coming and you go into your inbox you see that it was sent to obit plus one or it was sent to obit plus two okay see let you know so like for example in AWS let me tell you what AWS does to all his employee when you're an AWS employee you have the ability to create as many accounts as you want oh many there was a because every time you're working on a project you you can create a brand new account a brand new environment and you test whatever you want to test and sometimes you create those resources the resources will be running there for a very long time and you not the only time that you receive an email for you to look into your account is when you open the port open or you do something that is a security risk that creates a security event okay say for example you open an S3 bucket you because with AWS S3 bucket you can never disable BPA BPA should always be enabled let's say I go and disable BPA I'll get a p a a a page so every AWS employee has a pager that has been installed on their mobile phone so that whenever something happens in your account they don't send you an email your mobile phone just starts ringing so loud very loud and that's a page because probably you've done something in 
your environment that when you did that thing it was not instantly discovered by the the the the the tool that is scanning the environment so maybe it scans at midnight and then it discovers that you get a page at midnight to go and fix it immediately if within five minutes you don't go and fix it you get a second page if within the next five minutes you don't fix it it escalates to your manager and then you see your manager texting you at M night so they give you that flexibility to to create multiple account you can have up to 50 accounts even more in your environment as long as you can as long as you you make sure that you don't cross the boundary of exposing anything in that account you're perfectly fine so what happens is when you get there they'll tell you the process of creating those new accounts it's not like they'll give you it's not like you have 50 email addresses to create those new accounts they'll tell you that yes you can use your same email address but you just need to add a prefix you just need to add something like simp exactly like what would you do with Gmail and every time you do that the email comes to your same email Amazon email address that you have okay okay I I had one more question about creating these accounts so each account you create say for example you you are let's put it this way you migrating from a particular off premises um situation and you've you've created you want to create the dev Dev QA fraud what's the cost implication of making creating three for example I mean there could be more but each one you create has a cost kind of associated with it because they are probably identical replicas of each environment all the way to production M so I'm I'm thinking cost now cost wise for somebody who wants to adopt Cloud how does that play out in their decision to create these multiple accounts in the first place okay so that's a good question so the first thing that you need to know is that oh that you already know that an account 
on its own is completely free right okay you can create one account and AWS will never charge you for anything unless you start creating resources in those accounts so you creating four different accounts to segregate your environment let's say you create four accounts and in those four accounts you have four is one is2 instance in each account is the same as you having one account and four is2 instance in one account true am all right do that again so if you have four accounts account a b c and d and in this each account you have an e to because you don't want you want to say Get it so you have four in instance or you create one account and then in this one account you have four istitute instance h so this is your Dev account this is your test this is your prepr this is your prod or you can just have one account and you say this is my death instance this is my test instance this is my prepro instance and this is my prod instance so do you know that these four accounts is the same as this one account I see okay because the account on its own is free what AWS charges you is the E2 instance that's running in those accounts so the the the boxes in yellow just gives you more structure make things more cleaner make things more secured which is completely free the Box in red jbox everything in one account makes it more cumbersome but it's still the same AWS bill that you're pay it's the same amount that AWS is going to charge you make sense it does it organizes your your environment exactly and that's why you see some companies who go up to if AWS was charging you per account I can bet you that you not see companies having 500 accounts exactly I get into an environment and they say they have 500 account I just at the back of my mind I'm just like you you have some cleanup to do there's no way that you're actively using 500 account but again it's just because the accounts are free as long as you have the email address you can keep creating them okay thanks you're welcome 
all right so let's talk about features of AWS organization and then we'll take our break let's talk about the features of AWS organization so we've already established an AWS organization is a service that gives you the ability to govern your multi account structure okay if you haven't taken down that definition please take it down now AWS organization is a service that gives you the ability to govern your multi account structure okay it gives you the ability to govern your multi account structure and we've said why because with AWS organization you have centralized management you can centrally manage all of your member accounts in that organization with AWS organization you have Consolidated billing you can manage the AWS Bill and that Consolidated billing doesn't just end there you can create budgets that will determine say I'm giving I'm giving your account this amount of budget to spend whereas if you don't if you spend more if you go beyond that then you'll be shut down you not be able to do anything until the end of the month you can create um you can manage your AWS bill you can pay the aw bill you can also you also benefit from discounts volume discounts like I said said without AWS organizations you can lose those discounts because AWS is billing you individually so if you don't reach the maximum or the threshold that you need to reach to gain the discount AWS will not give you that discount but with AWS organization you can because you're you're now under Consolidated billing everything is Consolidated so if account a uses 5 gigb of storage account B uses 10 gigaby of storage stage account C uses another 5 GB of storage when you combine it it gives you 20 gab of storage and so you can get your 30% discount that AWS is offering okay so you can easily get volume discounts okay so for you said we said centralized management to apply service control policies we said Consolidated Consolidated billing and then volume discounts we can get volume discounts okay 
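The volume discount point above, together with the earlier Dev/test/pre-prod/prod storage figures, can be made concrete with a small pricing model. This is an added example, not code from the class or from AWS; the tier table and the per-account usage are constructed numbers, not AWS's real price list, and the chargeback split is the kind of allocation the finance team was described as doing from the management account's bill.

```python
"""Per-account vs consolidated billing under tiered volume pricing.

Added example (not AWS code, not AWS's real price list). The tiers and
the per-account usage below are constructed for illustration only.
"""
from typing import Dict, List, Optional, Tuple

# (band size in GB, price per GB); None = everything above the last band.
TIERS: List[Tuple[Optional[float], float]] = [
    (10, 0.50),    # first 10 GB
    (40, 0.40),    # next 40 GB
    (None, 0.30),  # beyond 50 GB
]

# Constructed monthly storage per account (GB), as in the lecture's scenario.
USAGE: Dict[str, float] = {"dev": 10, "test": 5, "prepro": 7, "prod": 15}


def tiered_cost(gb: float) -> float:
    """Price one bill by filling the tier bands in order."""
    cost, remaining = 0.0, gb
    for band, price in TIERS:
        take = remaining if band is None else min(remaining, band)
        cost += take * price
        remaining -= take
        if remaining <= 0:
            break
    return round(cost, 2)


def billed_separately(usage: Dict[str, float]) -> float:
    """Each account gets its own bill, so each restarts at the most expensive tier."""
    return round(sum(tiered_cost(gb) for gb in usage.values()), 2)


def billed_consolidated(usage: Dict[str, float]) -> float:
    """One bill for the organization: usage is pooled before the tiers apply."""
    return tiered_cost(sum(usage.values()))


def chargeback(usage: Dict[str, float]) -> Dict[str, float]:
    """Split the consolidated bill back to accounts in proportion to usage,
    the allocation a finance team does from the management account's bill."""
    total_gb = sum(usage.values())
    total = billed_consolidated(usage)
    return {name: round(total * gb / total_gb, 2) for name, gb in usage.items()}


if __name__ == "__main__":
    print("separate    :", billed_separately(USAGE))
    print("consolidated:", billed_consolidated(USAGE))
    print("chargeback  :", chargeback(USAGE))
```

With these constructed tiers the four accounts billed separately come to 18.00, while the same 37 GB pooled under consolidated billing comes to 15.80, because only the pooled bill reaches the cheaper band.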
Volume discounts. All right, now let's talk about the key features that AWS Organizations offers. These key features are important; we've already touched on them, but let's talk about them so that you know that these are the main features that AWS Organizations offers.

The first thing it offers is called organizational units. An organizational unit is a container that AWS Organizations offers for you to create a hierarchical structure to group your accounts inside. Okay, so it's a container that creates a hierarchical structure for you to group your accounts in. So let's go back to our structure right here; remember this diagram where we had the Dev account, the prod account, the pre-prod account, the test account. Let's look back at this structure. Let's assume that we don't just have one Dev account; we have multiple Dev accounts. You can choose to create an organizational unit. Remember we said that an organizational unit is a container that gives you the ability to group your accounts and gives you that hierarchical structure. So you can decide to create that container and call it a Dev OU (OU means organizational unit), and then inside that container I'll start putting my accounts. I'll say Dev 1; after I create a new Dev environment, Dev 2; I create another Dev environment, Dev 3; I create another one, Dev 4. Same thing with test, because typically in most of these environments you'll not have just one account to represent an environment; that's how companies grow to the point where they get to like 500 accounts. So you have a test environment, and you can create a test OU and then you start having test 1, test 2. Same thing with production: you create your production OU and you start having your different accounts inside the container, which is the organizational unit. So that's what an organizational unit does: it's just a feature within AWS Organizations that helps you to group your accounts in different ways. You can choose how you want to group it. Maybe you don't want to group by environment; maybe you want to group by department. You can say I'll create the marketing OU, I'll create the accounting department OU, I'll create the finance department OU, I'll create the communications department OU, and all of those things. So you basically build your organizational structure the way you want to manage your organization.

It's really good because it helps you to apply your policies. If I have a service control policy, I can decide to write a policy and only apply it to my Dev OU (service control policies are our next feature of AWS Organizations). When I apply that policy, it's basically going to be applied to all the accounts within that OU. If I apply my policy at the OU level here, this red square, all the accounts will basically inherit that policy. If I apply my policy at the level of the management account, which is the root here, then the policy will be applied to all the organizational units in that organization. So there are three layers at which you can apply a policy: you can apply the policy at the level of the root, at the level of the organizational unit, or you can come and say, okay, I just want to apply this policy to Dev, therefore you apply it directly to that account. So these are the three main levels at which you can apply your policy, and it really helps, because sometimes you can say I don't want the Dev environment to have access to this service, I don't want the Dev environment to be able to do this thing. So there are some things that you want to happen in prod but you don't want to happen in Dev, and there are some things that you want to mandate across the whole environment, for example tagging. Tagging is one of the really critical things that a lot of companies use to enforce some strategy within the organization. If I want to enforce tagging in all of the environments, then I would write my SCP for tagging here and apply it at the level of the organization, so that all accounts inside the environment would adhere to my tagging strategy before they create a service. Okay, questions?

Hi Prof, I just... can you go to the organizational units notes, please? Thank you.

Hi Prof. Hello, yes, go ahead. Yeah, this question is actually from earlier. I just wanted to know, regarding sending the SES reports to the accountant, is it something that can be accomplished by SNS? No, it depends. SNS can send you a notification, but that notification will not carry an attachment, so there are some things that you can use with SES because with SES you have the ability to attach. SES means Simple Email Service; you have the ability to send just emails. With SNS you can do more than emails: you can send text messages, you can send messages to applications, you can trigger certain things from an application level. But with SES it's just email, and with that you can attach. So if I want to use SNS for this particular scenario, what I'll do is I'll export the CSV file; I tell the Lambda function to export the CSV file, put that file in an S3 bucket, then I will send you an SNS notification with the link to the S3 bucket to go and download it yourself. But SNS cannot carry the CSV file. So the main difference is, with SES, in terms of sending emails, you can actually add attachments, which are the files that you want to send to the accountant. Yep. And the last thing that I wanted to know is, has your pager ever gone off? Yes, multiple times. One time, when I was completely out of the
country, I was in Cancun, and the pager went off and I don't know why, because I was on leave, but it looks like I did something. Because sometimes when you're implementing these blogs (AWS has lots of blogs), I was working on a solution, I implemented the blog, then I did not clean up. So sometimes the blog would open certain things that AWS doesn't necessarily allow you to open, and so for some reason the security scan did not pick it up until I had traveled, two days after, and then my pager went off.

Okay, thank you.

And then there was one time, that was one or two years ago, I was doing something and somebody was testing something in my account. I gave somebody access to my account and the person was testing something, and then for some reason the person did not clean up, and then immediately the pager went off and we had to shut it down. So yep, you always experience that your pager can go off for so many different reasons. And when you switch mobiles and your pager is not active, it alerts your manager immediately.

What if your phone is not in service? Is there another way to get notifications?

Your manager will be alerted. For example, if they cannot reach your pager (because they always text it from time to time to make sure that it's active), if they cannot reach it then your manager will be alerted and your manager just starts texting you.

I understand. And finally, is it just native to AWS, or does AWS offer this sort of pager service to other companies?

I think the pager app is native to AWS; the way the application looks is native to AWS. But I've not heard of any company that uses it. Maybe they use it for security; a security team would use it. So if you have a security event and it creates a message, then your pager would go off for you to respond to that event instantly, especially because most security teams always have people that are on call. When you're on call then your pager will go off and things like that, but I don't think it happens for everybody in the company, in the organization.

Yeah, I think, just to follow up with that, they have third party tools also, like ServiceNow, that encompass this kind of pager arrangement, not exactly in the same detail, but typically it escalates to your manager if you cannot be reached and so on and so forth. So it's not a good thing to not be reached and your manager gets woken up in the middle of the night; that's the ding against you, really. But yeah, they have other tools that do it too.

Yeah, it happened to me when I was out of the country. I wasn't with my laptop, so my manager had to let the security team know that I'm not available, not close to my computer, so the security team had to go into my account and terminate the service. So it was a whole process, because they needed to contact me for me to confirm to them that the service is not related to any customer, that it doesn't contain customer information, because they don't want to delete customer information and all of that. So it's never a good thing when your pager goes off.

Yeah, mine has gone off. All right, any other question?

I have a question. If you can pull up that other slide where you had the OU and the structure there, the other one. Yes. So looking at this structure, this is a logical arrangement. So if I, for example, wanted to use another service like patch management, I can use the logical groupings to target, say, Dev devices, right, and still execute that way, right?

Yeah, yep, absolutely.

So, yes, and tagging is a necessary part of that arrangement as well, right?

Yep, absolutely. So tagging is something that's very important. I'll tell you that if you go into AWS, most of the time some companies don't know the importance of tagging until they're way into it, and then they start cleaning up and enforcing tagging. Tagging helps a lot when you have any automation, just like what you guys saw with Patch Manager; when you target properly it's easy for you to do things at scale. So because of AWS Organizations, even things like AWS Backup: you can set backup policies, which is one of the policies that comes with AWS Organizations. You can set backup policies that will say back up all of my Dev EC2 instances or my Dev RDS databases once a week, so you don't need to write a policy for each database. You can just select it by OU and say, if I have 100 databases in my dev environment, then go ahead and back it up every Friday, or once a month, or every day, or every day at 6 p.m. You can basically write a backup policy that would do that. So it makes things really easy to basically consolidate how you manage your AWS environment or your organizational unit.

Okay, thanks. You're welcome, Alan.

Is this similar to an IAM group? Like, because you're saying it's containers that divide the roles for each service, so is this similar to an IAM group, like how an IAM group divides roles for each, I want to say, user?

Yes, yes, exactly. From a conceptual standpoint it's exactly similar to IAM groups, because groups are containers that you basically put users in and then you can apply policies to. That's what organizational units are: these are containers that you put accounts in and then you can apply policies to, at scale.

Okay, thank you. You're welcome.

All right, if there are no other questions, we can take a 15 minute break, and then when we come back we are going to our hands-on. Tonight is going to be straightforward and easy: we're going to set up AWS Organizations in the accounts that we currently have, so that the accounts that we currently have now will become your management account, because
that's the account that will set up AWS Organizations. Then we're going to programmatically create a second account, we're going to create an OU, an organizational unit, then we're going to create a service control policy to enforce tagging on EC2 instances, and then we apply that policy to the new member account that we created, and then we'll test the policy to see if it works. So that's what we'll do, and the goal here is for you to understand, when we talk about enterprise governance, how AWS Organizations is a governance tool that helps you to govern and manage your multi-account structure. And then you see how, through AWS Organizations, you can basically push things that you want to happen in the member account from the organizational account. And I think within that runbook we also have a step that would show you how to move from your management account to your member account, because if you have a management account you can federate, or you can basically move into the cross account; you can use a cross account role to move into the member account. So we'll see how you get into the member account from your management account, because when you programmatically create this account you do not really have a password to it; when you were creating it you did not set a password, you just gave it an email address and a name and it created your account for you. But you can now jump into that account from your management account. All right, can you guys still hear me?

Yeah, we can hear you. Prof, quick question: what will be the scenario where you have to jump from the management account to the member account? What will you be looking for in the member account?

You can have multiple scenarios. For example, like what I just said: I went out of the country and then there was a security incident in my account and somebody needed to do something to it. That person does not necessarily have the credentials that I used to create that account, but now, because the person has elevated privileges, they can use a cross account role to get into my account and fix the issue.

Okay, so the cross account role is applied at the very top of the hierarchy, which means access to the lower ones?

Exactly. When you're creating your account programmatically, AWS Organizations automatically creates that cross account role for you. It's created automatically. So let me look at that runbook; I know that I added a step there to cross account into another account, unless... it's been a while, let me see. But yes, you have a step in there to get into the member account using the cross account role.

Okay, are you going to share the runbook?

Yep, I'll share it with you guys. Thanks.

All right, so let's take 15 and then we'll come back and we'll do all of this, one two three four five steps, and then we'll call it the night. It will be pretty easy. Super, thanks. All right, awesome, see you soon.

So for the sake of recording, we're doing AWS Organizations as our demo today. It's going to be a pretty straightforward demo. We will create an AWS organization, or enable it in our accounts, create organizational units, which are containers housing different AWS accounts based on some sort of grouping strategy, and we will implement simple governance at scale using AWS Organizations service control policies (SCPs), which is a way to manage governance at scale, and we will apply it to an OU and test to ensure that whatever compliance or governance we want to implement on our member accounts in the OU is actually in play. We will test that by switching into one of the accounts which we apply the policy to and trying to create resources that do not conform with the policy in the SCP. We good? Any questions?

Do you have to be the root account to do that, to create the organization?

Yes, organizations is created from any AWS account. So we're going to use the accounts you already have; they are now standalone accounts. So once we create an organization in your account, which you do have, then that account is then referred to as the management account. So it's a good practice to use your management account just to create organizations, and every other thing which we have been doing before, we start doing that in your member accounts. Okay, but we are not going back, so today we will use your normal accounts and convert them to our management accounts and create member accounts inside our organization. Does that answer the question?

No, I mean, do we have to log in as root or no?

You don't have to.

Oh, okay, so we carry on as an IAM user.

Carry on as an IAM user with admin privileges. That's good. Remember, I'm very sure you were told that the root user of the account, please put it in a vault and do everything in your account with an IAM user that has the privileges that it needs. So as you created your account, that root password and the details, the credentials for the user, please securely keep that and always use an IAM user; only consult the root user if there's something wrong with that IAM user. Okay?

Yes sir.

Good. There are some fixes that, if you encounter them, you would need the root user permissions to do that fix. I did encounter that once, I think with S3, but that's a long time ago, I don't even know. And because in my organization I do not have root access, just our leads have, I had to go back to him that please clean this up. So that said, keep your root safe and let's go ahead. Any questions? Emma, Alan, Robinson?

No, I'm good. I think I'm good today, no questions.

This is a pretty straightforward runbook. Soon, hopefully, we are done in one hour and we're gone.

30 minutes. Good, I like that. Great, because I've got work in the next four hours.

Okay, so we start
by getting into the account. Whoever is sharing: AWS Organizations is just another service, like EC2, like VPC, so just type organizations and we go to AWS Organizations. We want to ensure that this user has the privilege, so you can see here it says create an organization. So are we all here? Franchesca, is she in the call?

Well, I'm here. Yeah.

Okay. Fran is not... no matter, Kings and others, let's go ahead. So you click on create organization and this should create an AWS organization in that account. You see that? So once you create an organization, it begins by creating some sort of a tree structure in your account with the management account being in the root. Does that make sense? I see. So the root of that tree is the management account. You can put other sub accounts under the root; you can create OUs, as we will see, under the root. Consider all OUs like branches of that tree. So we have the root of the tree; flip that tree upside down; the root of the tree at the top, then we have branches going down, like OUs, and inside those branches you can have other OUs, nested OUs, to the level of five. So you can have an OU, in that OU create another OU, and in another OU create another OU, to a level of five. This is very important because, for example, in my organization we are a consultancy, so we basically have OUs that represent different company environments. For example, in AWS we have like 60 or 70 different customer environments, so each customer is an OU, and inside that customer's OU each account is another nested OU: so you have the Dev OU, you have the Prod OU, you have the Test OU, the UAT OU, whatever it is. So that's how you can organize the structure. Make sense?

Yes sir.

Good. Prof, you did say to the level of five. What does that mean?

So it means I can have an OU like, right now we have the root, then when we create an organizational unit, that's the first level. So inside the organizational unit you can have another OU, another organizational unit, so it's a subset in the nested structure. Do you understand that?

Yeah, yeah, I get it. So you can have other OUs to the level of five.

Good. Five deep. Yes, five deep, and after the fifth level then you can only have accounts, no OU again. Good.

So once we have an organizational unit, let's create an account inside. So you can see that the account which you were always using is now referred to here in AWS Organizations as the management account. So it's best practice to not use this account for any workloads: do not deploy VPCs, EC2s, transit gateways, anything inside this OU. The reason for that is we always use AWS Organizations to control governance, to ensure that member accounts are conforming to some sort of compliance, and users and roles inside member accounts are also conforming to the SCPs that are implemented at the level of the root, or at the level of the management account, or higher up the tree. Because I'm sure Prof Susan already mentioned, once we place SCPs here that are governing compliance in member accounts, even the root user of that member account needs to conform to the SCPs we use at the management account. You understand that? Hello, was that clear?

That was a little confusing, yes. But the root user is above this management account, from...

That's the root user of the management account. If we have another account, because in the organization you can create accounts here directly or you can invite other accounts, for example Mula can invite Victor's account into an organizational unit. So Victor, your account already has a root user, but now because Mula is inviting you into an OU, you get into the OU, you become a member account in that OU; you're not the management account. So the root user of your account, Victor, Mula can control its privileges from here.

Oh wow.

Yes. So if you create an SCP at this level and I put the SCP here and I say nobody in the member account should be able to launch EC2 instances that do not conform to these specific requirements, even the root user in your account can't launch those EC2 instances.

Wow. So Mula, please do not invite me. Thank you.

So the reason I say this is because in the management account it's best practice to not launch workloads here, because SCPs will not be able to control users that are in the management account. So in this, Mula's, account, if you have an IAM user here at the management account and you put SCPs, those SCPs work for accounts that are in the OU and down the tree but do not control users that are in the management account. Does it make sense?

Yes sir.

Good. If it doesn't make sense please ask Prof.

So for this hands-on, are we going to create an IAM user for the new email we're going to be using, like for the new account that we'll be using going forward?

So you can do that; you can create an IAM user in the member account later on. But for simplicity, for the runbook or for hands-on today, once you're creating a member account, as we're going to do very soon, AWS automatically creates a role in that member account and you can switch from your management account into that member account using what we call cross account roles. So by default AWS creates a role called, I think, OrganizationAccountAccessRole in that member account, and you can switch into that member account using that organization access role. We're going to do that. Okay, sure. So you can test this hypothesis or whatever, and later on you can then switch into the member account, create a user in that member account, then log in as that user just like any other IAM user, then try to do things. But you're controlling governance at the level of the root. Let's go ahead, so we don't take more than 30 minutes today.

Just a real quick question: can you release an account from this organization?

You can always release an account from the organization; you
can always move an account from one organization to another. Okay, so it's all doable.

So let's create another account. So just go to add account. Once you create an account you can see here: you're creating an AWS account, or you want to invite an existing account. So here I can send Victor: Victor, please, I want you to come. Then you would use Victor's account ID or the email address which the root user uses to invite Victor into your OU, or into your organization. But here we want to create an AWS account. So when you create an AWS account, AWS creates it and adds it to your organization automatically. We good? So we want to give the account a name, so for example you can call it based on whatever naming policy you have in your organization. So for now, Mula, you can call it a test account, you can call it a sandbox account, you can call it whatever, playground, whatever name you give to it. I think the runbook has a suggestion for you, JJ Dev account, but that's JJ Tech, so I think you should just use JJ Tech since you're sharing. So use what is in the runbook, so those who are watching later can make sense if they are looking at the runbook.

Did you take Dev account? Do you want me to always put those things in the chat?

So this is optional; put whatever name you need. Where's my chat window? So once we give the account a name we need to give the account an email. So when you created your management account you have an email address which you used, so we can use that to create dynamic email addresses using a plus. So if you had something like, what is it, Mula, is it MOA sharing, or Leonard? All the same person. Okay, good. And you just use, is it at gmail, at y.com? Use a plus sign and any characters before the at sign, then that would create a dynamic email address that would point back to your main address.

So plus and what, sir?

Plus gmail.com. So plus44, Mula, please, I don't test with numeric, but I think they should work. Just use something like plus sandbox, for... but I guess this should also work, I'm not so sure. Okay, so you can use sandbox to represent the sandbox which you're using; you don't need CS. We good? So you can see here, this is what AWS creates, the IAM role. This is an IAM role that AWS Organizations is going to create in the member account. Please copy this role; well, anyway, I'm going to supply it to you, don't bother, because we will use this role name to switch into the account. So that's okay, I'll give it to you once we get there; it's the same for everybody. So once you have it here then you can create the AWS account. Are we together? Just hold, Mula. Emma, Franchesca, EV, Shantal, and Prof?

Yes, Prof, the email address that we use should not be associated with AWS, that's what I'm understanding.

So you can only use one email address per account. One email address per account. So once you've used an email address before to create an AWS account, you cannot use it again for another AWS account. Why is that? Because AWS always creates an identity in your AWS account, one identity, once the account is created, and they tie that identity to that email address.

Okay, right, that part I understand. But now, for example, Leonard just used Leonard plus sandbox at gmail.com. I don't think that that is a real email address, you know.

That's good, that's the point. We want to make it unique, and this is a technique that most email providers support for you to create multiple email addresses that point back to your main email. So his main email is still Leonard Mula at gmail.com, so we want to just point Leonard Mula plus sandbox at gmail.com; every email that is sent to this address would be routed back to Mula at gmail.

Okay, I see. So I have a question, please.

Good.

Should I include my complete email, because there's supposed to be a 20 here? Should I put it?

You need everything that is in your email before the plus. Yes, your normal email address, whatever is in your normal email address before the at sign, it should be there, then plus some random characters, then the at sign, at gmail.com. So your normal email for your root account is Leon Mula plus... no, Leon M [email protected], right?

Yeah.

Good, so this is correct. So once we have this then you can click on create AWS account.

Are we using tags, or does it automatically put the tags in?

It's optional. I wasn't going to put the tags in. Can you refresh your browser? Good. So now we can see that we've created another account called JJ Dev that is using an account ID of 98, which is different from our management account ID, and it's pointing to your Mula 20 plus sandbox something something. Are we all good?

Yeah. Pardon? I said I just received a message from AWS.

Yes, because it's pointing back to your main email. Is there somebody with a problem here?

A quick question. I just wanted to know, if you use an existing email address, is it going to send you an email to confirm? Is that what happens if you use an existing email?

Let's see. Yeah, I guess if you use an existing email it's going to send information to that existing email. So it's just trying to make the email unique. So if you have an existing email which is not tied to an AWS account, that can also work; okay, that account is going to work. Okay, question, one minute, one minute. Anita, we are using the plus sign here because Leonard Mula 20 is already tied to an account, so we want to make it unique; that's why we are using the plus sign to put some random characters to make this email unique. Okay, also if Leonard has a different email tied to that, that can also work; he can just send an invite to a different email which is not tied, which is tied to... No, you cannot use the same email for two different AWS accounts, that's the whole point. He's talking of invite: two different emails for two different accounts. I guess it would just mean that he has to just invite the other email; then you will be using the option to invite an account, not create an account. You remember when you add an account it gives you the option to invite or to
create yes sir that's what I wanted to clarify so then you'll be using the invite and putting the email if that email already has an account title it yes Anita yeah my question is why is the management account below I was thinking after the root accounts we have the management accounts so this can just be this can just be Ed stamp it doesn't mean that they it's below they are all add same level you can see the route the JJ Tech and then Leonard Mula they all at the same level inside the route okay so right now we do not have organizational units and we are putting them we only see that all of them are in this AWS organization they are all at the same level however we are managing it from the AWS organization you start seeing the benefits of AWS organization where you start grouping your accounts in different containers called o OS okay okay being the same level does it sorry does it mean that they have the same role the same what um how would I put it the when it comes to policy I was thinking the management account should have a more roles like privileges policies yes the manag account has more privileges it doesn't matter how the alignment it has it does have more privileges you can you right now you are in the management account you can switch from it now into JJ Tech okay but and you will in the JJ account you see that for something like a organizations you have limitations which you cannot perform there you can only do that in the management account the management account is right there every o every everybody in your console you should see your main account with the T in front as management that's the management account for this structure okay so the align the alignment here doesn't should not bother you yeah once we create U then you will see the tree structure as we go down thank you yep where did it get JJ Tech de because that that I never put that in any that's the name he put when he was creating his account but it's the same thing that's showing on in 
my it means you put it there so if you call yours Victor death it will be showing here Victor death you put a there just click on account you're right you're right it's in the wrong I did that thanks let's go ahead so we have created One account called G Tech Dev let's just add another account so that we can put two accounts in an OU so that's not in the Run book just do the same thing if you have J take death just create another say death one def two or something like that okay should it have the same email as the other one or shouldn't No it should be unique the sbox was already used so you need to put something here so you can put sandbox to or you can put test whatever ah I see so this is a different account from the first one we just we created earlier yes yes gotta [Music] gotcha let go ahead so once we have the two accounts you can see that we have two accounts here now we want to create um an organization unit go to actions on the left in the root structure where's my pen there you are come to actions okay [Music] actions click on rout sorry you need to click on Route so select route good actions create new hold just stop here are we all together yes sir so you need to select the route select where you want to create the organizational unit and click on actions then you create new so you can give your organizational unit a name we want to call this maybe a def organizational unit are we together um no I I just have a question I was I was thinking we should have be creating this in the management account isn't that we we're going to create I thought we're supposed to create this um on the management account we are in the management account okay but I guess you selected route but we selected rout yeah that's what he meant yeah the root is in the management account the root is in the management account right now you're in the management account okay you're creating the root in the organization because you want it at the root level root level of your 
organization your tree structure you remember um I yeah remember give me a minute we have a tree structure and at the top of the tree we have the root so inside the root we want to put the first organizational unit if you want to create another organizational unit inside this organizational unit then you will select this one we which which we about to create so you have that nested use which we talked about okay does it make sense whatever you're doing right now you're locked into the management account that's what matters ask your question if you're not clear this OU is at the level of it's at the it's at the root level remember we said the organizational structure has um Roots begins from the root then you have branches of that road which are we call um um U organizational units and those branches can have other OU yes so the first OU which we are creating right now is at the level of the root it means that once we are in the rout then we have the first OU then if we want to create another organizational unit inside this uh def oou then we will select the dev O then create an organizational unit inside make sense yes sir yes y BR please I have a question yeah go ahead um is the root considered a member account to in the the root itself is not an account it's the structure of your organization okay so inside on the root remember please try to visualize something like this if if it makes sense you have a tree flip that tree upside down you start from the root then once you hold a tree or a plant up upside down you have branches or from that tree going down so at the root is our management it means this is the top of the tree of or whatever and if we want to apply anything downwards then we begin from the root so we want to create an OU at the level of our root the first level so root we put an OU there every other account we can then put them inside this OU maybe once we complete this it make sense to you yeah did we already create the the OU no you don't have OU 
here. No, I just duplicated the previous screen. So now we can create the organizational unit. Please, let's go ahead. So can you see, right now we have the OU and all the other accounts are still at the same level? Do you see that we have our organizational unit, but right now, if you see, there's this plus sign, which basically means that it's some sort of a container, things can be inside it, to show you that this is a container that we can put accounts inside. So we can then move the accounts which we created into this OU that we just created. Does it make sense? Yeah, it makes sense now, because I was just about to ask if we can create an OU in the member account, but with what you just explained it makes sense, thank you.

So we now have to move the accounts which we created, for example Dev One, Dev Two, Dev, into these OUs. Okay. When you're doing this using infrastructure as code it's a little bit different: you have to create the OUs and put the accounts inside. That's why you do all this sequentially, so it makes sense once you start using infrastructure as code. Please keep those things, the clicking and the sequence, in your mind, because when you're reading code, your code is also going to be telling you "I'm looking for something, I can't see it". All right? Yes sir. For example, if you're doing infrastructure as code and you start moving an account into an OU, if that OU is not present then it will tell you "I'm looking for an OU, I can't find that OU".

So click on the account, select the account which we want to move, go to Actions, Move. Are we moving only one? You can move one, you can move all, but let's do one at a time. Move. Now you can see that you have the OU present, so you can select the OU. Where? Yeah, the checkbox in the empty round square. Good. Then you go to Move account, scroll down, Move account. Oh, now we've moved the first account into the OU. So if you go now to the OU you should see the account
inside. Click on the play sign or whatever it is. You see that? Yes. And the person that was asking the question, does it make sense to you right now? Yes sir, thank you.

So click on the OU itself. No, sorry, select the OU itself, go back, select the OU, go to Actions, Create new. This is now creating another OU inside this OU, to talk about the nested OU structure which we talked about, remember? So now we've had the root, now we've had the first OU; do we want another OU inside the first OU? Then you put another OU. So you can have this nested OU to the level of five, and at the fifth level you can't have another OU, you would only be able to add accounts into the last OU. Does it make sense to you now, Victor? Yes, it does. Good. Let's go back, you don't have to create this, you can test that later on. Let's go back so you can move the second account into your OU. Prof, does it mean at the fifth level we can only add new accounts? Yes, at the fifth level you can only add new accounts, you can't have another OU. Okay. So what did he just do? He moved the account which he created, same like the first, into the OU, because he created two Dev accounts. Okay.

Prof, if you wanted to change the name, say for example you gave it the wrong name and you already created the member account, is it possible to do that, or even the OU name? No, you're muted. Select it, go to Actions. I'm not so sure you can change the names of these accounts after the fact, because accounts, even when you want to close an account it takes at least about 90 days to close an account. So I'm very sure you can... for the alias you can rename it, yes. I think that's it, yes, you can rename it. I know humans are prone to error and could have just put the wrong thing. Okay, good, so you have the option there. So when you think about something that you need, just go to the console and see the options which you have. However, mind you, there are a lot of things or features that AWS offers you that are not all available on
the console. If you remember when we were doing, what was it, Systems Manager, and we wanted to add patch baselines, we did not have that option on the console, but you can use APIs to do that. Okay. So once you're looking for something like that, if you do not see the option on the console, always just research a little bit; maybe you can do that from the CLI or using some other APIs. Okay. So it looks like here you can only change the name of the OU but not the member accounts. Actually, yeah, you don't have that option in the dropdown. Okay. But I think for the management account, the alias, for example, if you see, what's his name, Mula, the alias here says Mula 22222, I think you can make this change if you click up here, you should be able to make this change somewhere. Click up here, go to Account, I think you should be able to go to Edit or something like that, you should be able to make this change somewhere. I know you can. Check that later, sorry, so that we don't have to switch accounts. Close this. Let's continue and finish our run book, we can check this later. Tick tock, tick tock.

So now we've created accounts, we've created OUs and we've moved our accounts into the OU. Now let's do some governance at scale by enabling some SCPs at the level of the OU. Okay, so scroll to Policies, and you can see that these are the different supported policy types for your AWS organization. You have AI services opt-out policies, this is if you do not want AWS AI tools to be collecting data from your different member accounts, you can opt out here; you can set up backup policies, you can set up service control policies, you can set up tag policies and the different stuff. Okay, so let's use SCPs. Click on Service control policies. We need to enable it; you can see that all the policies are disabled by default, so you just click on it and enable service control policies. This will then enable SCPs for
your AWS organization. Once SCPs are enabled, then we can create service control policies and attach those policies directly to our accounts, at the root level or at the OU level. Mind you, these are the three levels at which you can attach these SCPs: if you put it at the root it means all OUs and all accounts in those OUs would have to conform to the SCP; if you put it at the OU level, then all accounts in that OU would have to conform to the SCP; or you can attach the policy directly to an AWS account. This sounds pretty straightforward. Yep.

We had an incident in our environment where one of our junior colleagues... because we have a management account that's using Terraform and we are backing up all Terraform state in that account, we call it the TF backup account, and we have an SCP at this management account that needs to conform to some S3 rules and stuff like that. So we have different projects, both in AWS and in Azure, that are backing up their data in S3 buckets. This is just a short story for you to understand how, though this sounds easy, you can mess up stuff. So this guy, I don't know, I think he was working on his project and he wanted to enable some SCPs which we already have for his OU. Unfortunately for him, he placed his project OU as a nested OU in the OU where we have the backup account, then enabled these SCPs at that level of the OU, and all the different pipelines in all the different projects were failing and they could not figure out why, which is because the S3 bucket which they are using to back up state for Terraform now had some controls which we do not need for Terraform. Does it make sense what I'm trying to explain? Yeah. Where was Terraform... yes sir? Where did Terraform live in the OU hierarchy? Terraform is basically just using an S3 bucket, but that S3 bucket is inside an account that is inside another OU which did not need that service control policy, but he enabled this service control policy
just by ticking a box or something, because he was doing it from the console, and now it applied that SCP on all the accounts in that OU. Remember we told you that if you put it at the level of the OU, all accounts under there are enabled. Yeah. So now all the different projects in the whole company, they were using that account for backing up their state data; pipelines were failing, so the guys could not figure out why "your AWS bucket is not available", saying how can it not be available? Then there was a team escalation and communication going on; he did not even know that what he did is what's causing problems in different projects. So I'm just trying to tell you how, wow, even though it's just very straightforward, be very careful when you're enabling these things, okay? You can actually mess up stuff. Was he fired? No, he was not fired, he was a junior colleague, so it's understood, slap on the wrist and carry on. He's a junior and he's still on probation... he wasn't on probation, but he has some sort of a buddy, for example, you have a junior, some sort of somebody that leads you in the company, right? So if I did that then they are going to start asking questions, yes, but in the escalation and in the meeting, we learn by breaking stuff, that was the conclusion. But if you get into a company and you say you have seven years' experience and you do that, then they're going to start asking questions. Okay, let's go ahead.

So now let's create an SCP. Now that we've enabled SCPs for the organization, we can go to Create policy. So you can have policies which you've already created, can you scroll down? If you have a policy document which you've already created, because for example at the end of the run book we have two samples, you can copy exactly your policies into here, the editor, and just replace it. Remember, SCPs are like IAM: if you know how to write IAM policies, they are very similar to SCPs, but SCPs
do not grant permissions. SCPs control permissions, there's a very big difference, okay? So SCPs and IAM always work together. For example, if in the member account you have a user called Victor, and that Victor has admin privileges, that's the IAM policy for Victor in that member account. Now we want to control Victor's permissions in the member account using an SCP, so at the level higher up we will put an SCP. So if Victor in your member account, an IAM user called Victor, has permission to create EC2 instances but we deny the creation of EC2 instances at the level of the SCPs, even though Victor has IAM permissions to create EC2 instances, because the SCP denies creation of EC2 instances, Victor cannot create EC2 instances. Does it make sense? Yeah. That's the same thing I told you about controlling even the root user's privileges.

So let's scroll up. Let's create one using the editor. Please, if you have a problem or you're confused about something, just speak up, okay? I won't know if you do not talk. Sir, what if the same policy was allowed at the root level, does it mean that it's going to take precedence? Yes, it's going to take precedence because it's up at the root there. Oh okay, thank you. All right, policy name. Now AWS has something they call "deny overr...", I've forgotten the slogan, but basically deny is always going to overthrow allow. For example, if you have a policy that allows you to do something and another policy that denies it, then you're going to be denied. So if you have an explicit allow and an explicit deny, an explicit deny overthrows an explicit allow. Does that make sense? Yes sir. Good. It's a very popular slogan for it. So what if the explicit deny was at the lower level and the explicit allow happens to be at a higher level? You can test that, but I expect it to deny it. It will deny it. Let's go ahead. So because once AWS is evaluating your policies, it aggregates all the
policies that are attached to this identity and evaluates them; the minute it sees an explicit deny, it's denied. Okay, but there's an implicit deny and an explicit deny. So if it is an implicit deny and an explicit allow, then it would be allowed, but if there is an explicit deny then everything is denied. Makes sense? Yes sir. Good. For those who are quiet, I believe you're getting it and not confused and being quiet. Yeah, yeah. So with the explicit, okay, you have the implicit deny in, say, the OU level and you have the explicit allow in the root level, will it still be allowed? I think it will be denied, because deny trumps allow. Okay, as long as it's explicit. As long as it's explicit. Okay.

So now we've done that, let's create a policy, an SCP, called "Require EC2 Tags", and the policy name we call it RequireEC2Tags. You can put a description for it: to require tagging for EC2 instances, whatever. So are we together? Yes sir, yes we are. Good. So we need to choose the service to add the action to, so scroll down, scroll down, scroll in here. So you choose a service, we want to type EC2 in here. Are we together? So select EC2, that's it right there. Hold, is everybody here? If somebody doesn't know, say we're lost. Yeah, good. So because we want to ensure that we have tags for EC2 instances, we select EC2 as the service. For the action, search "run instances". It's almost at the bottom of the dropdown list, but you can always use Command F; Command F is a shortcut to find things, so if you're using a Mac you just type Command F and you paste "run instances" there, then it will take you to it. Is that for services? We already have services, yes. So actions, you can also scroll down, wait, I look for my pen, scroll down here, so go down to Run, go down to R. I think it's RunInstances. RunInstances, yes, search it, you can search
it, you can do a Command F search. So run, that's it right there. Yeah, "run instance", is that one? So we're looking for RunInstances, right? Yes, RunInstances. So this is the action we want to limit. So we're trying to prevent you from running instances if certain conditions are not applied, okay? So for "select resources within the service", scroll down, so Add a resource. So EC2 resource type: instance, is it right here? Instance, yep, instance. So you can see, wait wait wait, if you click on Add resource it's going to tell you that there's a problem because there are placeholders in the ARN, do you see that? Yes. Remember we talked about the placeholders, you see them in so many places. So this is a placeholder; everything in the curly brackets are placeholders. We need to replace these placeholders because it's asking for the region where you want to apply this SCP, the account, the instance, is it a specific instance, then you'll put the instance ID. So we want to replace all the placeholders with wildcards to represent every region, every account, and all instances. Does it make sense? Yes sir. Yeah, if there's somebody that does not understand what I'm trying to say please speak up; if not, then I assume we're all good. So I understand, but I don't know what wildcards are, does it mean we just leave it empty? No, a wildcard is a star, Shift 8. Okay, a star. You have to put a star; a star represents everything. Good. So what does this mean? You remember here was region, so because we are not putting in a region code we are putting in the wildcard; the wildcard means every region. So here it's looking for an account; if you want it for a specific account in the OU then you put the account ID there, but because we want every account you put a star. Now do we want to limit it to specific instances? No, we want it for all instances, so we'll put a wildcard. Makes sense? Yes sir, yeah. Good, good. Then we can add the resource. So scroll up. So we are building the policy, give me a minute, Mul. So if you look at
whatever thing we are doing right here, this is just like a policy... what is the word, AWS policy generator; we are generating the SCP here. Whatever change we're making on the right is building this policy here, do you see that? Yes, yeah. We just added a resource called "ec2:*:*:instance/*" for running instances; the effect is Deny. So scroll, we want EC2 volumes too, so we want to add another resource. Hold on, Mal, back up a little bit, just a second, I just wanted to see something in there. Did it transfer what we just did to this script? Yes, yes, yes. I got lost a little where the wildcard was. Okay, say that again? I got lost where the star was. Okay, we are going to do that for volumes, pay attention: volumes, then you can do that for instances. Okay, okay.

So we want to add another resource for volumes, so click on Add resource. No, why are you going into a new statement? New statement, click, yes. Are we just adding the resources or adding a new one? No, we do not want a new statement, I want a new resource. Can you clear that? Yeah. I remember, I cancelled. Go up and remove the statement. No, yes, the statement is highlighted, this last closing bracket, yeah, you have to remove it, remove the... please, I don't want you to start this all over again. You can remove the comma on line 13, but there's a line 15 now, you've closed some open bracket, you see that there's a problem with Version. Yeah, it's fixable, we can fix it, but please just start it all over again, I don't want to spend time here. Yep, no, scroll down and cancel, then start all over again. He's a stubborn child. I'm done, I'm done. It's good now. Good, yes, the syntax looks good. Man, you have to edit and click the resource, click inside the resource, it's going to... that's it, that's it, Add resource. Yes, Add resource. I'm looking
for volume. Volume, good. And we have to do the same thing for the wildcards. Terry, you had a problem with wildcards, so look at what he's doing: all the curly brackets are placeholders, we want to replace them with wildcards. Don't take off the colon, the wildcard will be in between the colons. Yeah. Terry, you good? Yes, yes. Good. So I click on Add resource, it should now add this resource to our resources that we're applying the deny policy to. Are we good? I was expecting a chorus answer. Yes sir, yes we are. I have a question: this volume, is that like an EBS volume? It is an EBS volume. So we are saying that, please, the statement is not complete, but we want to deny creation of EBS volumes if those volumes are not also tagged, okay, because we're trying to create a tagging policy here. You remember we said "tag EC2"? Yes.

So now let's add the condition. If you go back to it, on the Add resource there's an Add condition. So what is the condition? We want to ensure that some specific tags are applied to our EC2 instances or EBS volumes before they are created. Okay, so we look for the condition key that says aws:RequestTag. So you can search, or you can go to condition keys and type "aws:RequestTag", that's it right there. Wait, wait, one second, so there were two of them, there were the global condition keys and the service-level condition key; that's what we want, the service-level condition key. Okay, so we want the service level. All right, so I want aws:RequestTag and the tag key we say CostCenter, it could be whatever you want. So add a tag key for CostCenter. So CostCenter is going to be a key that is looked for on every EC2 instance you want to deploy. Does it make sense? Yes sir. Good. And we want the qualifier to be Default. Default, where are you? Right there, yeah. What is the default? Default basically says, please, by default, look for this tag key and this tag on instances. Please do it all over again, boy of greatness, take it easy now. Oh, you are choosing the global level, can you double
check? There you go. Shouldn't it be the global? Go ahead, I expect it to work. Terry, are you in the call? Yes, I'm here. So we have a request tag, we want the tag key called CostCenter, we want the qualifier to be Default and we want the operator to be StringNotEquals. So go to operator, and we click on Add condition. What about value? Hey, value, yes. So value, these are sample values, you can have 111, 222, 333, 444, so whatever value you want your EC2 instances to have. They are separated, they are delimited with commas, mind you. So basically it can only be these values? No, this is just a sample value. We are saying that each EC2 instance that you want to deploy, or EBS volume you want to deploy, should have a tag key called CostCenter and it should have a value of either 111, 222 or 333. So in your environment the tags could be something else; it could be Name and the value could be this. So AWS is going to request these tags for every resource you want to provision; if it sees CostCenter 111 or 222 or 333 then it's going to create that resource. Does it make sense? Can you restrict the values, so that maybe they can only pick, like, a range of values to tag them, to make it easier? You can possibly do that, but that would also be you trying to build the conditions for it, right? So everything you script, it's going to evaluate it. So go back; this is what the operator does, StringNotEquals. So what it means here is, if it evaluates it and it doesn't find a string which is equal to CostCenter 111 or 222 or 333, it means the string is not equal to this, then it's going to deny the creation of this resource. Does it make sense? Kind of. So it has to be equal to this, exactly. Please, like I said, these conditions apply even to IAM policies, okay? You can have IAM policies that you're writing on resources and you're putting all these different conditions in them. Can you add the condition, and let's go back
to it. Why are you adding... anyway, go ahead. Sir, quick one, I just wanted to know, if it was an allow policy, does it mean it was going to be StringEquals? If we were defining an allow policy here, what do you mean? To allow the creation of this thing, the string must be equal to maybe CostCenter 111. This is the opposite of StringEquals; this is the operator which we are talking about, StringNotEquals. You're going to understand this condition case when we do a little bit of operators, when we do a little bit of coding. Please go back, let's create a condition and we evaluate the whole policy together, okay? Do you see it now? What is the question? Can you leave the value empty, since it is optional? Yes, you can leave it empty, but it's not going to solve our use case here. What will it be doing in that case? Because if I do not put a condition here and I just read the statement without... please keep it steady, read the statement, keep it steady. Now read the statement without the condition, and what does it tell you? If I read the statement without this condition it just says deny ec2:RunInstances on every EC2 instance and on every EBS volume. What does that tell you? It means it's just going to deny creation of EC2 instances. Yeah. So the condition is what gives you the logic to create EC2 instances based on certain criteria. So the condition now says that if the string is not equal to, where's my eraser, if the string is not equal to key CostCenter and value 111 or 222 or 333 or 444, if the string is not equal to this condition then this applies. Okay. And Prof, these are the tags we put on the EC2 instance? These are the tags that we have to put on the EC2 instances. So if you have an EC2 instance now and it has a tag that says CostCenter and a value that says 111, it means the string is equal to that, then that condition doesn't
apply. That's the StringNotEquals. Do you understand? Yeah. But if you put StringEquals, it means that if you create any EC2 instance with CostCenter 111 then it's going to deny. Are we together? Please take some time and go through this AWS condition stuff, it's difficult; we can have a workshop to play around with it sometime. This is allow, Prof? This is an allow thing? It's a deny. It's a deny, so it doesn't mean that any instance that we create has to be equal... it has to meet these conditions in terms of being 111, 222, 333, 444. This is a list, you remember; the value is a list, so any of the values that are in the list will be affected. So if the key is CostCenter and the value is 111 or 222 or 333, then the string is equal to this and the deny effect will not be implemented. Got it.

So Prof, I have a question. If, for example, we've used this policy for a while and then we now added some more tags, say we added 1212, can we come in here and edit this particular policy, this condition, to add that new tag value? Yeah, you... no, remember, this is just the condition for creating the resource; it doesn't stop the resource from having additional tags. So you can have the tags that you then want to use for your resource groups, or you want to use for your SSM patching, but this is the condition for creating the resource: if that resource does not fulfill this condition it will not be created. So in that case, for example, if I want to have a resource group for my SSM patching, I can have multiple tags; you remember EC2 instances and EBS volumes support multiple tags, right? But just ensure that one of those tags is this before it will be created. Okay, does it make sense? Yeah. Victor, you do not look so... if, for example, you have a small company, your company now grows and the EC2 instances actually grow somehow, because you're spreading, and initially I only had two tags,
right, 111 and 222, and I think maybe I should create 333 or 444. Can't I edit this policy? You can edit; you can create a new SCP after the fact and apply it. However, you do not need to do that, it needs just one of these; if it meets this condition then it's going to create that resource. Does it make sense? Yeah, sir. For this example that we're doing in the run book, based on Mal's condition, what if I created a resource with a tag CostCenter 000, which is not in this list, is it going to create or is it going to deny? I expect it to deny. If it doesn't deny it then we have to look at our condition. That's why, as an engineer implementing this, the value must be part of this list. Okay, thank you. So as an engineer, when you roll these things out, that's why when you go to a company they give you a sandbox account; you have to test it and make sure it's working before you roll it out. Yeah. And the sandbox account is for testing? Yeah, every environment you go to, they will give you a sandbox. I have my personal AWS account, I have my company account, so your company account is for you to test stuff, so that if there's any bill the company pays it. I'm testing things for their environment, so I need a playground. Mm-hm. Just share me the account so I can test. Let's go.

Okay, so do we understand this policy? Yes. Good. So now let's create the policy, I think that's the last condition we want. So you were saying something about repeating volume? I don't understand, volume is already there. You said repeat, what do you mean by repeat? No, no, no, no, please, what do you mean by repeat? No, I don't want to create it, I was saying something like repeat volume. No, when you had an error, what he was saying was to repeat it, just start from the beginning, but you've done it now, it's there. Scroll down and create the policy. So you can see that we have a new SCP called RequireEC2Tags. Now we have to select the policy, go to Actions, Attach policy. So you can either attach it at the root,
like we said, it will go to all accounts, or we attach it at the level of the OU. So we click on select OU, go down to the individual accounts; so you see, if you go down to the account I can put it on this account or I can put it on Dev Two or Dev One. If you select the OU level then you'll see that all the two accounts inside that OU are highlighted. So let's put it at the level of the OU. Are we together? Yeah, the policy is making sense. So that policy has been applied to all accounts inside that OU, okay? Now he can switch into that account, any of the accounts. So go back to your OU, take the account ID, go back, go back, yeah, Children, go down to Children, that's the account ID right there; one is 98..., the other one is 444... You can select any of them, copy that into your clipboard. Now we want to switch into one of the member accounts. If you're logged into this management account as root you will not be able to switch, so you need to be an IAM user. So click on this dropdown menu here, Switch role. So we're logging into a completely new account. So now we want to paste the account ID here; we want to look for the role name that we are using in the member account, it's called OrganizationAccountAccess something role. Please, I'm a bit lost. I'll come back to you, give me a second. OrganizationAccountAccessRole, I shared it with you. So remember that this role was created in those member accounts, it's in the chat, so you need to paste the role here: OrganizationAccountAccess... what's wrong with the name? Is it a previous... if I show this, let me just share. Wait, wait, wait, there is a problem: "role name is required". Okay, display name, wait, go down, give it a name, a display name. So we want to call it probably Dev One or whatever; there are spaces in the display name. So we want to give it a name, call it Dev One or whatever. So this would be the name you see once you switch into the account; then you have to give it a... these are optional: display
color, so go down to display color. So this is how you display when you switch the role, and if you see the display color is red, you know that this is danger, be very careful. Most production environments will always have red as the display color; that's the advice, okay? Yeah. Are we all here? No, sir. So hold, what's the problem? How did you get to this particular... how did you get to this page? Let me show you how to get to this page. So you go to your account, you know, your account itself, give me a sec, go to Organizations, go back to Organizations, right here in the organizational unit you have accounts in here, and each account has an account ID. So these are the account IDs for the accounts you have in your OU, so you copy one of those account IDs into your clipboard because we will need it later. So once you have an account in your clipboard you come to this dropdown menu at the top right, and Switch role, there is an option here, Switch role. Like I said, if you're logged into this management account as a root user you will not have this option; you cannot switch roles as a root user. That's what I missed. Once you click on Switch role then it gives you the option now to fill in these details: you put in the account ID, you put in the role name in the account that you want to switch into, so by default AWS created this role for us; you put in the display name, whatever display name you want to represent that account, is it a test, is it a prod, whatever account; and we have a display color, okay, then you can switch role. Now there are plugins; for example, for me, I have my organization, we have more than 300 accounts or something, I cannot be doing this all the time if you want to switch from one account to another, so there are plugins, okay, to do this stuff. This AWS console does not support more than five, because once you switch role then it keeps a record of the history for just a maximum of 5 AWS accounts; the minute you go to the sixth, the
oldest one is deleted from that history, and stuff like that. So we don't do that, so there are plugins to make your life easier. So most browsers have their own plugins, Google has it, Safari has it and stuff. So can we switch role? Yeah. What's the essence of selecting the red color? Red color is just basically to signify danger. So for example, personally, all production accounts I have a red color, yeah, so once I see red I'm careful. So just clicking... this is Dev though, this is Dev, so he can put Dev, you can put blue, you can put whatever, that's there. So it's optional. It's optional, okay. Let's go. If you're here then you just click on Switch role, we should be able to switch into the new account. So you see we're in the new account; if you look at the account ID here, he called it Dev One, so you can see now you're not looking at the Mula 222 or something like that, this is now a member account. You can confirm that by looking at the account ID, and in the member account you cannot manage AWS Organizations here, so that's why you have permission issues, but we can go to EC2. So this is a brand new account right now, so you can go to EC2 instances. Interesting. So in the EC2 instances you see there's nothing here because we have absolutely no history; you have one security group because of the default VPC and its security group. Then we can launch an EC2 instance. So try launching an EC2 instance with no tag and see what happens. It's asking for the name. Let's just call it... so just use the default VPC, you have an instance, just give it a name, call it web server, call it Mula, call it whatever, and you use all the other settings as default. Prof, without a key pair? No, no key pair, we are not logging in, we just want to see. I expect it not to create because there is an SCP that's blocking it if it doesn't meet those conditions. Yeah, yeah, it might fail. It failed. Good. Launch it and let's see your failure message, what does it say? You're not authorized, you're not authorized to
perform this operation so you can see that organization access rule Mula 222 is not author please give me a minute it's not authorized to perform run instances on resource days with an explicit deny in a service control policy do you see that yes yeah so the service control policy that is in the management account has denied you from implementing stuffs in your account so this is how you establish governance for example in my company apart from the our Engineers that are AWS uh have know how you have a lot of developers that also want their own accounts so each developer says okay I need an account to try things so you create accounts for them then this is how you control what they doing in their accounts using scps wow so they come back to you and they say oh this thing is not working it say it's not working because I don't want it to work for in your account as simple as that go and develop your code are we good yeah this is good so this fails now let's create an account an is to instance that confirms to the conditions okay so we launch another one so we launch another in instance with the right TXS right let's say web server [Music] two so you can you can see you have more to put tax is just going to look for one of the taxs that confirms to the condition keys that we passed so we call it 111 and we call the value cost Center cost center with so no sensitive the value is called Center and the I think the center is also case sensitive M so I think it's Capital C capital capital c of course capital c for Center was it yes sir good yeah so now you can launch just go ahead and launch M say expect this to fail you know why can you look at what happened so there's an is to run instances now the problem is volume can you see where I'm highlighting you do not talk AWS the EBS volume that is creates because you remember that when you're launching an instance it creates a road volume by default yes so you need to tack that volume so you go back and launch and ensure that 
the volume is tged interesting so where does it say volume in the in the AR yeah it's there I was highlighting it here this was what was highlighting did you people see the volume yes so that's where you tag the so you put the same um um call center key and 111 value and you add a resource right here somebody was showing it yes right here click on this resource then you look for volumes and you add it so it's going to propagate those TXS to volumes to Graphics to whatever things that you need to add T should I allow the instance what no no you want it on both instance and volume you want it on both instance and volumes you remember the conditions which we said we two different resources there instances and volumes so if you put it on volumes now it's going to tell you that the instan is lagging those TS yeah once this is done then we can launch the inst I expect it to create now remember these policies are in the management account this is the beauty of governance at skill so you can just put this and we propagate it to all the accounts down there so this is like what I was saying this is what uh my colleague did he just enabled the policies at an OU level and everything now was affected and all pipelines were failed and we T and some people were saying that we've been hacked by default we we've been hacked okay I guess I can stop the recording at this point you did like bringing a security exper to so no we went back to Cloud 3 a colleague and I one of my colleagues at the same level went back to Cloud trade and we looking for what happened Cloud trade locks every event and the management account for the past 30 days you remember so we went there and we were seeing what is happen what has been happening and we saw that somebody was playing with scps and we saw that this SBA was enabl in an o that it was not supposed to be there immediately we removed it and we saw who did it because when the communcation was going on he was quiet I guess he was scared and we saw 
who did it so in the call we just to ask him do you have a few minutes to join us on a call he said yes then we very politely we said oh we noticed in Cloud trade that you did this you did this you did this this is the problem that caused this okay next time just you know um mind how you enable this policies because they Tripper down to all the different environments and we discovered in that call that he did not really understand how AWS organizations work so in that it was also a teaching scenario for us okay 15 minutes we told him how this is how organizations work when you put this thing there this is how it happens then he was like ah ah okay okay so okay that was it then we had to give a report to management and the next day the management said we Le we learn by breaking because he was a jior colleague that's okay and everybody learned from that scenario so now all the all the junior colleagues know that do not play with our control tower setup because accounts that you do not even have access can be affected did it cost the organization money the outage from My Level I don't know maybe management and customers I don't think it cost us because it was just we doing operations we could not deploy our Cotes and stuff like that but the things that are there are already running it's just you now not being able to make changes I don't think we had any major issue from customer experience because how did we even notice that there is a problem I'm running my big bucket Pipeline and it's failing and I'm like hey is the first thing is I asked a colleague is there something wrong with Atlas is something wrong with their setup is big bucket having a problem generally then another colleag of mine say Yes um this is azure big bucket is not going on then in our let me stop the recording this is not part of all stuff that's feel that
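For readers who want to see what the policy behind the two launch attempts above looks like, here is an added example of a service control policy of the kind the lecture describes. It is not the instructor's own policy and is not taken from the recording; the tag key `CostCenter` and value `111` follow what the class typed in the console but are assumed here, and the statement ID is made up. The policy denies `ec2:RunInstances` unless both the instance and its root volume carry the required tag at creation time, which is exactly why the second launch failed until the tag was also applied to the volume resource type.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTagOnInstanceAndVolume",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/CostCenter": "111"
        }
      }
    }
  ]
}
```

Two things to check before attaching something like this to an OU: `StringNotEquals` also matches when the tag key is absent from the request, so a launch with no tags at all is denied, not just one with the wrong value; and because the `Resource` list names both `instance/*` and `volume/*`, the console's "add tags to Volumes" step is mandatory, not cosmetic. SCPs never apply to the management account itself, and the "explicit deny in a service control policy" text in the error is the same string you will find in the `errorMessage` of the corresponding CloudTrail event, which is what made the incident in the story searchable.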