Explanation

A service control policy SCP may have been implemented that limits the API actions that are available for Amazon S3. This will apply to all users in the account regardless of the permissions they have assigned to their user account.Another potential cause of the issue is that the permissions boundary for the user limits the S3 API actions available to the user. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. Bucket ACL is not correct Check the ACLs for all S3 buckets is incorrect. With a bucket ACL the grantee is an AWS account or one of the predefined groups. With an ACL you can grant read/write at the bucket level but list is restricted to the object level so would not apply to the bucket itself. The user has been unable to list any buckets in this case so an ACL is unlikely to be the cause. Bucket policies is not correct because check the bucket policies for all S3 buckets is incorrect. The user has not been granted access to any buckets, and the error does not list access denied to any specific bucket. Therefore, it is more likely that the user is not been granted the API action to list the buckets.

References

Explanation

Permission boundaries is not correct. Create cost allocation tags to define the cost center and project ID and allow 24 hours for tags to activate. Use permissions boundaries to restrict the creation of resources that do not have the cost center and project ID tags specified is incorrect. Permissions boundaries apply to user accounts but SCPs apply to entire AWS accounts and will be easier to enforce for all users. INCORRECT: Use Tag Editor to tag existing resources. Create cost allocation tags to define the cost center and project ID and allow 24 hours for tags to activate is incorrect. There is no mechanism here to enforce application of tags. Use an AWS Config rule to check for untagged resources. Create a centralized AWS Lambda based solution to tag untagged EC2 instances and RDS databases every hour using a cross-account role is incorrect. AWS Config can be used for compliance but a better solution would be to enforce tags at creation time. Using Lambda to tag the resources would be complex in terms of identifying which tags to add to which resources.

References

Explanation

To enable the required features you simply need to setup a single AWS organization in the parent account with all features enabled. The existing business unit AWS accounts can then be invited to join the organization. This setup will automatically enable consolidated billing which will ensure a single AWS bill is received in the parent account which has costs broken out by each AWS account. Service Control Policies (SCPs) can then be used to restrict the maximum available permissions to services and features that the parent company wishes to apply to the member accounts. Once applied, all users will be affected in the member accounts. Permission boundaries is not correct because it is applied to each business unit’s AWS account to define the maximum permissions available for services and features” is incorrect. Permissions boundaries are applied to IAM entities (users or roles), not to AWS accounts.

References

Explanation

“Allow IAM users to have AWSServiceCatalogEndUserFullAccess permissions. Assign the policy to a group called Endusers, add all users to the group. Apply launch constraints” is incorrect. Users do not need full access, read only is sufficient as it does not provide the ability for users to launch and manage products using their own accounts. The launch constraint provides the necessary permissions for launching products using an assigned role. “Grant IAM users AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permissions. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3” is incorrect. When launching services using CloudFormation, the principal used (user or role) must have permissions to the AWS services being launched through the template. This solution does not provide those permissions. “Define the infrastructure services in AWS CloudFormation templates. Add the templates to a central Amazon S3 bucket and add the IAM users that require access to the S3 bucket policy” is incorrect. This uses a central account but doesn’t have offer a mechanism to distribute the templates to accounts in AWS Organizations. It would also be very hard to manage access when adding users to bucket policies.

References

Explanation

“Create an OU for the master account and each member account. Move the accounts into their respective OUs. Apply an SCP to the master accounts’ OU with the Allow effect for the ec2:PurchaseReservedInstancesOffering” is incorrect. This is a complex setup and does not deny the relevant API actions from the member accounts. “Create an Amazon CloudWatch Events rule that triggers a Lambda function to terminate any Reserved Instances launched by member accounts” is incorrect. CloudWatch Events is not able to trigger based on EC2 Reserved Instance purchase actions. “Move all current member accounts to a new OU. Create an SCP with the Deny effect on the ec2:PurchaseReservedInstancesOffering action. Attach the SCP to the new OU” is incorrect. This will work for existing accounts but if new accounts are added and are not added to the same OU they will not inherit the policy.

References

Explanation

You can use AWS Budgets to track your service costs and usage within AWS Service Catalog. You can associate budgets with AWS Service Catalog products and portfolios. AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed or are forecasted to exceed your budgeted amount. If a budget is associated to a product, you can view information about the budget on the Products and Product details page. If a budget is associated to a portfolio, you can view information about the budget on the Portfolios and Portfolio details page. When you click on a product or portfolio, you are taken to a detail page. These Portfolio detail and Product detail pages have a section with detailed information about the associated budget. You can see the budgeted amount, current spend, and forecasted spend. You also have the option to view budget details and edit the budget. Install the unified CloudWatch Agent on the RedShift cluster hosts. Track the billing metric data in CloudWatch and trigger an alarm when a threshold is reached is incorrect. This agent is used on EC2 instances for sending additional metric data and logs to CloudWatch. However, it is not used for budgeting.Create an AWS CloudTrail trail that tracks data events. Configure Amazon CloudWatch to monitor the trail and trigger an alarm when billing metrics exceed a certain threshold is incorrect. CloudTrail tracks API calls, it cannot be used for tracking billing data.Create an Amazon CloudWatch metric for billing. Create a custom alert when costs exceed the budgetary threshold is incorrect. Billing data is automatically collected, you cannot create a metric for billing but you can create an alarm.

References

Explanation

“Use Amazon CloudWatch to create a billing alarm that notifies managers when a billing threshold is reached or exceeded” is incorrect. There is no requirement to create billing alarms specified in the scenario. “Use AWS Savings Plans to configure budget thresholds and send alerts to management” is incorrect as this is not a service but a pricing model and cannot be used for sending alerts. “Configure custom budgets and define thresholds using AWS Cost Explorer” is incorrect. Cost Explorer is used for viewing cost related information but not for creating budgets.

References

Explanation

AWS Budgets gives you the ability to set custom budgets that alert you when you exceed (or are forecasted to exceed) your budget thresholds. ... From there, you can dive deeper using the same filters that you see in AWS Cost Explorer to set budgets based on more specific use cases.

References

Explanation

A SAML-based IdP can be created that integrates with AWS IAM. In this configuration you map IAM roles that are assumed by authenticated identities. These IAM roles must have the correct permissions for users. The users can then assume roles in the other AWS accounts in order to perform there. This solution centralizes the management of identities, federation, and permissions and allows the users to access each account as needed. The diagram below depicts how identity federation works between IAM and an on-premises IdP:

References

Explanation

The AWS best practice for this situation is to use an identity account to store all user and service accounts. You then create roles in the accounts you want to access and delegate permissions for the identity account users (or the whole account) to be able to assume the role. This provides centralized control of security identities. The configuration for cross-account access between two accounts is depicted below. In this diagram the user in account B (the identity account) is able to assume a role in account A (the resource account) and access an S3 bucket.

References

Explanation

Create a service control policy (SCP) that denies access to the specific set of services and apply the policy to the root of the organization” is incorrect. This would apply the SCP to the existing member accounts and any new accounts that are added which may not be desired. The best solution is to use an SCP to control access to the AWS services and apply that SCP to an OU that contains the member accounts. The SCP limits the maximum available permissions for the entire account and means users in that account will not be able to access the restricted services even if they have permissions to do so.

References

Explanation

There are three core requirements for this solution. The first two requirements are satisfied by adding each CloudFormation template to a product in AWS Service Catalog in a central AWS account and then sharing the portfolio with AWS Organizations. In this model, the central AWS account hosts the organizationally approved infrastructure services and shares them to other AWS accounts in the company. AWS Service Catalog administrators can reference an existing organization in AWS Organizations when sharing a portfolio, and they can share the portfolio with any trusted organizational unit OU in the organization tree structure. The third requirement is satisfied by using a permissions policy with read only access to AWS Service Catalog combined with a launch constraint that will use a dedicated IAM role that ensures least privilege access. Without a launch constraint, end users must launch and manage products using their own IAM credentials. To do so, they must have permissions for AWS CloudFormation, the AWS services used by the products, and AWS Service Catalog. By using a launch role, you can instead limit the end users’ permissions to the minimum that they require for that product.

References

Explanation

To enable the required features you simply need to setup a single AWS organization in the parent account with all features enabled. The existing business unit AWS accounts can then be invited to join the organization. This setup will automatically enable consolidated billing which will ensure a single AWS bill is received in the parent account which has costs broken out by each AWS account. Service Control Policies (SCPs) can then be used to restrict the maximum available permissions to services and features that the parent company wishes to apply to the member accounts. Once applied, all users will be affected in the member accounts.

References

Explanation

The only solution that works for both existing and future member accounts is to apply a Deny policy to the root of the organization. When you attach a policy to the organization root, all OUs and accounts in the organization inherit that policy which ensures that any new accounts that are added will inherit the policy automatically. SCPs affect only member accounts in the organization. They have no effect on users or roles in the management account (also known as the master account). Therefore, the users in the management account are able to purchase reserved instances. Note the following behavior in relation to policy inheritance: You can attach policies to organization entities (organization root, organizational unit (OU), or account) in your organization: When you attach a policy to the organization root, all OUs and accounts in the organization inherit that policy. When you attach a policy to a specific OU, accounts that are directly under that OU or any child OU inherit the policy. When you attach a policy to a specific account, it affects only that account

References

Explanation

You can apply continuous delivery practices to your AWS CloudFormation stacks using AWS CodePipeline. AWS CodePipeline is a continuous delivery service for fast and reliable application and infrastructure updates. CodePipeline builds, tests, and deploys your code every time there is a code change, based on the release process models you define. When using CloudFormation change sets you first create the change set which allows you to preview how proposed changes to a stack might impact your running resources. This creates a separate stack that can be used to view the changes and ensure the updates apply successfully. Then, once you’re happy with the changes the change set can be executed which will update the stack. You can use AWS CodeBuild to both build and test code. CodeBuild can be configured with custom scripts to run tests and the result of the tests can determine the subsequent actions such as proceeding to deployment.

References

Explanation

The most secure option presented is to use AWS Systems Manager Session Manager. Session Manager is a fully managed AWS Systems Manager capability that lets you manage EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.

References

Explanation

A service control policy (SCP) may have been implemented that limits the API actions that are available for Amazon S3. This will apply to all users in the account regardless of the permissions they have assigned to their user account. Another potential cause of the issue is that the permissions boundary for the user limits the S3 API actions available to the user. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

References

Explanation

You can use tags to organize your resources, and cost allocation tags to track your AWS costs on a detailed level. After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs. By adding tags to all new resources, the management team will be better able to track costs and allocate costs to specific cost centers and projects. Service Control Policies (SCPs) can be used to limit the maximum available permissions in an account in AWS Organizations. SCPs are policies and conditional statements can be added. In this case an SCP can be created with a conditional statement that only allows resources to be created if they have a tag specified.

References

Explanation

The errors in the Lambda logs indicate that throttling is occurring. Throttling is intended to protect your resources and downstream applications. Though Lambda automatically scales to accommodate incoming traffic, functions can still be throttled for various reasons. In this case it is most likely that the throttling is not occurring in Lambda itself but in API calls made to Amazon Route 53. In Route 53 you are limited (by default) to five requests per second per AWS account. If you submit more than five requests per second, Amazon Route 53 returns an HTTP 400 error (Bad request). The response header also includes a Code element with a value of Throttling and a Message element with a value of Rate exceeded. The resolution here is to place the data for the DNS records into an SQS queue where they can buffer. AWS Lambda can then poll the queue and process the messages, making sure to batch the messages to reduce the likelihood of receiving more errors.

References

Explanation

The AWS CDK is a software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. You can use the AWS CDK to define your cloud resources in a familiar programming language. The AWS CDK supports TypeScript, JavaScript, Python, Java, and C sharp.Net. Developers can use one of the supported programming languages to define reusable cloud components known as Constructs. You compose these together into Stacks and Apps. The diagram below depicts how an AWS CDK application is constructed

References