{"id":1451,"date":"2025-02-11T07:33:43","date_gmt":"2025-02-11T07:33:43","guid":{"rendered":"https:\/\/192.168.1.3\/wordpress\/?p=1451"},"modified":"2026-01-26T08:11:54","modified_gmt":"2026-01-26T00:11:54","slug":"aws-solution-architect-professional-sap-c02-review-material-aws-organization-control-tower-and-billing-cost-management","status":"publish","type":"post","link":"https:\/\/mylinuxsite.com\/wordpress\/?p=1451","title":{"rendered":"AWS Solution Architect Professional (SAP-C02) Review Material &#8211; AWS Organization, Control Tower and Billing &#038; Cost Management"},"content":{"rendered":"\n<!--more-->\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Organization<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/docs.aws.amazon.com\/images\/organizations\/latest\/userguide\/images\/AccountOuDiagram.png\" alt=\"\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>helps you centrally manage and govern your environment<\/li><li>allows you to:<ol><li>Create Accounts<\/li><li>Group Accounts<\/li><li>Apply Policies<\/li><li>Enable Services<\/li><\/ol><\/li><li>Organization Structure:<ul><li><strong>Organization<\/strong> &#8211; a collection of AWS accounts that you can manage centrally and organize into a hierarchical, tree-like structure<\/li><li><strong>Organizational unit (OU)<\/strong> &#8211; a group of AWS accounts within an organization. 
An OU can also contain other OUs, enabling you to create a hierarchy.<\/li><li><strong>Management account<\/strong> &#8211; is the AWS account you use to create your organization<\/li><li><strong>Root<\/strong> &#8211; is contained in the management account and is the top-most container in your organization\u2019s hierarchy.<\/li><li><strong>Member account<\/strong> &#8211; is an AWS account, other than the management account, that is part of an organization<\/li><\/ul><\/li><li><strong>Feature Sets:<\/strong><ol><li><strong>All features (Recommended)<\/strong>:<ul><li>the default feature set; lets you set central policies and configuration requirements<\/li><li>create custom permissions or capabilities<\/li><li>manage and organize your accounts under a single bill<\/li><li>delegate responsibilities to other accounts on behalf of the organization.<\/li><\/ul><\/li><li><strong>Consolidated billing<\/strong>: <ul><li>provides shared billing functionality<\/li><li>doesn&#8217;t include the more advanced features of AWS Organizations, e.g. <strong>RCPs<\/strong> and <strong>SCPs<\/strong><\/li><li>switching from Consolidated billing to All features:<ol><li>all invited member accounts must approve the change by accepting the invitation that is sent when the management account starts the process.<\/li><\/ol><\/li><li><em><strong>you cannot migrate from all features back to consolidated billing once all features is enabled.<\/strong><\/em><\/li><\/ul><\/li><\/ol><\/li><li><strong>Authorization Policies:<\/strong><ol><li><strong>Service control policies (SCPs)<\/strong>:<ul><li>principal-centric controls<\/li><li>manage permissions in your organization<\/li><li>central control over the maximum available permissions for the IAM users and IAM roles in your organization, i.e. 
<em><strong>defines a permission guardrail<\/strong><\/em><\/li><li>do not grant permissions to the IAM users and IAM roles in your organization<\/li><li>there is no &#8220;<strong>Principal<\/strong>&#8221; element in the policy statement<\/li><li>default policy is <a href=\"https:\/\/us-east-1.console.aws.amazon.com\/organizations\/v2\/home\/policies\/service-control-policy\/p-FullAWSAccess\">FullAWSAccess<\/a><\/li><\/ul><\/li><li><strong>Resource control policies (RCPs)<\/strong>:<ul><li>offer central control over the maximum available permissions for <em>resources<\/em> in your organization<\/li><li>ensure <em>resources<\/em> in your accounts stay within your organization\u2019s access control guidelines<\/li><li>no permissions are granted by an RCP<\/li><li>defines a permissions guardrail, or sets limits, on the actions that identities can take on resources<\/li><li>there is a &#8220;<strong>Principal<\/strong>&#8221; element in the policy statement<\/li><li>default policy is <a href=\"https:\/\/us-east-1.console.aws.amazon.com\/organizations\/v2\/home\/policies\/resource-control-policy\/p-RCPFullAWSAccess\">RCPFullAWSAccess<\/a><\/li><\/ul><\/li><\/ol><\/li><li><strong>Management Policies:<\/strong><ol><li><strong>Declarative Policies<\/strong>:<ul><li>centrally declare and enforce your desired configuration for a given AWS service at scale across an organization<\/li><li>prevent noncompliant actions. 
For example:<ul><li>block public internet access to Amazon VPC resources across your organization<\/li><li>control the discovery and use of AMIs<\/li><li>control whether Amazon EBS snapshots are publicly accessible<\/li><\/ul><\/li><\/ul><\/li><li><strong>Backup Policies:<\/strong><ul><li>centrally manage and apply backup plans to the AWS resources across an organization&#8217;s accounts<\/li><li>give granular control over backing up your resources at whatever level your organization requires<\/li><\/ul><\/li><li><strong>Tag Policies:<\/strong><ul><li>standardize the tags attached to the AWS resources in an organization&#8217;s accounts<\/li><li>can specify that noncompliant tagging operations on specified resource types are <em>enforced<\/em>. In other words, noncompliant tagging requests on specified resource types are prevented from completing.<\/li><li><strong>Untagged resources or tags that aren&#8217;t defined<\/strong> in the tag policy<strong> aren&#8217;t evaluated<\/strong> for compliance with the tag policy.<\/li><\/ul><\/li><li><strong>Chatbot Policies:<\/strong><ul><li>control access to your organization&#8217;s accounts from chat applications such as Slack and Microsoft Teams<\/li><\/ul><\/li><li><strong>AI services opt-out policies<\/strong>:<ul><li>control data collection for AWS AI services for all the accounts in an organization.<\/li><\/ul><\/li><\/ol><\/li><li><strong>Trusted Access:<\/strong><ul><li>enables a supported AWS service that you specify, called the <em>trusted service<\/em>, to perform tasks in your organization and its accounts on your behalf.<\/li><li>allows the <em>trusted service<\/em> to create a <em>service-linked role<\/em> in every account in your organization whenever that role is needed<\/li><li>Example of a trusted service:<ul><li><a href=\"https:\/\/us-east-1.console.aws.amazon.com\/organizations\/v2\/home\/services\/AWS%20Account%20Management\">AWS Account Management<\/a> <ul><li>allows customers 
to programmatically modify their account information and metadata through their organization<\/li><li>if enabled, Regions can be enabled\/disabled<\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS Billing and Cost Management<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>can create a budget for the whole organization or per account.<\/li><li>Cost Explorer can be filtered by account in an organization (cannot filter by OU)<\/li><li>RI and Savings Plans sharing:<ul><li>activated\/deactivated from <em><strong>Billing preferences<\/strong><\/em><\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AWS<\/strong> <strong>Control Tower<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Concepts and Terminology:<\/strong><ul><li><strong>Landing zone:<\/strong>\u00a0A landing zone is a cloud environment that offers a recommended starting point, including default accounts, account structure, network and security layouts, and so forth. From a landing zone, you can deploy workloads that utilize your solutions and applications.<\/li><li><strong>Control:<\/strong>\u00a0A control (also known as a\u00a0<em><strong>guardrail<\/strong><\/em>) is a high-level rule that provides ongoing governance for your overall AWS Control Tower environment. Each control enforces a single rule. <strong>Preventive<\/strong> controls are implemented with <strong>SCPs<\/strong>. <strong>Detective<\/strong> controls are implemented with <strong>AWS Config<\/strong> rules. <strong>Proactive<\/strong> controls are implemented with <strong>AWS CloudFormation<\/strong> hooks.<\/li><li><strong>Member account:<\/strong>\u00a0A member account belongs to the AWS Control Tower organization. 
The member account can be\u00a0<em>enrolled<\/em>\u00a0or\u00a0<em>unenrolled<\/em>\u00a0in AWS Control Tower<\/li><\/ul><\/li><li><strong>Controls:<\/strong><ul><li><strong>Mandatory<\/strong>:<ul><li>owned by AWS Control Tower<\/li><li>applied to every OU in your landing zone<\/li><li>applied by default when you set up your landing zone<\/li><li>can&#8217;t be deactivated.<\/li><\/ul><\/li><li><strong>Proactive<\/strong>:<ul><li>check resources before they are deployed<\/li><li>determine whether the new resources will comply with the controls that are activated in your environment.<\/li><li>scan your resources before they are provisioned, and make sure that the resources are compliant with that control.<\/li><li>resources that are not compliant will not be provisioned.<\/li><li><strong>implemented by means of AWS CloudFormation hooks and apply to resources that would be provisioned by AWS CloudFormation. As a consequence, these controls may not affect requests that are made directly to services through some other means.<\/strong><\/li><li>status of a proactive control is PASS, FAIL, or SKIP.<\/li><\/ul><\/li><li><strong>Preventive:<\/strong> <ul><li>ensure that your accounts maintain compliance<\/li><li>disallow actions that lead to policy violations.<\/li><li>status of a preventive control is either\u00a0<strong>enforced<\/strong>\u00a0or\u00a0<strong>not enabled<\/strong>.<\/li><li>supported in all AWS Regions.<\/li><li>implemented using service control policies (SCPs) or resource control policies (RCPs), both of which are part of AWS Organizations.<\/li><\/ul><\/li><li><strong>Detective<\/strong>:<ul><li>detect noncompliance of resources within your accounts, such as policy violations, and provide alerts through the dashboard.<\/li><li>status of a detective control is either\u00a0<strong>clear<\/strong>,\u00a0<strong>in violation<\/strong>, or\u00a0<strong>not enabled<\/strong>. 
<\/li><li><strong>implemented using AWS Config rules.\u00a0<\/strong><\/li><li>apply only in those AWS Regions supported by AWS Control Tower.<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[11],"tags":[],"class_list":["post-1451","post","type-post","status-publish","format-standard","hentry","category-aws-review-notes"],"_links":{"self":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1451"}],"version-history":[{"count":14,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1451\/revisions"}],"predecessor-version":[{"id":1917,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1451\/revisions\/1917"}],"wp:attachment":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}