Org should have:
- logging account - so that no one can edit or delete these.
- programmatic creation of other accounts
- reserved instances
- consolidated billing
- service control policies, eg. set limits on what an account can do.
Service Control Policies
SCP does not give permission, only takes it away.
AWS Resource Access Manager
RAM - free service to share resources across accounts in the organization.
Resources can be shared:
- transit gw
- vpc subnets
- License manager
- dedicated hosts
RAM vs VPC peering
Same region? -> RAM, otherwise VPC peering
Sharing resources - saves money
Cross Account Role Access
Role assumption is always temporary, which is more secure.
Instead of IAM users use roles.
Inventory Management with AWS Config
- query - you can discover what you have inside account
- enforce - rules can be created to act
- learn - query history of environment