AWS

Advanced Identity in AWS

Updated 23/06/2026

  • #aws
  • #iam

Maarek SAA-C03 Slides v45 — Chapter 23. Personal study extract.

Key content

  • Advanced Identity in AWS
  • AWS Organizations
  • AWS Organizations (diagram labels: Root Organizational Unit (OU), Management Account, Member Accounts, OU (Dev), OU (Prod), OU (HR), OU (Finance))
  • Organizational Units (OU) - Examples (three diagrams)
      • Business Unit: Management Account; Sales OU (Sales Account 1, Sales Account 2); Retail OU (Retail Account 1, Retail Account 2); Finance OU (Finance Account 1, Finance Account 2)
      • Environmental Lifecycle: Management Account; Prod OU (Prod Account 1, Prod Account 2); Dev OU (Dev Account 1, Dev Account 2); Test OU (Test Account 1, Test Account 2)
      • Project-Based: Management Account; Project 1 OU (Project 1 Account 1, Project 1 Account 2); Project 2 OU (Project 2 Account 1, Project 2 Account 2); Project 3 OU (Project 3 Account 1, Project 3 Account 2)
  • AWS Organizations
      • to the target account (does not allow anything by default – like IAM)
  • SCP Hierarchy (diagram labels)
      • OUs: OU (Root), OU (Sandbox), OU (Test), OU (Workloads), OU (Prod)
      • Accounts: Management Account, Account A, Account B, Account C, Account D, Account E, Account F
      • SCPs shown: FullAWSAccess, Deny Athena, FullAWSAccess + Deny S3, FullAWSAccess + Deny EC2, Allow EC2
  • SCP Examples
      • Blocklist and Allowlist strategies
      • More examples:
  • AWS Organizations – Tag Policies
      • AWS Organization
      • maintain proper resources categorization, …
  • Attribute-based Access Control
      • specified services and resources (has no effect on resources without tags)
      • compliant resources
  • IAM Conditions
      • aws:SourceIp: restrict the client IP from which the API calls are being made
      • aws:RequestedRegion: restrict the region the API calls are made to
  • IAM Conditions
      • ec2:ResourceTag: restrict based on tags
      • aws:MultiFactorAuthPresent: to force MFA
  • IAM for S3
      • arn:aws:s3:::test
      • s3:DeleteObject applies to arn:aws:s3:::test/*
  • Resource Policies & aws:PrincipalOrgID
      • access to accounts that are members of an AWS Organization
      • diagram labels: S3 Bucket (2022-financial-data), AWS Organization (o-yyyyyyyyyy), Member Accounts, User outside Organization
  • IAM Roles vs Resource Based Policies (diagram labels)
      • Role approach: User, Account A, Amazon S3, Role, Account B
      • Bucket policy approach: User, Account A, Amazon S3, S3 Bucket Policy
  • IAM Roles vs Resource-Based Policies
      • original permissions and take the permissions assigned to the role
      • permissions
      • and dump it in an S3 bucket in Account B.
  • Amazon EventBridge – Security
      • permissions on the target
      • SNS, SQS, S3 buckets, API Gateway…
      • Systems Manager Run Command, ECS task…
      • EventBridge Rule Lambda with

…143 more lines in source.

Study checklist