AWS Backup in the Management Account
AWS Backup in AWS Organization can be managed only with the Management Account.
So, do we just need to create a role in this account, which can be assumed by any other account?
Are there limitations with this approach?
Accepted Answer | AWS Organizations
1 answer | 0 votes | 5 views | asked a year ago
Using company (corporate) card as primary payment means
We are transferring one of the AWS accounts under a company's (organization's) account, and we plan to use a corporate card to pay the AWS bills.
The company is based in the Russian Federation. Should we expect any problems paying with a corporate card:
- whether the taxes are added automatically to our bills
- whether such a card is accepted as a means of payment
- whether the base currency of RUR is OK with AWS?
Thanks.
Accepted Answer | AWS Organizations
1 answer | 0 votes | 0 views | asked 2 years ago
Tagging policy at account level
I tried to define a tagging policy (for EC2 instances) at Org level and have attached it to a child account. The JSON looks something like the one below. I'm not able to see any tags after instance creation in the child account. However, if I try to manually add the tag for the same key, it does evaluate as per the policy.
Say I can define a tag with key 'Function' and value 'Devops'; I'm not allowed to add a tag with another value with Function as the key. Is this the expected behaviour? Any leads?
```json
{
  "tags": {
    "Function": {
      "tag_key": {
        "@@assign": "Function"
      },
      "tag_value": {
        "@@assign": [
          "Devops",
          "DevOps"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:elastic-ip",
          "ec2:instance",
          "ec2:volume"
        ]
      }
    },
    "Name": {
      "tag_key": {
        "@@assign": "Name"
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance"
        ]
      }
    },
    "Instance Owner": {
      "tag_key": {
        "@@assign": "Instance Owner"
      },
      "tag_value": {
        "@@assign": [
          "*example.com"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "ec2:instance"
        ]
      }
    }
  }
}
```
Accepted Answer | AWS Organizations
1 answer | 0 votes | 4 views | asked 2 years ago
Enforcing Tag Policies on existing instances
A customer is using tagging policies and enforcing them with an SCP, so that an instance can't run unless it's tagged with the relevant required tags.
If they were to attach that SCP, currently triggered on ec2:RunInstances, to an account with already running instances and potentially untagged or tagged in a non-compliant way, what would happen? Would it stop the instances or only prevent them from restarting once stopped?
Accepted Answer | AWS Organizations
1 answer | 0 votes | 3 views | asked 2 years ago
Can I create a child AWS account and prevent the master from accessing it?
Here is the use case we're considering:
We'd like to make RDS DB backups to a separate AWS account which is completely isolated from our main account (e.g. the login credentials would be written on a piece of paper and stored in a safe).
The idea being that even if our main AWS account was compromised, an attacker couldn't also destroy the DB backups.
Obviously we could just create a one-off AWS account, but it would be nice to have the child account still share the same billing control panel, but nothing else.
Essentially, I want it so that the master account does NOT have access to anything in the child account, except billing information.
Is it possible to do this?
I experimented with removing the `OrganizationAccountAccessRole` from the child account, and this seemed to prevent users from the master account from assuming that role in the child account. But is this enough? Could an attacker re-add this role somehow if they compromised the master account?
Thanks!
Accepted Answer | AWS Organizations
1 answer | 0 votes | 0 views | asked 3 years ago