Domain | % of exam |
---|---|
Domain 1: Design Secure Architectures | 30% |
Domain 2: Design Resilient Architectures | 26% |
Domain 3: Design High-Performing Architectures | 24% |
Domain 4: Design Cost-Optimized Architectures | 20% |
Total | 100% |
This diagram shows how AWS IAM works:
This link is useful for code relating to AWS Certified Solutions Architect: https://github.com/nealdct/aws-csaa-code
Here, we will learn everything you need to know to pass your AWS Certified Solutions Architect Associate exam. What we will learn:
- how to design and build multi-tier web architectures with services such as Amazon EC2 Auto Scaling, Amazon Elastic Load Balancing (ELB), AWS Route 53, AWS Lambda, Amazon API Gateway and Amazon Elastic File System (EFS)
- how to create Docker container clusters on Amazon Elastic Container Services (ECS), set up serverless event-driven AWS Lambda Functions with Amazon API Gateway and Amazon Kinesis integrations, and geographically redundant database services with Amazon Relational Database Service (RDS)
- how to configure Amazon Virtual Private Clouds (VPC), subnets, and route tables and set up best-practice Security Group configurations
- how to build repeatably and securely with AWS CloudFormation, set up a PaaS with AWS Elastic Beanstalk, configure Amazon S3 bucket policies and share data between multiple AWS accounts
- how to use application integration services including AWS Step Functions, Amazon MQ, SNS, SWF and SQS
IAM first authenticates a principal (an IAM user, an IAM role, a federated identity or the root user) and then authorizes each request that principal makes against the policies that apply to it. IAM is a global service, so once authenticated a principal can act on resources in any AWS Region, subject to that authorization.
A group is a way of organizing users: you attach a policy to the group and every user in it gains the permissions the policy grants. Identity-based policies define the permissions of the user, group or role they are attached to; roles are used for delegation and are assumed rather than logged into; resource-based policies define who may act on the resource they are attached to. The root user has full permissions, so it is a best practice not to use it for day-to-day work and to protect it with MFA. You can create up to 5,000 IAM users per account, and users have no permissions by default. Each user has a friendly name and an Amazon Resource Name (ARN); IAM ARNs have an empty Region field, which is why there are two colons before the account ID:

```
arn:aws:iam::6453234333532:user/Andrea
```
Users authenticate with either a console password or an access key pair. IAM roles are identities with their own permissions policies; they are assumed by users, applications and AWS services through the STS action `sts:AssumeRole`. Once assumed, the caller acts as the role and holds the role's permissions (and only those) for the lifetime of the temporary credentials. IAM policies are JSON documents that define permissions; this one grants full administrative access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Bucket policy example (each entry of `Statement` must be an object, and an S3 ARN has three colons because both the Region and account fields are empty):

```json
{
  "Version": "2012-10-17",
  "Id": "Policy1237456175634",
  "Statement": [
    {
      "Sid": "Stmt1237456175634",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1237456175634:user/Paul"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::dctcompany",
      "Condition": {
        "StringLike": {
          "s3:prefix": "Confidential/*"
        }
      }
    }
  ]
}
```

Two things to check before relying on a policy like this: the resource is the bucket ARN only (no `/*`), so object-level actions such as `s3:GetObject` never match it, and the `s3:prefix` condition key is only present on `s3:ListBucket` requests, so the condition restricts listing to the `Confidential/` prefix and silently fails the Allow for every other action.
A username and password log you into the AWS Management Console; the CLI and API authenticate with an access key ID and secret access key. Multi-factor authentication combines at least two of: something you know (a password), something you have (a hardware or virtual MFA device) and something you are (a biometric).
For an EC2 instance to call AWS services (for example to read objects from S3) we attach an IAM role to it through an instance profile. The role carries two policies: a trust policy that says who may assume it and a permissions policy that says what the role may do. The trust policy of an EC2 role looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Trust policies control which principals can assume the role. The instance then fetches short-lived credentials for the role from the instance metadata service, so no long-term access keys have to be stored on it.
Identity-based policies are JSON permissions policy documents that control what actions an identity can perform, on which resources, and under what conditions. Inline policies are embedded in a specific user, group or role; managed policies are standalone and can be either AWS managed or customer managed by the account owner. Managed policies can be attached to users, groups or roles.
Resource-based policies are JSON policy documents attached to a resource rather than to an identity; the S3 bucket policy shown above is one. They grant the named principal permission to perform specific actions on that resource. It is tempting to read the bucket policy above as giving Paul full access to S3, but it only covers the bucket ARN `arn:aws:s3:::dctcompany`, not the objects inside it, and its `s3:prefix` condition only applies to `s3:ListBucket`. A role's trust policy is also a resource-based policy: it is attached to the role and decides who may assume it.
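A small linter, added here as an example (it is not the course's code and not an AWS tool), that catches the mistakes discussed above: an IAM ARN missing its empty Region field, a bucket ARN paired with object-level actions, and an `s3:prefix` condition attached to actions that never carry that key. The two sample policies inside it are constructed to mirror the page's examples with valid JSON, and the account ID 123456789012 is a placeholder.

```python
"""Lint IAM identity-based and S3 resource-based policy documents.

Added example, not part of the course. Standard library only. The two
documents at the bottom are constructed to mirror the page's examples
(with valid JSON); the account ID 123456789012 is a placeholder.
"""
import json
import re

# IAM ARNs have an empty Region field (two colons) and a 12-digit account ID;
# S3 ARNs have empty Region and account fields (three colons).
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|user/.+|role/.+|group/.+)$")
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}(/.*)?$")
OBJECT_ACTION = re.compile(r"^s3:(\*|\*Object.*|(Get|Put|Delete|Restore)Object.*)$")

# Condition keys AWS only puts in the request context for particular actions.
# A StringLike test on a key that is absent evaluates to false, so an Allow
# conditioned on it silently fails for every other action in the statement.
ACTION_SCOPED_KEYS = {"s3:prefix": {"s3:ListBucket", "s3:ListBucketVersions"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(doc, resource_based):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("use Version 2012-10-17; older versions ignore policy variables")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not all(isinstance(s, dict) for s in stmts):
        return findings + ["Statement must be a JSON array of statement objects"]
    for i, stmt in enumerate(stmts):
        sid = stmt.get("Sid", f"statement {i}")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        if resource_based and principal is None:
            findings.append(f"{sid}: resource-based statements must name a Principal")
        if not resource_based and principal is not None:
            findings.append(f"{sid}: identity-based statements must not contain Principal")
        if isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS", [])):
                if arn != "*" and not IAM_ARN.match(arn):
                    findings.append(f"{sid}: malformed IAM principal ARN {arn!r}")
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append(f"{sid}: Action * on Resource * is full administrative access")
        for arn in resources:
            if arn.startswith("arn:aws:s3:") and not S3_ARN.match(arn):
                findings.append(f"{sid}: malformed S3 ARN {arn!r}")
            elif S3_ARN.match(arn) and "/" not in arn and any(OBJECT_ACTION.match(a) for a in actions):
                findings.append(f"{sid}: object-level actions never match the bucket ARN; add {arn}/*")
        for tests in stmt.get("Condition", {}).values():
            for key in tests:
                scoped_to = ACTION_SCOPED_KEYS.get(key)
                if scoped_to is not None and not actions <= scoped_to:
                    findings.append(f"{sid}: {key} only exists for {sorted(scoped_to)}; other actions fail this condition")
    return findings


# Constructed sample: the page's bucket policy with the structural fixes applied.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "Policy1237456175634",
  "Statement": [
    {
      "Sid": "Stmt1237456175634",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:user/Paul"},
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::dctcompany",
      "Condition": {"StringLike": {"s3:prefix": "Confidential/*"}}
    }
  ]
}
""")

# Constructed sample: the page's full-access identity policy.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    for name, doc, is_resource in (("bucket", BUCKET_POLICY, True), ("admin", ADMIN_POLICY, False)):
        print(name, lint_policy(doc, is_resource) or ["clean"])
```

Feed it any policy you are about to attach; a finding is not necessarily a bug, but each one is a question the policy simulator would otherwise answer for you after the fact.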
A permissions boundary sets the maximum permissions an identity-based policy can grant to a user or role. Suppose a user's identity policy gives her full control of S3, CloudWatch, EC2 and IAM, but this boundary is attached to her:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "cloudwatch:*",
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Her effective permissions are the intersection of the two: she can use S3, CloudWatch and EC2, but no IAM action is allowed, so she cannot, for instance, create a role that lets an application use S3. A boundary never grants permissions on its own; its purpose is to contain privilege escalation when permissions management is delegated.
This is a useful overview of the logic for permissions:
Request context includes:
- Actions - the actions or operations the principal wants to perform
- Resources - the AWS resource object upon which actions are performed
- Principal - the user, role, federated user, or application that sent the request
- Environment data - information about the IP address, user agent, SSL status, or time of day
- Resource data - data related to the resource that is being requested
Types of policy:
- Identity-based policies - attached to users, groups or roles
- Resource-based policies - attached to a resource and define permissions for a principal accessing the resource
- IAM permissions boundaries - set the maximum permissions an identity-based policy can grant an IAM entity
- AWS Organizations service control policies (SCPs) - specify the maximum permissions for the accounts in an organization
Evaluation order:
- By default, all requests are implicitly denied (the root user is the exception and has full access)
- An explicit Allow in an identity-based or resource-based policy overrides this default
- If a permissions boundary, Organizations SCP or session policy applies, the Allow only stands if that policy also allows the action; otherwise the result is an implicit deny
- An explicit Deny in any policy overrides every Allow
```json
"Statement": [
  {
    "Effect": "effect",
    "Action": "action",
    "Resource": "arn",
    "Condition": {
      "condition": {
        "key": "value"
      }
    }
  }
]
```
This is an example of a policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
This is a more complex example (the value of `NotIpAddress` is an object keyed by condition key, not an array):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ec2:TerminateInstances" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Deny",
      "Action": [ "ec2:TerminateInstances" ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      },
      "Resource": [ "*" ]
    }
  ]
}
```

The first statement allows the `ec2:TerminateInstances` action on all resources; the second is an explicit Deny for the same action whenever the caller's source IP is outside the two listed ranges. Because an explicit Deny always wins, only requests from those office ranges can terminate instances. Bear in mind that `aws:SourceIp` is the public address AWS sees: a service making the call on your behalf, or a request arriving through a VPC endpoint, does not carry the office address and is therefore denied too.
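To make the evaluation order concrete, here is a toy evaluator, added as an example; it is not part of the course and is not AWS's policy simulator. It applies the rules listed above (implicit deny by default, explicit Allow, boundary and SCP must also allow, explicit Deny wins) to the TerminateInstances policy just shown and to the permissions boundary from earlier. The policies, ARNs, account ID and client IPs are constructed; resource-based policies and most condition operators are deliberately not modelled.

```python
"""Simulate the IAM policy evaluation order summarised above.

Added example, not part of the course and not the AWS policy simulator.
It implements the Allow/Deny ordering and three condition operators,
enough to show why the TerminateInstances policy behaves as described
and how a permissions boundary turns an Allow into an implicit deny.
Resource-based policies are not modelled. All policies, ARNs and IPs
below are constructed.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """All operator blocks must pass. A key missing from the request context
    makes the test false (IAM documents this default and offers the
    ...IfExists operators to change it)."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringLike":
                if not _matches(expected, actual):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _effects(policy, ctx):
    """Effects of every statement in `policy` that matches the request."""
    out = []
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), ctx["action"]):
            continue
        if not _matches(stmt.get("Resource", "*"), ctx["resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        out.append(stmt["Effect"])
    return out


def evaluate(ctx, identity, boundary=None, scp=None):
    """Return ('Allow'|'Deny', reason) following the order on the page."""
    guardrails = [(n, p) for n, p in (("permissions boundary", boundary), ("SCP", scp)) if p]
    everything = [("identity policy", p) for p in identity] + guardrails
    # 1. An explicit Deny in any applicable policy wins outright.
    for name, policy in everything:
        if "Deny" in _effects(policy, ctx):
            return "Deny", f"explicit deny in {name}"
    # 2. Boundary and SCP do not grant, but each must also allow the action.
    for name, policy in guardrails:
        if "Allow" not in _effects(policy, ctx):
            return "Deny", f"implicit deny: not allowed by {name}"
    # 3. Otherwise an explicit Allow in an identity policy is required.
    if any("Allow" in _effects(policy, ctx) for policy in identity):
        return "Allow", "explicit allow in identity policy"
    return "Deny", "implicit deny: no matching Allow"


# Constructed: the TerminateInstances policy from the page.
OFFICE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}]}
# Constructed: a broad identity policy and the permissions boundary shown earlier.
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "ec2:*", "iam:*"], "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "ec2:*"], "Resource": "*"}]}
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # placeholder


def terminate_from(source_ip):
    ctx = {"action": "ec2:TerminateInstances", "resource": INSTANCE, "aws:SourceIp": source_ip}
    return evaluate(ctx, [OFFICE_ONLY])


def with_boundary(action):
    return evaluate({"action": action, "resource": "*"}, [POWER_USER], boundary=BOUNDARY)


if __name__ == "__main__":
    print(terminate_from("192.0.2.10"), terminate_from("198.51.100.5"))
    print(with_boundary("s3:ListAllMyBuckets"), with_boundary("iam:CreateRole"))
```

The same two calls are what you would type into the real policy simulator: one request from inside the office range, one from outside, and one IAM action that the identity policy allows but the boundary does not.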
The IAM policy simulator is useful for checking and creating user permissions: https://policysim.aws.amazon.com/home/index.jsp?#
- Require human users to use federation with an identity provider to access AWS using temporary credentials
- Require workloads to use temporary credentials with IAM roles to access AWS
- Require multifactor authentication (MFA)
- Rotate access keys regularly for use cases that require long-term credentials
- Safeguard your root user credentials and don't use them for everyday tasks
- Apply least-privilege permissions
- Get started with AWS managed policies and move toward least-privilege permissions
- Use IAM Access Analyzer to generate least-privilege policies based on access activity
- Regularly review and remove unused users, roles, permissions, policies and credentials
- Use conditions in IAM policies to further restrict access
- Establish permissions guardrails across multiple accounts
- Use permissions boundaries to delegate permissions management within an account
Requirement | Solution |
---|---|
A select group of users only should be allowed to change their IAM passwords | Create a group for the users and apply a permissions policy that grants the iam:ChangePassword API permission |
An Amazon EC2 instance must be delegated with permissions to an Amazon DynamoDB table | Create a role with a permissions policy that grants access to the table and attach it to the instance through an instance profile |
A company has created their first AWS account. They need to assign permissions to users based on job function | Use AWS managed policies that are aligned with common job functions |
A solutions architect needs to restrict access to an AWS service based on the source IP address of the requestor | Create an IAM permissions policy and use the Condition element to control access based on source IP address |
A developer needs to make programmatic API calls from the AWS CLI | Instruct the developer to create a set of access keys and use those for programmatic access |
A group of users require full access to all Amazon EC2 API actions | Create a permissions policy that uses a wildcard for the Action element relating to EC2 (ec2:*) |
- IAM is used to securely control individual and group access to AWS resources
- IAM makes it easy to provide multiple users secure access to AWS resources
- IAM can be used to manage:
- Users
- Groups
- Access policies
- Roles
- User credentials
- User password policies
- Multifactor authentication (MFA)
- Access keys for programmatic access
- By default, new users are created with NO access to any AWS services - they can only log into the AWS console
- Permission must be explicitly granted to allow a user to access an AWS service
- IAM users are individuals who have been granted access to an AWS account
- IAM is universal (global) and does not apply to regions
- IAM is eventually consistent
- Authentication methods:
- Console password - use to login to the AWS management console
- Access keys - used for programmatic access
- Server certificates - use SSL / TLS access
- IAM users represent a person or service
- The root user's credentials are the email address and password used to create the account
- The root user has full administrative permissions and cannot be restricted by IAM policies
- IAM users can be created to represent applications and are known as service accounts
- We can have up to 5,000 users per AWS account
- IAM groups:
- groups are collections of users and have policies attached to them
- A group is not an identity and cannot be identified as a principal in an IAM policy
- Use groups to assign permissions
- IAM roles:
- created and assumed by "trusted" entities
- delegate permissions
- Security Token Service (STS) allows us to obtain temporary security credentials
- IAM policies:
- documents can be applied to users, groups and roles
- All applicable policies are evaluated together: an explicit Deny in any of them overrides any Allow
- Types of IAM policy:
- Identity based policies
- Resource based policies
- IAM permissions boundaries - set the maximum permissions an identity based policy can grant to an IAM entity
- Organization service control policies specify maximum permissions for an organization
- IAM best practices:
- lock away the root user credentials and enable MFA on the root user
- create users
- use groups
- grant least privilege
- use customer managed policies not inline policies
A client finds a server by IP address and talks to it with an application protocol over a port, the "door" into the server. HTTP uses port 80 and HTTPS port 443; the port changes with the service: a Microsoft file server uses SMB/CIFS on port 445, SMTP for email uses port 25, and servers also talk to other servers, for example MySQL on port 3306. Whether client to server or server to server, the conversation is defined by an IP address, a protocol and a port, and in AWS security groups and network ACLs are written in exactly those terms.
This link is quite good for the OSI model: https://www.geeksforgeeks.org/layers-of-osi-model/
Layer 1 is the physical layer (bits on the wire). Layer 2 is the data link layer: frames addressed by Media Access Control (MAC) addresses so that computers on the same network segment can communicate. Layer 3 is the network layer: packets addressed by IP, with routers finding the best path to the destination between networks. Layer 4 is the transport layer: segments; TCP sets up a connection with the SYN, SYN-ACK, ACK handshake, while UDP is connectionless.
The mnemonic All People Seem To Need Data Processing lists the layers from 7 down to 1: Application, Presentation, Session, Transport, Network, Data Link, Physical.
In the cloud we mostly deal with the network and transport layers: IP addresses and the ports we want open. Wireshark is useful for inspecting requests and responses on the wire.
Private (RFC 1918) address ranges; the class labels are historical and the CIDR form is what you use today:
- Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
- Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
- Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Windows networking commands: `ipconfig /all`, `ping`, `arp -a`, `route print`, `netstat -ano`, `tracert`
To install net-tools on Linux: `sudo apt install net-tools`
Linux equivalents: `ifconfig`, `ip a`, `ping`, `arp`, `route -v`, `netstat -apn`
Install an SSH server and connect to it:

```bash
sudo apt install openssh-server
ssh <user>@<host>
```

Install vsftpd and edit its configuration:

```bash
sudo apt-get install vsftpd
sudo nano /etc/vsftpd.conf
```

Settings used in the lab, one per line in `/etc/vsftpd.conf`:

```
anonymous_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chown_uploads=YES
chown_username=ftp
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
```

Restart the service and create a file in the anonymous FTP root:

```bash
sudo systemctl restart vsftpd
sudo touch /srv/ftp/my-ubuntu-file.txt
```

From an FTP client on another machine: `open <host>`, user name `anonymous`, blank password, then `get my-ubuntu-file.txt`. Note that these settings allow anonymous users to upload, create directories and modify files, and FTP sends credentials and data in clear text, so this is a lab configuration for watching traffic on the wire, not one to expose on a network you care about.
Here we define access to the bucket and access to the objects within the bucket.
With horizontal scaling each instance is identical to the AMI it is linked to.
us-east-1a: http://44.213.104.159/ us-east-1b: http://34.239.133.144/
A CIDR block defines which bits of an address identify the network and which identify hosts: a /16 leaves 16 host bits, a /24 leaves 8. Changing the prefix length is how you trade the number of networks against hosts per network. AWS adds a twist: in every VPC subnet the first four addresses and the last one are reserved (network address, VPC router, DNS, future use, broadcast), so a /24 gives 251 usable addresses rather than 254, and subnets must be between /16 and /28. There is a lot more detail to this; a subnet calculator helps:
https://www.subnet-calculator.com
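Worked CIDR arithmetic for the VPC case, added as an example and not part of the course. It uses Python's standard `ipaddress` module; the VPC and subnet blocks are constructed, the RFC 1918 check corresponds to the private ranges listed earlier, and the only AWS-specific assumptions are the five reserved addresses per subnet and the /16 to /28 subnet size limits.

```python
"""CIDR arithmetic for VPC design, using only the standard library.

Added example; not part of the course. The VPC and subnet CIDRs below are
constructed. Two AWS-specific rules are encoded: every subnet loses five
addresses (the first four and the last) to reserved use, and subnet prefix
lengths must lie between /16 and /28.
"""
import ipaddress
import itertools

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def is_private(cidr):
    """True if the whole block lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def aws_usable_hosts(cidr):
    """Addresses you can actually assign in a VPC subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def carve(vpc_cidr, new_prefix, count):
    """The first `count` subnets of size /new_prefix inside the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in itertools.islice(vpc.subnets(new_prefix=new_prefix), count)]


def overlaps(cidr_a, cidr_b):
    """VPC peering and most VPN designs refuse overlapping address space."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    vpc = "10.0.0.0/16"  # constructed VPC block
    for subnet in carve(vpc, 24, 4):
        print(subnet, "usable hosts:", aws_usable_hosts(subnet))
    print("private:", is_private(vpc), "overlaps 10.0.128.0/17:", overlaps(vpc, "10.0.128.0/17"))
```

Carving the VPC into four /24s gives one subnet per Availability Zone with 251 usable addresses each; the overlap check is the first thing to run before requesting a peering connection.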
https://aws.amazon.com/cloudformation/resources/templates/
Note: you could add something like this to the user data:

```bash
#!/bin/bash
yum install -y httpd
systemctl start httpd
systemctl enable httpd
cat << EOF > /var/www/html/index.html
<title>Static Website</title>This static website is running on Amazon S3
EOF
```

- Amazon Athena (query data in S3 using SQL)
- Amazon CloudSearch (managed search service)
- Amazon Kinesis (analyse real time video and data streams)
- Amazon OpenSearch Service (search, visualize and analyse petabytes of text and data)
- Redshift (data warehousing)
- AWS Budgets (set custom cost and usage budgets)
- AWS Cost and Usage Report (access comprehensive cost and usage information)
- AWS Cost Explorer (analyse cost and usage)
- Reserved instance reporting
- Savings plans
- Amazon EC2 (virtual servers in the cloud)
- Amazon EC2 auto scaling (scale compute capacity to meet demand)
- Amazon Elastic Container Service (scalable containers)
- Elastic Kubernetes Service (Kubernetes)
- Amazon Lightsail (launch private virtual servers)
- Elastic Container Registry (store containers)
- ECS
- EKS
- AWS copilot - easiest way to launch and manage containerized application on AWS
- AWS Fargate - Serverless compute for containers
- Amazon Aurora - high performance managed relational database
- Amazon DynamoDB - managed NoSQL database
- Amazon ElastiCache (in memory caching service)
- Amazon RDS (managed relational database service for MySQL, PSQL, Oracle, SQL Server, MariaDB)
- Amazon Redshift (data warehousing)
- Amazon API Gateway (manage APIs)
- AWS AppSync (accelerate app dev with GraphQL APIs)
- AWS Device Farm (test Android, iOS and web apps on real devices in the AWS cloud)
- Amazon Location Service (location data for applications)
- AWS Amplify (build, deploy, host and manage web and mobile apps)
- AWS IoT Core (connect devices to the cloud)
- AWS IoT FleetWise (collect transform and transfer vehicle data to the cloud in real time)
- AWS IoT SiteWise (IoT data collector and interpreter)
- AWS IoT TwinMaker (optimize operations by creating digital twins of real-world systems)
- AWS IoT Greengrass (local compute, messaging and sync for devices)
- Amazon Bedrock - foundation models
- Amazon Comprehend - insights and relationships in text
- Amazon Polly - text into life-like speech
- Amazon Rekognition - image and video analysis
- Amazon SageMaker - build, train and deploy machine learning models at scale
- Amazon API gateway - build, deploy and manage APIs
- Amazon CloudFront - global content delivery network
- Amazon Route 53 - scalable domain name system
- Amazon VPC - isolated cloud resources
- Elastic Load Balancing (ELB) - distribute incoming traffic across multiple targets
- Amazon Cognito - Identity management for apps
- Amazon GuardDuty - managed threat detection service
- AWS Identity and Access Management - secure access management for services and resources
- AWS Key Management Service (KMS) Managed creation and control of encryption keys
- AWS WAF - filter malicious web traffic
- Amazon S3 - object storage built to retrieve any amount of data from anywhere
- Amazon DynamoDB - managed NoSQL database
- AWS Lambda - Run code without thinking about servers
- AWS Fargate - serverless compute for containers
- Amazon API Gateway - build, deploy and manage APIs
- Amazon Elastic Block Store - EC2 block storage volumes
- Amazon Elastic File System (EFS) - file system management for EC2
- Amazon S3 - object storage
- AWS backup - centralised backup across AWS services
- AWS Storage Gateway - hybrid storage integration
- Domain Name System (DNS)
- EC2 Auto Scaling
- Elastic Load Balancing
- DNS resolves a domain name to an IP address
- Scaling up (vertical) => a bigger instance: more CPU, RAM or storage
- Some instance types offer hundreds of vCPUs
- The problem with one large instance is that it is a single point of failure: when it goes, everything on it goes at once
- Scaling out (horizontal) => more instances behind a load balancer; this is the safer, recommended pattern
- Scaling out is limited only by service quotas, not by the size of one machine
These instructions are useful for deploying an auto scaling group: https://github.com/TomSpencerLondon/digital-cloud/blob/main/6%20DNS%20-%20Auto%20Scaling%20and%20Load%20Balancing/Commands%20and%20Instructions.md
IAM roles are preferable to access keys on instances: the credentials are temporary, rotated automatically and never stored on disk, so there is nothing long-lived to leak.
- Cluster - packs instances close together inside an AZ. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications
- Partition - spreads instances across logical partitions so that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra and Kafka
- Spread - strictly places a small group of instances across distinct underlying hardware to reduce correlated failures
This is the link for the course: https://digitalcloud.training/aws-saa-module-03-jun23-6b9d/
The measurement of Availability is driven by time loss whereas the measurement of Reliability is driven by the frequency and impact of failures.
Diagramming tools: https://aws.amazon.com/architecture/icons/
Useful uptime calculator: https://uptime.is/
Both the Recovery Point Objective and the Recovery Time Objective are low for the architecture above; the cost is now $11,770 a month.
A bastion host is an instance in a public subnet that you connect to first and then hop from to instances in private subnets, which have no public address of their own.
We will look at implementing this in this next section.
This link is useful for setting up a bastion host to a server in a private subnet: https://digitalcloud.training/ssh-into-ec2-in-private-subnet/
```
tom@tom-ubuntu:~/Desktop$ chmod 400 my-ec2.pem
tom@tom-ubuntu:~/Desktop$ ssh-add my-ec2.pem
Identity added: my-ec2.pem (my-ec2.pem)
tom@tom-ubuntu:~/Desktop$ ssh -A ec2-user@172.31.9.49
^C
tom@tom-ubuntu:~/Desktop$ ssh -A ec2-user@100.27.48.209
The authenticity of host '100.27.48.209 (100.27.48.209)' can't be established.
ED25519 key fingerprint is SHA256:gXZaCc4wZjNhvgjwcEgZGYNW4aoZs1YbLR1jeGqzG9w.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '100.27.48.209' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-9-49 ~]$ ssh ec2-user@172.31.81.221
The authenticity of host '172.31.81.221 (172.31.81.221)' can't be established.
ED25519 key fingerprint is SHA256:rhrP5HeIPq9XJMAnkEcUA6ssVCp5tuZMs1HVCg0mkYA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.31.81.221' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-81-221 ~]$
```
Here the first attempt to reach the private address directly times out (there is no route from the laptop to 172.31.0.0/16), so we connect to the public instance and hop from it to the instance in the private subnet. The `-A` flag forwards the local SSH agent to the bastion, which is what lets the second hop authenticate without copying the key, but it also lets anyone with root on the bastion use that agent while the session is open. SSH's ProxyJump option (`-J`) tunnels straight to the private instance through the bastion without exposing the agent, and AWS Systems Manager Session Manager removes the bastion and the open port 22 altogether.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
- Nitro is the underlying platform for the next generation of EC2 instances
- Support for many virtualized and bare metal instance types
- Breaks functions into specialized hardware with a Nitro Hypervisor
- Specialized hardware including:
- Nitro cards for VPC
- Performance, security and innovation - HPC
- Nitro Enclaves - security - isolated, hardened compute environments, carved out of an instance, for processing sensitive data with cryptographic attestation
https://digitalcloud.training/amazon-ec2/
https://digitalcloud.training/amazon-vpc/
Build your skills, test yourself, and practice in a sandbox environment with the following recommended Challenge Labs:
- Can You Implement a Repeatable Compute Layer with EC2? [Advanced]
- Connect to an EC2 Instance by Using RDP [Guided]
- Create a Custom AMI from an Existing EC2 Instance [Guided]
- Can You Configure a Resilient EC2 Server Farm? [Expert]
- first stage of migration
- helps to determine how prepared you are as an organization to begin migration to AWS
- Enables formulation of goals and objectives
- Present an effective business case
- Services:
- Migration evaluator
- AWS Migration Hub
- Emphasis on detailed migration planning and strategy
- helps to define migration strategies consisting of
- relocate
- repurchase
- rehost
- retire
- replatform
- retain
- refactor
- Identifies any skills gaps in your workforce
- Services
- AWS Application Discovery Service
- AWS control tower
- used to design your deployments and solutions
- identify any dependencies and understand interconnectivity required
- validate designs
- Services
- AWS migration for DBs and applications
- AWS Application Discovery Service
- AWS Database Migration Service (AWS DMS)
- AWS migration services used for migration of data:
- AWS Transfer family
- AWS dataSync
- AWS Snow Family
- AWS Service Catalog
- AWS migration for DBs and applications
- AWS migration evaluator
- baselines the on-premises environment
- projects cost using cost modeling and data analysis
- accelerates successful digital transformation to AWS
- compute storage and microsoft licenses
- keep expenditure low for migration
- recommendations of resources
- reduce costs by 50%
- Agentless collector tool
- AWS Migration Hub
- Quick insight report
- highlighting recommendations
- projected and expected costs
- issues found
- Dashboard overview of migration project
- discover and migrate services
- Powerful for overview
- Run from AWS management console
- discover and audit server inventory
- Migration hub import
- Migration evaluator collector
- AWS Agentless Discovery Connector
- AWS Application discovery agent
- Understand the environment
Two services:
- AWS Application Discovery Service
- AWS Migration Hub
- Amazon Athena
- Amazon QuickSight
- Agent based discovery / agentless discovery
- Agent installed across fleet of servers
- When Agent registered - connects to AWS Application discovery and AWS Migration hub
- TLS connection
- Agentless discovery - AWS discovery connector
- Gets information on each VM
- Connector with .ova file connects to AWS Application discovery service + AWS migration hub - only every 60 minutes
- AWS Control Tower
- Multi account strategy for migration
- Landing zone - multi account architecture follows well architected framework
- Created from a series of blueprints
- Root OU, Core OU
Servers, database and applications
- AWS Application Migration Service
- AWS Database Migration Service
- AWS Service Catalog
Data Migration
- AWS Transfer family
- AWS DataSync
- AWS Storage Gateway
- AWS Snowball Edge
- migrate applications with minimal downtime and interruption
- Lift and shift approach
- Converts physical machines to run on AWS
- AWS replication service - workflow for the migration
- Effective migration for databases
- From and to databases
- Move data to Amazon Redshift
- AWS Schema conversion tool
- Endpoints created - replication tasks to move data
- AWS service catalog
- Allows end users to select pre-approved services
- AWS Service Catalogue
- service allows easy transfer of data from on premises
- AWS S3
- AWS Amazon Elastic File System
- Amazon FSx for Windows File Server
- AWS Snowcone
https://digitalcloud.training/courses/aws-certified-solutions-architect-associate-hands-on-labs/sections/section-4-elastic-load-balancing-and-auto-scaling-1hr-40m/lessons/section-4-introduction-3/
Elasticity - scaling up and out
- scalability is the ability to add resources to handle more load
- elasticity means the resources shrink again when they are no longer needed
- Completed lab - 6 DNS - Auto Scaling and Load Balancing
SCPs don't grant permissions; they set the ceiling on which permissions are available for use in the accounts beneath them.
- Deny list strategy - the AWS-managed FullAWSAccess SCP stays attached to every OU and account, and you add SCPs with targeted Deny statements; an explicit deny overrides any allow
- Allow list strategy - FullAWSAccess is removed from every OU and account and replaced with SCPs that allow only the permitted services
- With an allow list, the Allow statements must be present on every OU between the account and the root, because permission flows down from the root: an action blocked at any level is blocked for everything beneath it
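A model of the two strategies, added as an example and not part of the course: each node of a constructed organisation tree carries a list of attached SCPs, and an action is permitted for an account only when every node on the path from the root allows it and none denies it. FullAWSAccess is the AWS-managed SCP attached everywhere by default; SCP condition keys and the management account's exemption from SCPs are left out.

```python
"""Model how service control policies combine down an Organizations tree.

Added example, not course material; the organisation tree and SCPs are
constructed. FullAWSAccess is the AWS-managed SCP attached everywhere by
default. SCP conditions and the management account's exemption are not
modelled, and an SCP Allow still needs an IAM Allow to do anything.
"""
import fnmatch

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Deny-list strategy: keep FullAWSAccess and add targeted denies.
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
# Allow-list strategy: FullAWSAccess removed, only the listed services allowed.
SANDBOX_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

# Constructed tree: node name -> SCPs attached at that node.
ORG = {
    "root": [FULL_AWS_ACCESS],
    "Workloads": [FULL_AWS_ACCESS, DENY_LEAVE_ORG],
    "prod": [FULL_AWS_ACCESS],
    "Sandbox": [SANDBOX_ALLOW],          # FullAWSAccess detached here
    "dev": [FULL_AWS_ACCESS],            # default attachment on the account itself
}


def _matches(patterns, action):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def level_permits(scps, action):
    """One node: the action passes only if some SCP allows it and none denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def org_permits(tree, path, action):
    """`path` lists node names from the root down to the account.
    The action must pass at every level: a child cannot regain what a
    parent withheld, and an Allow in a child is useless without one above."""
    return all(level_permits(tree[node], action) for node in path)


if __name__ == "__main__":
    checks = [(["root", "Workloads", "prod"], "ec2:RunInstances"),
              (["root", "Workloads", "prod"], "organizations:LeaveOrganization"),
              (["root", "Sandbox", "dev"], "s3:PutObject"),
              (["root", "Sandbox", "dev"], "iam:CreateUser")]
    for path, action in checks:
        print("/".join(path), action, "->", org_permits(ORG, path, action))
```

The `dev` account still has FullAWSAccess attached, yet `iam:CreateUser` is blocked because the Sandbox OU above it only allows EC2 and S3; that is the "permission flows down from the root" rule in one line of output.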