LearningTree · AWS · Management

Other Management
Governance Services

Chapter One · Management

AWS Organizations — Multi-Account Management

AWS Organizations lets you centrally manage multiple AWS accounts under one umbrella. It provides consolidated billing, hierarchical account grouping (OUs), and Service Control Policies (SCPs) for governance at scale.

Why Multi-Account? Introductory

🔒

Security Isolation

Blast radius containment — if one account is compromised, others are isolated. Separate prod/dev/staging.

💰

Cost Visibility

Consolidated billing across all accounts. Tag-based cost allocation. Per-team or per-project billing.

📋

Governance

SCPs enforce guardrails. Different compliance requirements per OU (HIPAA, PCI, general).

Organization Structure Core

AWS Organizations — Account Hierarchy

Service Control Policies (SCPs) Core

SCP Feature	Details
What SCPs do	Set maximum permissions for accounts in the OU — they are guardrails, not grants
Effect	SCPs restrict what IAM policies can do. If SCP denies EC2, no IAM policy can override it.
Inheritance	SCPs cascade down: Root → OU → nested OU → Account. The effective policy is the intersection.
Management account	Never affected by SCPs — always has full permissions (don't use it for workloads!)
Root user	SCPs do affect the root user of member accounts (unlike IAM policies)
Default SCP	`FullAWSAccess` — attached by default. Removing it denies everything.

⚠️ SCPs Are Not Permissions

SCPs don't grant permissions — they set the ceiling. An account still needs IAM policies to actually allow actions. Think of SCPs as a filter: IAM says "you can do X", SCP says "but only within these boundaries".

Key Organization Features Core

💳

Consolidated Billing

Single payment method for all accounts
Volume discounts — aggregate usage across accounts (S3, EC2 RIs, Savings Plans)
Reserved Instance sharing across accounts in the org
Per-account cost breakdown in Cost Explorer

🔧

Delegated Administration

Avoid using management account for daily tasks
Delegate services: Config, GuardDuty, CloudTrail, Security Hub
Designated admin account manages on behalf of the org
Management account only for billing + org management

🎯 Exam Insight

"Prevent accounts from leaving organization" → SCP denying organizations:LeaveOrganization
"Restrict regions to eu-west-1 only" → SCP with aws:RequestedRegion condition
"SCPs affect root user?" → Yes! SCPs restrict root user of member accounts (not management account)
"Consolidated billing benefit?" → Volume discounts + RI sharing across accounts
"Management account in SCP scope?" → No — management account is NEVER affected by SCPs
"SCP deny vs IAM allow?" → SCP deny always wins — SCPs set the maximum boundary

Chapter 01 — Key Takeaway

Organizations provides multi-account management with OUs (hierarchical grouping), SCPs (maximum permission boundaries that cascade down), and consolidated billing (volume discounts + RI sharing). SCPs affect member account root users but never the management account. Use the management account only for billing — delegate service administration to a dedicated account.

Chapter Two · Management

AWS Control Tower — Automated Landing Zones

AWS Control Tower sets up and governs a secure, multi-account AWS environment (a landing zone) with best-practice guardrails. It orchestrates Organizations, IAM Identity Center, CloudTrail, Config, and more — so you don't have to wire them together manually.

What is a Landing Zone? Introductory

🏗️

Without Control Tower

Manually create each account
Manually set up CloudTrail, Config in each
Manually configure IAM Identity Center
Manually write SCPs
Manually enforce guardrails
Hours/days of setup per account

✅

With Control Tower

Account Factory provisions accounts in minutes
CloudTrail + Config auto-enabled
IAM Identity Center auto-configured
Guardrails (preventive + detective) pre-applied
Dashboard shows compliance across all accounts
Best-practice OU structure out of the box

Guardrails Core

Guardrail Type	Implementation	Example
Preventive	SCPs — block actions before they happen	Prevent disabling CloudTrail, prevent S3 public access
Detective	Config Rules — detect non-compliance after the fact	Detect unencrypted EBS volumes, detect MFA not enabled
Proactive	CloudFormation hooks — block non-compliant resources before creation	Block EC2 launch without required tags

Guardrail Behaviour	Meaning
Mandatory	Always enforced — cannot be disabled (e.g., disallow public S3 in log archive)
Strongly recommended	Best practice — can be opted out, but not advised
Elective	Optional — enable based on your specific needs

Account Factory Core

Account Factory is the self-service portal for provisioning new accounts that are automatically compliant:

🏭

What Account Factory Does

Creates new AWS account
Places it in the correct OU
Applies VPC baseline (configurable CIDR)
Enables CloudTrail, Config, SSO
Applies all active guardrails
Uses Service Catalog behind the scenes

⚡

Account Factory for Terraform (AFT)

Infrastructure-as-code account provisioning
GitOps workflow: commit → pipeline → account
Custom Terraform modules per account
Terraform state management included
For teams already using Terraform

Control Tower vs Organizations Core

Feature	Organizations Alone	Control Tower
Account creation	Manual or API	Account Factory (automated, compliant)
Guardrails	SCPs only (write yourself)	Pre-built preventive + detective + proactive
CloudTrail / Config	Manual setup per account	Auto-enabled in every account
SSO	Separate IAM Identity Center setup	Auto-configured
Compliance dashboard	Build yourself (Config Aggregator)	Built-in landing zone dashboard
Complexity	Full control, more effort	Opinionated, less effort

🧠 Decision Rule

Starting fresh? → Use Control Tower (best-practice defaults). Existing org with custom setup? → You can enable Control Tower on existing Organizations, but review compatibility. Need full flexibility? → Organizations alone, but you'll build guardrails manually.

🎯 Exam Insight

"Automated multi-account setup with best practices" → Control Tower
"Preventive guardrail" → SCP (blocks action)
"Detective guardrail" → Config Rule (detects after)
"Proactive guardrail" → CloudFormation hook (blocks before creation)
"Self-service account provisioning" → Account Factory
"Control Tower uses which services?" → Organizations, IAM Identity Center, CloudTrail, Config, Service Catalog, CloudFormation
"Mandatory guardrails" → Cannot be disabled, always enforced

Chapter 02 — Key Takeaway

Control Tower automates landing zone creation with pre-configured guardrails (preventive SCPs, detective Config Rules, proactive CloudFormation hooks). Account Factory provisions compliant accounts in minutes with automated CloudTrail, Config, and SSO setup. It builds on top of Organizations — adding automation, compliance dashboards, and best-practice defaults. Use it for new environments; existing orgs can adopt it incrementally.

Chapter Three · Management

AWS Trusted Advisor — Best-Practice Recommendations

AWS Trusted Advisor inspects your AWS environment and provides recommendations across five pillars: cost optimisation, performance, security, fault tolerance, and service limits. Think of it as an automated AWS Solutions Architect reviewing your account.

Five Pillars of Trusted Advisor Core

💰

Cost Optimisation

Idle EC2 instances (low utilisation)
Unassociated Elastic IPs
Underutilised EBS volumes
RI purchase recommendations

⚡

Performance

EC2 instances with high utilisation
CloudFront optimisation
Overutilised EBS (IOPS)
Content delivery improvements

🔐

Security

Open security groups (0.0.0.0/0)
IAM access key rotation
MFA on root account
S3 bucket permissions

🔄

Fault Tolerance

RDS Multi-AZ not enabled
EBS snapshots missing
Auto Scaling groups in single AZ
Route 53 health checks

📊

Service Limits

VPC limit approaching
EC2 On-Demand instance limits
EBS volume limits
IAM policy limits

Free vs Full Trusted Advisor Core

Feature	Basic / Developer	Business / Enterprise Support
Checks available	7 core checks	All 100+ checks
Security checks	S3 permissions, SG open ports, IAM use, MFA on root, EBS public snapshots, RDS public snapshots, Service Limits	All security checks + CloudTrail, IAM keys, etc.
Cost optimisation	Not available	Full cost analysis
Performance	Not available	Full performance checks
Fault tolerance	Not available	Full resilience checks
API access	No	Yes — `aws support describe-trusted-advisor-checks`
CloudWatch integration	No	Yes — metrics + EventBridge events
Programmatic refresh	No	Yes (every 5 min minimum)

💡 7 Free Checks (Always Available)

Even on Basic support: S3 Bucket Permissions, Security Groups — Unrestricted Access, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots, Service Limits. These 7 checks are free on every account.

Trusted Advisor + EventBridge In-Depth

With Business/Enterprise support, Trusted Advisor emits events to EventBridge when check status changes (OK → Warning → Error):

Alert pattern: TA check goes "Warning" → EventBridge → SNS → Slack alert
Remediation: TA detects open SG → EventBridge → Lambda → revoke 0.0.0.0/0 rule
Dashboard: TA findings → EventBridge → custom CloudWatch dashboard

🎯 Exam Insight

"Free security checks" → 7 core checks available on all accounts (Basic support)
"Full Trusted Advisor" → Requires Business or Enterprise support plan
"Cost optimisation recommendations" → Trusted Advisor (Business+) — checks for idle resources, underutilised instances
"Service limit warnings" → Trusted Advisor (Service Limits check — free)
"Automated response to TA findings" → EventBridge + Lambda (Business+ support only)
"TA vs Config" → TA = account-wide recommendations; Config = per-resource compliance rules

Chapter 03 — Key Takeaway

Trusted Advisor provides automated best-practice recommendations across cost, performance, security, fault tolerance, and service limits. 7 core checks are free on all accounts; full checks require Business or Enterprise support. With Business+, TA integrates with EventBridge for automated alerting and remediation. It's a read-only advisor — it recommends, it doesn't enforce.

Chapter Four · Management

AWS Cost Explorer & Budgets — Financial Visibility

Cost Explorer visualises and analyses your AWS spending over time. AWS Budgets sets thresholds and alerts when spending approaches or exceeds limits. Together they provide complete financial visibility and proactive cost control.

Cost Explorer Core

📊

What Cost Explorer Shows

Historical spend (up to 12 months back)
Forecast spend (up to 12 months ahead)
Filter by: service, account, region, tag, instance type
Group by: service, linked account, usage type
Daily or monthly granularity

🔍

Key Capabilities

RI/Savings Plan utilisation — are you using what you bought?
RI/Savings Plan coverage — how much usage is covered?
RI purchase recommendations — based on usage patterns
Cost anomaly detection — ML-based unusual spend alerts
API access for custom reporting

AWS Budgets Core

Budget Type	What It Tracks	Example
Cost budget	Dollar amount spending	Alert when monthly spend exceeds $5,000
Usage budget	Service usage (hours, GB, requests)	Alert when EC2 hours exceed 10,000
RI utilisation budget	Reserved Instance usage percentage	Alert when RI utilisation drops below 80%
Savings Plan utilisation	Savings Plan usage percentage	Alert when SP utilisation drops below 90%

Budget Actions In-Depth

Budget Actions allow automated responses when budget thresholds are breached:

📧

Notification Actions

Email alerts (up to 10 recipients)
SNS topic integration
Chatbot integration (Slack, Teams)
Thresholds: actual or forecasted (e.g., "alert at 80% of budget")

🛑

Enforcement Actions

Apply SCP — restrict account when budget exceeded
Apply IAM policy — deny resource creation
Target specific accounts or OUs
Can require approval before applying

Cost Anomaly Detection Core

AWS Cost Anomaly Detection uses ML to identify unusual spending patterns:

Creates a spending baseline from your history
Monitors by: account, service, cost category, or cost allocation tag
Alerts via SNS or email when anomalies detected
Shows root cause analysis (which service/region/usage type spiked)
No additional cost — included with Cost Explorer

Cost Explorer vs Budgets vs Trusted Advisor Core

Tool	Purpose	Nature
Cost Explorer	Visualise + analyse past/future spend	Retrospective + forecast
AWS Budgets	Set thresholds + get alerts + take actions	Proactive alerts + enforcement
Cost Anomaly Detection	ML-based unusual spending alerts	Automated detection
Trusted Advisor (Cost)	Specific cost savings recommendations	Advisory (idle instances, unattached EIPs)

Cost Allocation Tags In-Depth

🏷️

User-Defined Tags

Tags you create: Environment, Team, Project
Must be activated in Billing console
Appear in Cost Explorer after activation (24h delay)
Not retroactive — only track from activation date

🤖

AWS-Generated Tags

Prefix: aws: (e.g., aws:createdBy)
Auto-generated by AWS services
Must also be activated in Billing console
aws:createdBy shows who launched the resource

Pricing Core

Service	Cost
Cost Explorer	Free (console). API: $0.01 per paginated request.
AWS Budgets	First 2 budgets free. Each additional: $0.02/day (~$0.62/month)
Budget Actions	No additional cost
Cost Anomaly Detection	Free

🎯 Exam Insight

"Visualise spending trends" → Cost Explorer (filter by service, account, tag)
"Alert when spend exceeds threshold" → AWS Budgets (cost budget with SNS notification)
"Automatically restrict account when over budget" → Budget Actions (apply SCP or IAM policy)
"Detect abnormal spending patterns" → Cost Anomaly Detection (ML-based, free)
"Track costs per team" → Cost allocation tags (activate user-defined tags in Billing console)
"Forecast next month's spend" → Cost Explorer (12-month forecast)
"RI/Savings Plan underutilised" → Cost Explorer RI/SP utilisation report or RI utilisation budget
"Cost allocation tags not showing" → Tags must be activated in Billing console (24h delay)

Chapter 04 — Key Takeaway

Cost Explorer visualises historical and forecasted spend with flexible filters. AWS Budgets sets thresholds with alerts (email, SNS) and enforcement actions (apply SCPs/IAM policies when exceeded). Cost Anomaly Detection uses ML to flag unusual spending — free and automatic. Cost allocation tags must be activated in the Billing console to appear in Cost Explorer. First 2 budgets are free; Cost Explorer and Anomaly Detection are free.

 Management Governance — Complete Domain Summary Organizations — multi-account management with OUs, SCPs (maximum permission boundaries), consolidated billing with volume discounts and RI sharing. Management account is never affected by SCPs.
Control Tower — automated landing zone with guardrails (preventive SCPs, detective Config Rules, proactive CloudFormation hooks). Account Factory provisions compliant accounts in minutes.
Trusted Advisor — best-practice recommendations across 5 pillars (cost, performance, security, fault tolerance, limits). 7 free checks; full checks require Business/Enterprise support.
Cost Explorer — visualise/analyse spend (12 months back, 12 months forecast). Filter by service, account, region, tag. RI/SP utilisation reports.
AWS Budgets — set cost/usage thresholds with alerts and enforcement actions (apply SCPs/IAM policies). First 2 budgets free.
Cost Anomaly Detection — ML-based unusual spend detection. Free. Alerts via SNS/email with root cause analysis.
 