The cost of cloud computing is one that every business will want to evaluate before choosing to migrate traditional infrastructure services to Amazon AWS.  One of the primary objectives of the AWS Certified Solutions Architect – Professional exam is to demonstrate an understanding of costing and to identify areas where a business can manage costs effectively and gain a better ROI.  Costing accounts for 5% of the exam, and if you understand it well, you can easily gain marks that will help you pass the exam.

The following are the core areas of AWS costing you need to be aware of:

  • Demonstrate ability to make architectural decisions that minimize and optimize infrastructure cost
  • Apply the appropriate AWS account and billing set-up options based on scenario
  • Ability to compare and contrast the cost implications of different architectures

AWS Organizations

AWS Organizations enables you to consolidate multiple AWS accounts into a single organization and centrally manage those accounts.  This allows you to centrally manage multiple accounts using global policies and permissions.  You can also use it to consolidate billing and account management functions and thus manage budgets, security and compliance much more effectively for your business.  AWS Organizations also enables you to maximize the volume discounts available on AWS.

Key Features:

  • Centralized management of all of your AWS accounts
    • Create accounts that are automatically part of the Organization or invite other accounts to be part of the Organization
  • Centralized management of all of your AWS accounts using a master account. The master account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts
    • Invitation – This is the process of asking another account to join an AWS Organization account that you set up. You need the account ID or the email address that is associated with the invited account.  Note: Invitations also can be sent to all current member accounts when the organization needs all members to approve the change from supporting only consolidated billing features to supporting all features in the organization
    • Handshake – This is the underlying implementation of an Invitation. Handshake messages are passed between and responded to by the initiator and the recipient to ensure both parties always know the current status.  Handshakes are also used when updating from a consolidated-billing-only organization to an all-features organization
    • Available Features
      • Consolidated Billing – You receive a single bill covering all member accounts, delivered to the payer account.
      • All Features – includes consolidated billing, plus advanced features that give you more control over the accounts in your organization. The master account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access, and can prevent member accounts from leaving the organization.
      • Service Control Policy (SCP) – filters that allow only the specified services and actions to be used in affected accounts. Even if a user is granted full administrator permissions with an IAM permission policy, any access that is not explicitly allowed, or that is explicitly denied, by the SCPs affecting that account is blocked.
        • You can attach an SCP to the following:
          • A root, which affects all accounts in the organization
          • An OU, which affects all accounts in that OU and all accounts in any OUs in that OU subtree
          • An individual account

Important – The master account of the organization is not affected by any SCPs that are attached either to it or to any root or OU the master account might be in.

  • Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
    • Create Organization Units or OUs
    • Group accounts into OUs
    • Attach policies to OUs to allow or deny access to different AWS resources
    • Nest OUs within other OUs up to 5 levels deep
  • Control over the AWS services and API actions that each account can access
    • Restrict which AWS services and individual API actions users and roles in each member account can access. Note that Organizations permissions overrule account permissions, including rules defined by administrators of a member account
  • Integration and support for AWS Identity and Access Management (IAM)
    • IAM can be used to control permissions and policies by defining roles at the account level. Organization further gives you control at the account level over what users and roles in an account or a group of accounts can do.  Thus, users can access only what is allowed by both the Organizations policies and IAM policies. If either blocks an operation, the user can’t access that operation
  • Integration with other AWS services
    • AWS Organizations enables you to select AWS Services to perform tasks on your behalf in your organization’s member accounts. Organizations uses an IAM role called a service-linked role to achieve this capability.  Key Points to note:
      • Service-linked roles have predefined IAM permissions that enable other services to perform specific tasks. As such, neither the role nor its attached policies can be altered
      • The role provisioned when you create a new member account or invite an existing account to join is AWSServiceRoleForOrganizations. This role ensures that Organizations can then create service-linked roles for other AWS services
      • Enabling ‘All Features’ – You can choose to create an organization for ‘consolidated billing features’ only or for ‘all features’.
        • For accounts invited to join an organization – when the administrator agrees to the request to enable all features, AWS Organizations creates a service-linked role automatically if one doesn’t already exist. Note the administrator must have both the organizations:AcceptHandshake and iam:CreateServiceLinkedRole permissions to agree to the request.  If AWSServiceRoleForOrganizations already exists, then the administrator of the account being invited only needs the organizations:AcceptHandshake permission
        • For accounts created in the organization – the account administrator will receive a request to re-create the service-linked role. Note the member account administrator will not receive a request to enable all features in this case, because the master account administrator is considered the owner of the member accounts as well.  The administrator must have both the organizations:AcceptHandshake and iam:CreateServiceLinkedRole permissions to accept the handshake
    • Data replication that is eventually consistent
      • Organizations achieves high availability by replicating data across multiple servers in AWS data centres within its region. Changes must be replicated across the multiple servers and thus eventual consistency is offered with AWS Organizations.
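The two rules above, that an SCP only sets the outer boundary and an IAM policy must still grant the action, and that the master account is exempt from SCPs, are easiest to see in a small simulation. The following is an added example, not code from the original post or from AWS: it evaluates only Effect/Action/NotAction/Resource (no Condition keys, resource policies or permission boundaries) and treats the SCP chain as one policy per level on the path root → OU → account, each of which must explicitly allow the action. The sample policies and the guardrail they express are constructed for the illustration.

```python
"""Simulate how SCPs and IAM identity policies combine for a member account.

Added illustration, not AWS's evaluation engine: IAM conditions, resource
policies and permission boundaries are ignored; only Effect/Action/NotAction/
Resource are evaluated, which is enough to show the SCP-and-IAM intersection.
"""
import fnmatch


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards '*' and '?'; actions are compared case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    resources = _as_list(stmt.get("Resource", "*"))
    if actions:
        action_hit = any(_matches(a, action) for a in actions)
    else:  # NotAction form: applies to everything except the listed actions
        action_hit = not any(_matches(a, action) for a in not_actions)
    resource_hit = any(_matches(r, resource) for r in resources)
    return action_hit and resource_hit


def evaluate_policy(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over any allow
        decision = "Allow"
    return decision


def is_authorized(action, resource, scp_chain, iam_policies, is_master_account=False):
    """True only if every SCP in the chain AND an IAM policy allow the call.

    scp_chain holds one SCP per level on the path root -> OU -> account; each
    level must explicitly allow the action (an explicit deny anywhere blocks it).
    The master account is exempt from SCPs, as the text above notes.
    """
    if not is_master_account:
        for scp in scp_chain:
            if evaluate_policy(scp, action, resource) != "Allow":
                return False
    return any(evaluate_policy(p, action, resource) == "Allow" for p in iam_policies)


# --- constructed sample policies (assumed, not taken from the original post) ---
FULL_AWS_ACCESS = {  # shape of the default SCP attached at the root
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
GUARDRAIL_SCP = {  # allow everything except leaving the org or disabling CloudTrail
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["organizations:LeaveOrganization",
                    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}
ADMIN_IAM = {  # AdministratorAccess-style identity policy inside the member account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
S3_READ_ONLY_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


if __name__ == "__main__":
    chain = [FULL_AWS_ACCESS, GUARDRAIL_SCP]  # root SCP, then the OU SCP
    for action in ("s3:GetObject", "cloudtrail:StopLogging", "organizations:LeaveOrganization"):
        print(action, "as member-account admin ->", is_authorized(action, "*", chain, [ADMIN_IAM]))
    print("cloudtrail:StopLogging as master-account admin ->",
          is_authorized("cloudtrail:StopLogging", "*", chain, [ADMIN_IAM], is_master_account=True))
```

Running it shows the point the exam likes to test: a full administrator in a member account still cannot stop CloudTrail or leave the organization when the OU's SCP denies it, while the same call from the master account succeeds because SCPs never apply there. Swap `ADMIN_IAM` for `S3_READ_ONLY_IAM` and the SCP's broad allow is no longer enough on its own; the IAM side must grant the action too.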


Consolidated Billing

You can use the consolidated billing feature in AWS Organizations to consolidate payment for multiple AWS accounts.  You get a full itemized listing of charges incurred against each member account and the total due to the master payer account. Remember that Consolidated billing is offered at no additional charge.

Before AWS Organizations was available, Amazon offered consolidated billing under the Billing & Cost Management console.  When you used consolidated billing on the Billing and Cost Management console, you had one account that was designated as a payer account. The payer account paid the charges that were accrued by all the other accounts, known as linked accounts, in your consolidated billing family. With AWS Organizations, each organization has one account, called a master account, that pays the charges of all the member accounts in that organization. The member accounts are linked to the master account for billing purposes, just like the linked accounts in consolidated billing were linked to a payer account.

Consolidated billing has the following benefits:

  • One Bill – You get one bill for multiple accounts.
  • Easy Tracking – You can easily track each account’s charges and download the cost data in CSV format.
  • Combined Usage – If you have multiple accounts, your charges might decrease because AWS combines usage from all accounts in the organization to qualify you for volume pricing discounts.

Important Tip – The owner of the master account in an organization should secure the account by using AWS Multi-Factor Authentication and a strong password that has a minimum of eight characters with both uppercase and lowercase letters, at least one digit, and at least one special character.

Exam Tips

  • The current limit on the number of accounts you can consolidate under one account is 20. This is a soft limit
  • Paying Account should be used for payment management only
  • Billing account created on the paying account will be applied to all linked accounts
  • Note that CloudTrail is on per AWS Account and per region. However, you can consolidate logs to a central S3 bucket.  To do this:
    • Turn on CloudTrail on paying account
    • Create bucket policy to allow cross account access
    • Turn on CloudTrail in other accounts and use the bucket in the paying account
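The bucket policy in step two is where the cross-account part lives, so here is an added example, not code from the original post or from AWS, that builds it for a central bucket in the paying account and checks what it permits. The bucket name and the 12-digit account IDs are constructed; the statement shape follows what CloudTrail requires for delivery: the service principal may read the bucket ACL, and may write only under `AWSLogs/<account-id>/` for the accounts listed, and only with the `bucket-owner-full-control` ACL so that the paying account can read logs written by member accounts.

```python
"""Build and check the S3 bucket policy for a central CloudTrail log bucket.

Added illustration with assumed names. Each member account's trail may write
only under its own AWSLogs/<account-id>/ prefix; any other key is rejected.
"""
import fnmatch
import json
import re

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_ids):
    """Policy for `bucket` (in the paying account) accepting trails from account_ids."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
                "Action": "s3:PutObject",
                # one prefix per member account; nothing else in the bucket is writable
                "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in account_ids],
                # objects must be handed to the bucket owner, or the payer cannot read them
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def _listed(value):
    return value if isinstance(value, list) else [value]


def accounts_allowed_to_deliver(policy):
    """Read back which 12-digit account IDs a policy lets CloudTrail write for."""
    ids = set()
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != CLOUDTRAIL_PRINCIPAL or "s3:PutObject" not in _listed(stmt["Action"]):
            continue
        for arn in _listed(stmt["Resource"]):
            m = re.search(r"/AWSLogs/(\d{12})/\*$", arn)
            if m:
                ids.add(m.group(1))
    return ids


def put_permitted(policy, bucket, key, acl):
    """Would CloudTrail's PutObject of `key` into `bucket` with `acl` match an Allow statement?"""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in _listed(stmt.get("Action")):
            continue
        required_acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if required_acl and acl != required_acl:
            continue
        if any(fnmatch.fnmatchcase(object_arn, pattern) for pattern in _listed(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    # constructed member account IDs, not real accounts
    policy = cloudtrail_bucket_policy("org-cloudtrail-logs", ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
    print("accounts that may deliver:", sorted(accounts_allowed_to_deliver(policy)))
```

Once the policy is attached to the bucket in the paying account, each member account points its trail at that bucket (for example `aws cloudtrail create-trail --name org-trail --s3-bucket-name org-cloudtrail-logs`, using the constructed names above); `accounts_allowed_to_deliver` is a handy review check that every member account is actually listed. AWS also documents an optional `aws:SourceArn` condition on the write statement that pins it to the expected trail ARN, which is worth adding when the bucket name is shared widely.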

AWS Certification – 600 Practice Exam Questions – Get Prepared for your Exam Day!

Our AWS Exam Simulator with 600 practice exam questions comes with comprehensive explanations that will help you prepare for one of the most sought-after IT Certifications of the year.  Register Today and start preparing for your AWS Certification.