문제

질문 1: A company is using AWS Organizations to manage their multi-account and multi-region AWS infrastructure. They are currently doing large-scale automation for their key daily processes to save costs. One of these key processes is sharing specified AWS resources, which an organizational account owns, with other AWS accounts of the company using AWS RAM. There is already an existing service which was previously managed by a separate organization account moderator, who also maintained the specific configuration details.

In this scenario, what could be a simple and effective solution that would allow the service to perform its tasks on the organization accounts on the moderator’s behalf?

A)Use trusted access by running the enable-sharing-with-aws-organization command in the AWS RAM CLI. Mirror the configuration changes that was performed by the account that previously managed this service.

B)Enable cross-account access with AWS Organizations in the Resource Access Manager Console. Mirror the configuration changes that was performed by the account that previously managed this service.

C)Attach an IAM role on the service detailing all the allowed actions that it will be able to perform. Install an SSM agent in each of the worker VMs. Use AWS Systems Manager to build automation workflows that involve the daily key processes.

D)Configure a service-linked role for AWS RAM and modify the permissions policy to specify what the role can and cannot do. Lastly, modify the trust policy of the role so that other processes can utilize AWS RAM.

풀이 및 공부

RAM 이란?

AWS RAM을 사용하면 지원되는 리소스 유형에 대해 AWS 계정 전체에서, 조직 또는 조직 단위(OU) 내에서 IAM 역할 및 사용자와 안전하게 리소스를 공유할 수 있는 서비스이다.

다른 계정에게 내 Resource를 공유할 수 있는 설정이다. enable 시켜주면 이제 resource share 기능을 사용할 수 있다.

Create 해보자

Private Subnet 하나를 공유해보자

Allow external accounts에 체크하면 organization이 아닌 계정에도 권한을 줄 수 있다고 한다.

다른 계정으로 들어와서 Shared resources 를 클릭하면 방금 설정한 공유 resource를 볼 수 있다.

RAM을 통해 다른 계정의 subnet 도 사용할 수 있게 되었다.

A번

A)Use trusted access by running the enable-sharing-with-aws-organization command in the AWS RAM CLI. Mirror the configuration changes that was performed by the account that previously managed this service.

CLI로 하라는건데, 사실 AWS 콘솔에서 해도 된다. 위에서 서비스를 소개하며 체크했던 항목이랑 사실 같은 것이다.

Truested Access 라는 용어가 나오는데 참고로 Enable sharing within your AWS Organization을 체크 후 save하면 AWS Organizations 에서 RAM Service의 Truested access가 활성화 된 것을 볼 수 있다.

D번

D)Configure a service-linked role for AWS RAM and modify the permissions policy to specify what the role can and cannot do. Lastly, modify the trust policy of the role so that other processes can utilize AWS RAM.

service-linked role 이라는 용어가 무엇인지 알아보자.

A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.

참고로 A번 정답의 커맨드를 입력하면 이렇게 생긴 service-linked role도 생성된다.

the trust policy of a service-linked role cannot be modified

라고한다.

클릭해서 들어가보자

왼쪽이 클릭해서 들어간 service-linked role이고 오른쪽은 그냥 role

service-linked role은 permission add할 수 있는 버튼이 안보인다.

추가 정보

참고

• service-linked role