AWS Certified Solutions Architect - Professional 2020


Help with Question about Cost Management

I encountered this question while doing a practice exam. Does anybody know what the best answer is?


Each development team at a company has their own non-production AWS accounts in AWS Organizations. In each of those accounts, Developers have IAM users in developer IAM groups that grant administrative and cost permissions to their users. Each development team has a budget they routinely exceed. Finance has asked that constraints be placed on the development team to address the spending problems. IT is adamant that any new control should not limit the Developers’ abilities to innovate and experiment.

Which scenario will satisfy both Finance and IT?

a. In the master account, create a budget using AWS Budgets for each linked development account. When a forecasted budget reaches 100% of the monthly budget, publish to an SNS topic. Subscribe an AWS Lambda function to the topic that adds a policy to the developer IAM group that denies launching new infrastructure.

b. In the master account, create a budget using AWS Budgets for each linked development account. When a forecasted budget reaches 100% of the monthly budget, publish to an SNS topic. Subscribe an AWS Lambda function to the topic that creates a new SCP for the account that denies launching new infrastructure.

c. In each development account, create a budget using AWS Budgets. When a forecasted budget reaches 100% of the monthly budget, publish to an SNS topic. Subscribe an AWS Lambda function to the topic that adds a policy to the developer IAM group that denies launching new infrastructure.

d. In each development account, create a budget using AWS Budgets. When a forecasted budget reaches 100% of the monthly budget, publish to an SNS topic. Subscribe an AWS Lambda function to the topic that creates a new SCP for the account that denies launching new infrastructure.


I am leaning towards A since creating the budget in the master account is easier operationally for all development accounts. And adding a policy to the developer IAM group is less limiting than putting a deny SCP on the whole account.

Let me know your thoughts.

1 Answer

Hi,
I only have a comment to make, but I still chose to answer this to keep it at the top of the pile (as I would like to know the answer too).
(It seems that there is one option missing above, as c and d are the same.)

Anyway, I was thinking that option A may not be the right answer, as we are talking about modifying IAM policies of users / groups in all the linked accounts. If the action were just modifying some IAM policy in the master account, A may have made sense. I don’t know if there is a way to dynamically switch roles into each of the linked accounts to modify user / group policies in all those accounts.
Option B looks good to me – if the question were about managing an organization-wide budget for the entire development team. That would have been an ideal option, as I can apply SCPs to the linked accounts in my organization.
But the question says "Each development team has a budget" and "Each development team at a company has their own non-production AWS accounts". So I am going with option C, as these budgets can be individually managed by these accounts and an IAM policy can be applied locally in each account.

Latest Edit:
I found a two-part series of posts that talk about Centralized vs. Decentralized Budgeting to support my answer choice above. (The posts talk about the relatively newer auto-action feature, which gives you a choice of setting IAM policies or SCPs without having to invoke a Lambda function, but it is nevertheless the same idea.) When I first looked at the options, I liked none of them, as there was no way of revoking these policies automatically – I am glad that the posts mention this too. The link to the second part is here – the link to the first part is in the post:
https://aws.amazon.com/blogs/mt/manage-cost-overruns-part-2/

Thanks Apradana for posting this – it was interesting and I learned more.

Apradana

Thanks for the highlight, I have modified answer D.

Apradana

I wonder whether the Lambda function can modify an IAM policy in another account, maybe? That’s why I answered A.

Kannan

Just added an edit with a link.

Apradana

Actually, I came across that link as well. But I’m not sure if that suits the scenario here (though it is similar).
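The mechanism the whole thread turns on, as an added example that is not from the original post or from AWS: a Lambda handler subscribed to the budget SNS topic that attaches an explicit Deny for launch actions to the developer IAM group. By default it acts in its own account (option C); given a linked account id it first assumes a cross-account role there, which is the "can Lambda modify IAM in another account" question from the comments (option A). The group name, the inline policy name, the role name `BudgetEnforcer`, the environment variable names and the `revoke_deny` helper are assumptions; the SNS message text is not parsed.

```python
import json
import os

# Only "launch" actions are denied; reads, updates and already-running resources
# stay allowed, which is what keeps the control from blocking experimentation.
LAUNCH_ACTIONS = ("ec2:RunInstances", "rds:CreateDBInstance",
                  "lambda:CreateFunction", "ecs:RunTask", "eks:CreateCluster")
POLICY_NAME = "BudgetExceededDenyLaunch"  # assumed name of the inline group policy


def build_deny_policy(actions=LAUNCH_ACTIONS):
    """An explicit Deny overrides the administrative Allow already on the group."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyLaunchWhileOverBudget", "Effect": "Deny",
                           "Action": list(actions), "Resource": "*"}]}


def iam_client_for_account(account_id=None, role_name="BudgetEnforcer"):
    """No account id: act in the local account (option C). With one: assume an
    assumed cross-account role in that linked account (option A). The role
    name is an assumption; each linked account must trust the master account."""
    import boto3  # imported lazily so the pure helpers stay importable offline
    if account_id is None:
        return boto3.client("iam")
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="budget-enforcer")["Credentials"]
    return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def apply_deny(iam, group_name):
    """Attach the inline Deny to the developer group."""
    iam.put_group_policy(GroupName=group_name, PolicyName=POLICY_NAME,
                         PolicyDocument=json.dumps(build_deny_policy()))
    return POLICY_NAME


def revoke_deny(iam, group_name):
    """The budget alert never lifts the restriction by itself; call this from a
    scheduled function at the start of the next budget period."""
    iam.delete_group_policy(GroupName=group_name, PolicyName=POLICY_NAME)
    return POLICY_NAME


def handler(event, context=None, iam=None):
    """SNS-triggered entry point; the environment variable names are assumptions."""
    group = os.environ.get("DEVELOPER_GROUP", "developers")
    iam = iam or iam_client_for_account(os.environ.get("TARGET_ACCOUNT_ID"))
    return {"group": group, "policy": apply_deny(iam, group)}
```

Because the Deny is attached at group level, every user in the group is affected at once and nothing already running is touched.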
