AWS Solutions Architect Professional Study Notes

Multi-Account Strategies

Enterprise-scale AWS account organization and governance

AWS Organizations

Consolidated Billing: Single payment method for all accounts with combined usage discounts
Service Control Policies (SCPs): Guardrails that restrict permissions across accounts - deny overrides all allows
Organizational Units (OUs): Hierarchical grouping of accounts for policy application
All Features Mode: Required for SCPs, tag policies, and AI services opt-out policies

SCP Key Concept

SCPs are permission boundaries, not grants. They limit what IAM policies can allow. Even if IAM allows an action, if SCP denies it, the action is blocked. SCPs do NOT apply to the management account.

AWS Control Tower

Landing Zone

Pre-configured, secure multi-account environment based on AWS best practices with logging and security accounts

Guardrails

Preventive (SCPs) and Detective (AWS Config rules) controls. Mandatory, Strongly Recommended, and Elective categories

Account Factory

Automated account provisioning with pre-approved configurations. Uses Service Catalog under the hood

Dashboard

Single view of compliance status, guardrail violations, and account provisioning across the organization

Account Structure Best Practices

Account Type	Purpose	Key Services
Management	Organization root, billing, SCPs (minimal workloads)	Organizations, Billing, Cost Explorer
Log Archive	Centralized logging from all accounts	CloudTrail, Config, S3, CloudWatch Logs
Security/Audit	Security tooling and cross-account audit	Security Hub, GuardDuty, IAM Access Analyzer
Shared Services	Common infrastructure (AD, DNS, CI/CD)	Directory Service, Route 53, CodePipeline
Network	Transit Gateway, Direct Connect, VPN	Transit Gateway, Direct Connect, VPN
Sandbox	Experimentation with limited budget	Service Catalog, Budgets, Cost Controls
Workload (Dev/Prod)	Application environments	Application-specific services

Cross-Account Access Patterns

Secure access patterns between AWS accounts

IAM Role Assumption

AssumeRole: Primary method for cross-account access. Role in target account trusts principal from source account
External ID: Prevents confused deputy problem when third parties assume roles. Always use for external access
Session Policies: Further restrict assumed role permissions for specific sessions
Chained Roles: Maximum of 1 hour session when role assumes another role

Resource-Based Policies

Service	Resource Policy	Cross-Account Pattern
S3	Bucket Policy	Grant access to principals from other accounts
KMS	Key Policy	Allow external accounts to use CMKs
SNS/SQS	Access Policy	Allow cross-account publish/subscribe
Lambda	Resource Policy	Allow invocation from other accounts
Secrets Manager	Resource Policy	Share secrets across accounts
ECR	Repository Policy	Share container images across accounts

Identity vs Resource Policies

Identity-based: Attach to IAM users/roles - "what can this identity do?"

Resource-based: Attach to resources - "who can access this resource?" Cross-account access is often simpler with resource policies (no role assumption needed for some services)

AWS Resource Access Manager (RAM)

Purpose: Share AWS resources across accounts within or outside your organization
Shareable Resources: Transit Gateways, Subnets, License Manager configs, Route 53 Resolver rules, and more
Organization Sharing: Enable sharing within organization for automatic acceptance
Permissions: Shared resources retain original owner's permissions; participants get usage rights

Hybrid & Multi-Region Networking

Connecting on-premises and multi-region AWS environments

AWS Direct Connect

Dedicated Connection

1 Gbps, 10 Gbps, or 100 Gbps. Physical connection at Direct Connect location. Weeks to provision

Hosted Connection

50 Mbps to 10 Gbps through AWS Partner. Faster provisioning. Add/remove capacity on demand

Virtual Interfaces (VIFs)

Public VIF (AWS public services), Private VIF (VPC), Transit VIF (Transit Gateway)

Direct Connect Gateway

Connect Direct Connect to multiple VPCs across regions. Does NOT provide VPC-to-VPC routing

Direct Connect + VPN

For encrypted traffic over Direct Connect, use Site-to-Site VPN over Direct Connect public VIF. Direct Connect itself does NOT encrypt traffic in transit.

AWS Transit Gateway

Hub-and-Spoke: Regional router connecting VPCs, VPNs, Direct Connect, and SD-WAN
Route Tables: Multiple route tables for network segmentation. Control which attachments can communicate
Inter-Region Peering: Connect Transit Gateways across regions (encrypted, uses AWS backbone)
Multicast: Only AWS service supporting multicast. Useful for media streaming and financial data feeds
Network Manager: Global view of private network across AWS and on-premises

Connectivity Options Comparison

Option	Bandwidth	Latency	Encryption	Best For
Site-to-Site VPN	Up to 1.25 Gbps per tunnel	Variable (internet)	Yes (IPsec)	Quick setup, backup connection
Direct Connect	Up to 100 Gbps	Consistent, low	No (use VPN overlay)	Production workloads, large data transfer
VPC Peering	No limit (intra-region)	Lowest	Yes (in-transit)	Simple VPC-to-VPC, non-transitive
Transit Gateway	50 Gbps per attachment	Low	VPN attachments only	Complex multi-VPC, hybrid networks
PrivateLink	Endpoint bandwidth	Low	Yes	Private access to services

Enterprise Identity Federation

Integrating corporate identity with AWS

AWS IAM Identity Center (SSO)

Centralized Access: Single sign-on to all AWS accounts and business applications
Identity Sources: Built-in directory, Active Directory, or external IdP (Okta, Azure AD)
Permission Sets: Collections of IAM policies assigned to users/groups for specific accounts
Attribute-Based Access Control: Use user attributes from IdP for dynamic permissions

Federation Options

Method	Use Case	Token Duration	Key Points
IAM Identity Center	Workforce access to multiple accounts	Configurable	Preferred for organization-wide SSO
SAML 2.0 Federation	Enterprise IdP integration	Up to 12 hours	AssumeRoleWithSAML, console access
Web Identity Federation	Mobile/web apps, social login	Up to 12 hours	Cognito or direct (Google, Facebook)
Custom Identity Broker	Legacy systems, special requirements	Configurable	Your code calls STS AssumeRole
AWS Directory Service	Windows workloads, AD integration	N/A	Managed AD, AD Connector, Simple AD

Cognito for Applications

User Pools: User directory for sign-up/sign-in. Returns JWT tokens. Good for app authentication.

Identity Pools: Exchange tokens for temporary AWS credentials. Provides direct AWS service access.

AWS Directory Service Options

AWS Managed Microsoft AD

Full Microsoft AD, supports trusts with on-premises AD, MFA, Group Policy. Best for enterprise Windows workloads

AD Connector

Proxy to on-premises AD. No caching, no user storage in AWS. Best when you must keep all AD on-premises

Simple AD

Standalone Samba-based AD. No trust relationships. Best for small workloads, Linux admin access

AWS Solutions Architect Professional Study Notes

Multi-Account Strategies

Enterprise-scale AWS account organization and governance

AWS Organizations

Consolidated Billing: Single payment method for all accounts with combined usage discounts
Service Control Policies (SCPs): Guardrails that restrict permissions across accounts - deny overrides all allows
Organizational Units (OUs): Hierarchical grouping of accounts for policy application
All Features Mode: Required for SCPs, tag policies, and AI services opt-out policies

SCP Key Concept

SCPs are permission boundaries, not grants. They limit what IAM policies can allow. Even if IAM allows an action, if SCP denies it, the action is blocked. SCPs do NOT apply to the management account.

AWS Control Tower

Landing Zone

Pre-configured, secure multi-account environment based on AWS best practices with logging and security accounts

Guardrails

Preventive (SCPs) and Detective (AWS Config rules) controls. Mandatory, Strongly Recommended, and Elective categories

Account Factory

Automated account provisioning with pre-approved configurations. Uses Service Catalog under the hood

Dashboard

Single view of compliance status, guardrail violations, and account provisioning across the organization

Account Structure Best Practices

Account Type	Purpose	Key Services
Management	Organization root, billing, SCPs (minimal workloads)	Organizations, Billing, Cost Explorer
Log Archive	Centralized logging from all accounts	CloudTrail, Config, S3, CloudWatch Logs
Security/Audit	Security tooling and cross-account audit	Security Hub, GuardDuty, IAM Access Analyzer
Shared Services	Common infrastructure (AD, DNS, CI/CD)	Directory Service, Route 53, CodePipeline
Network	Transit Gateway, Direct Connect, VPN	Transit Gateway, Direct Connect, VPN
Sandbox	Experimentation with limited budget	Service Catalog, Budgets, Cost Controls
Workload (Dev/Prod)	Application environments	Application-specific services

Cross-Account Access Patterns

Secure access patterns between AWS accounts

IAM Role Assumption

AssumeRole: Primary method for cross-account access. Role in target account trusts principal from source account
External ID: Prevents confused deputy problem when third parties assume roles. Always use for external access
Session Policies: Further restrict assumed role permissions for specific sessions
Chained Roles: Maximum of 1 hour session when role assumes another role

Resource-Based Policies

Service	Resource Policy	Cross-Account Pattern
S3	Bucket Policy	Grant access to principals from other accounts
KMS	Key Policy	Allow external accounts to use CMKs
SNS/SQS	Access Policy	Allow cross-account publish/subscribe
Lambda	Resource Policy	Allow invocation from other accounts
Secrets Manager	Resource Policy	Share secrets across accounts
ECR	Repository Policy	Share container images across accounts

Identity vs Resource Policies

Identity-based: Attach to IAM users/roles - "what can this identity do?"

Resource-based: Attach to resources - "who can access this resource?" Cross-account access is often simpler with resource policies (no role assumption needed for some services)

AWS Resource Access Manager (RAM)

Purpose: Share AWS resources across accounts within or outside your organization
Shareable Resources: Transit Gateways, Subnets, License Manager configs, Route 53 Resolver rules, and more
Organization Sharing: Enable sharing within organization for automatic acceptance
Permissions: Shared resources retain original owner's permissions; participants get usage rights

Hybrid & Multi-Region Networking

Connecting on-premises and multi-region AWS environments

AWS Direct Connect

Dedicated Connection

1 Gbps, 10 Gbps, or 100 Gbps. Physical connection at Direct Connect location. Weeks to provision

Hosted Connection

50 Mbps to 10 Gbps through AWS Partner. Faster provisioning. Add/remove capacity on demand

Virtual Interfaces (VIFs)

Public VIF (AWS public services), Private VIF (VPC), Transit VIF (Transit Gateway)

Direct Connect Gateway

Connect Direct Connect to multiple VPCs across regions. Does NOT provide VPC-to-VPC routing

Direct Connect + VPN

For encrypted traffic over Direct Connect, use Site-to-Site VPN over Direct Connect public VIF. Direct Connect itself does NOT encrypt traffic in transit.

AWS Transit Gateway

Hub-and-Spoke: Regional router connecting VPCs, VPNs, Direct Connect, and SD-WAN
Route Tables: Multiple route tables for network segmentation. Control which attachments can communicate
Inter-Region Peering: Connect Transit Gateways across regions (encrypted, uses AWS backbone)
Multicast: Only AWS service supporting multicast. Useful for media streaming and financial data feeds
Network Manager: Global view of private network across AWS and on-premises

Connectivity Options Comparison

Option	Bandwidth	Latency	Encryption	Best For
Site-to-Site VPN	Up to 1.25 Gbps per tunnel	Variable (internet)	Yes (IPsec)	Quick setup, backup connection
Direct Connect	Up to 100 Gbps	Consistent, low	No (use VPN overlay)	Production workloads, large data transfer
VPC Peering	No limit (intra-region)	Lowest	Yes (in-transit)	Simple VPC-to-VPC, non-transitive
Transit Gateway	50 Gbps per attachment	Low	VPN attachments only	Complex multi-VPC, hybrid networks
PrivateLink	Endpoint bandwidth	Low	Yes	Private access to services

Enterprise Identity Federation

Integrating corporate identity with AWS

AWS IAM Identity Center (SSO)

Centralized Access: Single sign-on to all AWS accounts and business applications
Identity Sources: Built-in directory, Active Directory, or external IdP (Okta, Azure AD)
Permission Sets: Collections of IAM policies assigned to users/groups for specific accounts
Attribute-Based Access Control: Use user attributes from IdP for dynamic permissions

Federation Options

Method	Use Case	Token Duration	Key Points
IAM Identity Center	Workforce access to multiple accounts	Configurable	Preferred for organization-wide SSO
SAML 2.0 Federation	Enterprise IdP integration	Up to 12 hours	AssumeRoleWithSAML, console access
Web Identity Federation	Mobile/web apps, social login	Up to 12 hours	Cognito or direct (Google, Facebook)
Custom Identity Broker	Legacy systems, special requirements	Configurable	Your code calls STS AssumeRole
AWS Directory Service	Windows workloads, AD integration	N/A	Managed AD, AD Connector, Simple AD

Cognito for Applications

User Pools: User directory for sign-up/sign-in. Returns JWT tokens. Good for app authentication.

Identity Pools: Exchange tokens for temporary AWS credentials. Provides direct AWS service access.

AWS Directory Service Options

AWS Managed Microsoft AD

Full Microsoft AD, supports trusts with on-premises AD, MFA, Group Policy. Best for enterprise Windows workloads

AD Connector

Proxy to on-premises AD. No caching, no user storage in AWS. Best when you must keep all AD on-premises

Simple AD

Standalone Samba-based AD. No trust relationships. Best for small workloads, Linux admin access

Quick Feedback

AWS Solutions Architect Professional Study Notes

AWS Organizations

SCP Key Concept

AWS Control Tower

Landing Zone

Guardrails

Account Factory

Dashboard

Account Structure Best Practices

IAM Role Assumption

Resource-Based Policies

Identity vs Resource Policies

AWS Resource Access Manager (RAM)

AWS Direct Connect

Dedicated Connection

Hosted Connection

Virtual Interfaces (VIFs)

Direct Connect Gateway

Direct Connect + VPN

AWS Transit Gateway

Connectivity Options Comparison

AWS IAM Identity Center (SSO)

Federation Options

Cognito for Applications

AWS Directory Service Options

AWS Managed Microsoft AD

AD Connector

Simple AD

AWS Solutions Architect Professional Study Notes

AWS Organizations

SCP Key Concept

AWS Control Tower

Landing Zone

Guardrails

Account Factory

Dashboard

Account Structure Best Practices

IAM Role Assumption

Resource-Based Policies

Identity vs Resource Policies

AWS Resource Access Manager (RAM)

AWS Direct Connect

Dedicated Connection

Hosted Connection

Virtual Interfaces (VIFs)

Direct Connect Gateway

Direct Connect + VPN

AWS Transit Gateway

Connectivity Options Comparison

AWS IAM Identity Center (SSO)

Federation Options

Cognito for Applications

AWS Directory Service Options

AWS Managed Microsoft AD

AD Connector

Simple AD