This lab is currently in Beta; content may be updated as we refine the material.
Lab: Advanced

Simulated Multi-Account Governance

Model AWS Organizations governance patterns (SCPs, permission boundaries, delegated administrators) inside a single AWS account using named IAM roles, CloudFormation guardrails, and scenario-based verification.

60 minutes
aws/devops

Lab Overview

Real multi-account strategies rely on AWS Organizations SCPs, OU hierarchies, and delegated administrator services. But you cannot create an Organization inside a lab account. Instead, this lab simulates the essential governance patterns using IAM roles, permission boundaries, CloudFormation guardrail templates, and delegated-administrator role modeling, all inside a single account.

You will:

  • Create three IAM roles representing different OU personas (SecurityAuditRole, DevOpsAdminRole, ReadOnlyViewerRole) with appropriate managed policies and trust relationships
  • Author and attach a permission boundary that simulates an SCP: restrict EC2 instance types, deny IAM privilege escalation, deny S3 bucket deletion without MFA
  • Deploy a CloudFormation guardrail template that encodes infrastructure-as-governance (S3 bucket policy requiring SSE-S3 encryption)
  • Configure the delegated administrator pattern with a role trusted by an AWS service and a CloudTrail trail delivering to a governance S3 bucket
  • Run scenario-based verification checks and write findings to a governance report

Every resource is tagged lab=true, Course=dop-c02. Name suffixes use $RANDOM for uniqueness.
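An added example, not the lab's own template: a permission boundary document that encodes the three SCP-style rules listed above. The allowed instance families (t3, t3a) and the specific list of denied IAM actions are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CeilingForBoundedPrincipals",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyInstanceTypesOutsideAllowedFamilies",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": ["t3.*", "t3a.*"]
        }
      }
    },
    {
      "Sid": "DenyIamPrivilegeEscalation",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:PutRolePolicy",
        "iam:PutUserPolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutUserPermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteUserPermissionsBoundary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBucketDeletionWithoutMfa",
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Unlike a real SCP, a boundary only constrains principals it is attached to, so each lab role must be created with it and the boundary itself must deny changes to boundaries (as above) or a bounded role could simply remove it.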

What You'll Learn

Design IAM roles that model AWS Organizations OU personas with appropriate trust policies and managed permissions

Author and attach a permission boundary that simulates SCP-style guardrails (instance type limits, privilege escalation denial, deletion protection)

Deploy a CloudFormation template that encodes infrastructure guardrails as governance-as-code

Configure a delegated administrator IAM role with service-specific trust and validate the delegation pattern

Run systematic AWS CLI verification checks to audit governance controls and produce a compliance report

Prerequisites

  • Basic AWS CLI familiarity
  • AWS associate-level knowledge
  • Completed the AWS DevOps CLI Operations Baseline lab
  • Completed the IAM Least Privilege Boundary lab

Technologies Covered

aws, organizations, governance, scp, permission-boundary, cloudformation, delegated-administrator, cloudtrail, dop-c02, security

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course
