Summary
In this article, we explain Oakland University’s Department Integrated AWS account service, including setup, responsibilities, and support available from University Technology Services (UTS).
Body
Overview
The Department Managed AWS account service offering allows distributed IT departments to join the university's established AWS contract with our AWS vendor (DLT). The result is:
- Special pricing discounts
- Separate billing invoice
- Managed by Department IT Staff
- Able to integrate with approved OU IT resources
- Requires review of new use-case implementations
Service Details
The AWS account will be created by UTS, with some administrative permissions given to the lead technical contact, who can implement and maintain pre-approved solutions, as well as create additional IAM users and roles as needed. The department will handle billing. UTS will restrict access to certain tasks where controls are required and implement logging where deemed appropriate.
Account Owner's Responsibilities
Must:
- Designate a purchasing officer who is responsible for paying the bill from department accounts
- Designate an IT professional as the lead technical contact
- Understand that the lead technical contact is responsible for everything outlined in the AWS shared responsibility model
  - Your department is responsible for the maintenance, backup, disaster recovery, and security of its resources wherever AWS does not explicitly take responsibility
- Provide root and cross-account administrative access to UTS
- Follow University policies, especially:
  - No HIPAA data in the cloud
  - Follow data steward approval rules
  - Adhere to policies 860 and 880
- Meet with the UTS cloud engineer for consulting engagements
- Create and maintain AWS IAM accounts
- Complete the required DLT forms and forward them to UTS@oakland.edu
- The lead technical contact is responsible for preserving and providing data if a preservation request for the data occurs
- Submit a review ticket when adding new capabilities to your account
- Submit firewall requests for security group or NACL changes using the "firewall change request - AWS" form at https://forms.oakland.edu
- Take action on UTS recommendations
- Mitigate and alert UTS to any identified risks or security incidents
- Follow technical guidance
Should:
- Create a blanket purchase order with Purchasing
- The lead technical contact should pursue the AWS Certified Cloud Practitioner certification. This certification is a non-technical exam that provides a baseline for making decisions about AWS service offerings.
UTS Responsibilities
UTS is committed to sharing the expertise it has. UTS will:
- Provide guidance on getting good value out of your cloud utilization
- Ensure our cloud use and processes are sustainable
- Act transparently and notify the lead technical contact (when possible) when taking action that impacts your account
- Protect the university's interests
- Review and implement firewall change requests
- Create the AWS account and an IAM user with administrative access for the technical lead
- Restrict all department IAM accounts from modifying security groups or NACLs
Provided we have in-house expertise, we will:
- Provide regular consulting engagements with each technical lead
- Review new use cases, determine whether AWS is a good fit, and provide architectural diagrams
- Create policies and apply them to AWS accounts
- Design basic AWS architectural diagrams based on department requirements
- Recommend consulting engagements for specialized knowledge (e.g. computing or database optimization)
- Inform the department of perceived risks
- Acknowledge when we lack expertise and provide direction elsewhere
- Provide and maintain a list of technical guidelines
- The cloud engineer will aggregate and provide reports to the security team and leadership about data use, workloads, and processes of Department Integrated AWS accounts
Reviewed Use Cases
Managed Database Service with Argos reporting
This managed relational database service runs a PostgreSQL-compatible instance in AWS that can integrate with Argos, our standard reporting tool.
Must:
- Require encryption at rest and in transit
- Configure automated snapshots with 1-month retention
- Use a public IP address and a security group that restricts which IP addresses can access the database
- An Argos integration request should include the public IP address, database name, Postgres user credentials (transmitted securely), and the port used (default is TCP 5432). Requests are submitted as a uts@oakland.edu ticket.
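The following compliance check is an added example, not UTS or Oakland University code. It evaluates the four requirements above against dicts shaped like the output of boto3's `rds.describe_db_instances()` and `ec2.describe_security_groups()`, so the same functions can be pointed at live API output; the sample instances and security groups below are constructed, and the `Parameters` key (holding the effective `rds.force_ssl` value) is an assumed addition that the caller merges in from the instance's parameter group.

```python
from ipaddress import ip_network

MIN_RETENTION_DAYS = 30   # the "1-month retention" requirement
DB_PORT = 5432            # default Postgres port named in the Argos request

def check_security_group(sg: dict, port: int = DB_PORT) -> list:
    """Findings for the group guarding the public DB endpoint: any ingress
    rule that reaches `port` from 0.0.0.0/0 or ::/0 is reported."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        tcp_hit = proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        if not (proto == "-1" or tcp_hit):      # "-1" means all protocols/ports
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{sg['GroupId']}: port {port} is open to the internet ({cidr})")
    return findings

def check_db_instance(db: dict, sgs: dict) -> list:
    """Findings for one entry of rds.describe_db_instances()['DBInstances'];
    `sgs` maps group id -> ec2.describe_security_groups() entry. Assumption:
    the caller merged the effective rds.force_ssl parameter of the instance's
    parameter group into db['Parameters'] (boto3 does not return it here)."""
    findings = []
    if not db.get("StorageEncrypted"):
        findings.append("storage is not encrypted at rest")
    retention = db.get("BackupRetentionPeriod", 0)
    if retention < MIN_RETENTION_DAYS:
        findings.append(f"automated snapshot retention is {retention} days (< {MIN_RETENTION_DAYS})")
    if db.get("Parameters", {}).get("rds.force_ssl") != "1":
        findings.append("rds.force_ssl is off, so TLS is not enforced in transit")
    if not db.get("PubliclyAccessible"):
        findings.append("no public endpoint; the Argos integration expects one")
    for ref in db.get("VpcSecurityGroups", []):
        findings.extend(check_security_group(sgs[ref["VpcSecurityGroupId"]], DB_PORT))
    return findings

# Constructed samples: a compliant setup and one that fails most checks.
SG_OK = {"GroupId": "sg-ok", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
         "ToPort": 5432, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
SG_OPEN = {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
           "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
GOOD_DB = {"StorageEncrypted": True, "BackupRetentionPeriod": 30, "PubliclyAccessible": True,
           "Parameters": {"rds.force_ssl": "1"}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-ok"}]}
BAD_DB = {"StorageEncrypted": False, "BackupRetentionPeriod": 7, "PubliclyAccessible": True,
          "Parameters": {"rds.force_ssl": "0"}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]}
```

An empty findings list means the instance meets the reviewed use case; a non-empty list is what to fix before submitting the Argos integration ticket.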
Example Cost:
A single-availability-zone, midrange RDS instance with 500 GB of storage will cost an estimated $95 a month on a 1-year term. This estimate includes compute, storage, standard backup, and data transfer rates.