Summary
This article outlines the Peered AWS account service offered by Oakland University, including setup, responsibilities for departments, and UTS support for isolated, grant-funded cloud environments.
Body
Overview
The Peered AWS account service offering allows academic departments or grant-funded researchers to join the AWS contract Oakland University has established with its AWS reseller (DLT). The department holds its own separate AWS account, and the AWS services in that account cannot interact with any other Oakland University (OU) IT system, whether on-premises or in the cloud. The result is:
- Special pricing discounts
- Separate billing invoice
- Enables the transfer of an existing personal AWS account to OU
- Great for isolated IT environments
Account Owner's Responsibilities
Must:
- Designate a purchasing officer who is responsible for paying the bill from department accounts.
- Designate a Lead Technical contact
- Understand that the lead technical contact is responsible for the customer side of the AWS shared responsibility model.
- Your department is responsible for the maintenance, backup, disaster recovery, and security of its resources wherever AWS does not explicitly take that responsibility.
- Provide cross-account administrative access to UTS, to be used only in predefined situations.
- Follow university policies, especially:
- No HIPAA data in the cloud
- Follow data steward approval rules
- Adhere to policies 860 and 880
- Be willing to meet with UTS cloud engineer for consulting engagements
- Create and maintain the AWS IAM users in the account
- Complete the required DLT forms and forward them to UTS@oakland.edu
- The lead technical contact is responsible for preserving and producing data if a preservation request for that data is received.
Should:
- Take action on UTS recommendations
- Create a Blanket Purchase Order with purchasing
- Mitigate any identified risks or security incidents and alert UTS to them
- The lead technical contact should pursue the AWS Certified Cloud Practitioner certification. This is a foundational, non-technical exam that provides a baseline for making decisions about AWS service offerings.
- Follow technical guidance
- Be transparent about the types of data and work being done
- Consult with and obtain approval from the Research Office if applicable
UTS Responsibilities
UTS is committed to sharing what expertise we have, to help:
- Ensure you are getting good value out of your cloud utilization
- Ensure our cloud use and processes are sustainable
- Act transparently and notify the lead technical contact (when possible) when taking action that impacts your peered account.
- Protect the university's interests
Provided we have in-house expertise, we will:
- Provide regular consulting engagements with each technical lead
- Create policies and apply them to peered AWS accounts
- Provide proof of concepts
- Design basic AWS architectural diagrams based on department requirements
- Recommend outside engagements where specialized consulting is needed (for example, compute or database optimization)
- Inform department of perceived risks
- Acknowledge and provide direction when we do not have expertise.
- Provide and maintain a list of technical guidelines
- The cloud engineer will aggregate and provide reports to the security team and leadership about the data use, workloads, and processes of peered AWS accounts.
Technical General Use Guidelines
These guidelines should be thought of as a good set of items to consider. If, for a technical reason, one of them does not apply to you, that is fine. They also serve as reasonable defaults for most Oakland University cloud users.
- Use 1 VPC per account
- Request and use the recommended private IP address ranges. A range that does not overlap other OU networks ensures your VPC can be peered with or connected to them if that is needed in the future.
- Use Oakland University email addresses for IAM users. This helps UTS reach the owner and regain control if an account is compromised.
- Use the Ohio region (us-east-2). It has the lowest latency from campus and the best or near-best pricing.
- Use the CloudFormation templates provided by UTS to stand up a new environment.
- Utilize free AWS Basic Support
- Run and evaluate AWS Trusted Advisor reports to help follow best practices
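As an added example (not UTS's own tooling), the following script checks a proposed VPC against the guidelines above: a private, non-overlapping CIDR, the Ohio region, and a single VPC. The registry of ranges already assigned to other OU networks and the UTS account values are constructed placeholders; the real recommended range comes from UTS.

```python
"""Added example: validate a peered-account VPC request against the
general-use guidelines. The assigned-range registry below is made up for
illustration; it stands in for the ranges UTS actually tracks."""
import ipaddress

# Constructed stand-in for the address-range registry UTS maintains.
# Values are invented; request your real range from UTS.
ASSIGNED_RANGES = {
    "campus-on-prem (example)": ipaddress.ip_network("10.0.0.0/12"),
    "peered-account-A (example)": ipaddress.ip_network("10.64.0.0/16"),
    "peered-account-B (example)": ipaddress.ip_network("10.65.0.0/16"),
}

# The Ohio region recommended on this page.
RECOMMENDED_REGION = "us-east-2"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_request(cidr: str, region: str, vpc_count: int = 1) -> list:
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=True)

    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append(f"{net} is not a private (RFC 1918) range")

    # Overlap is what breaks future VPC peering or VPN integration:
    # two connected networks cannot share address space.
    for owner, assigned in ASSIGNED_RANGES.items():
        if net.overlaps(assigned):
            problems.append(f"{net} overlaps {assigned} ({owner})")

    if region != RECOMMENDED_REGION:
        problems.append(
            f"region {region} is not the recommended {RECOMMENDED_REGION} (Ohio)")

    if vpc_count != 1:
        problems.append(
            f"{vpc_count} VPCs requested; guideline is one VPC per account")

    return problems


def next_free_block(prefixlen: int = 16,
                    within: str = "10.0.0.0/8") -> ipaddress.IPv4Network:
    """First /prefixlen inside `within` that overlaps nothing assigned.
    Stands in for 'request a recommended range from UTS'."""
    for candidate in ipaddress.ip_network(within).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(a) for a in ASSIGNED_RANGES.values()):
            return candidate
    raise RuntimeError("no free block left in the registry")


if __name__ == "__main__":
    # A console-default style 10.0.0.0/16 collides with the (example) campus space.
    print(check_vpc_request("10.0.0.0/16", "us-east-1"))
    print(check_vpc_request(str(next_free_block()), "us-east-2"))
```

The point of the overlap check is that a CIDR chosen without consulting UTS is the one guideline that cannot be fixed later without rebuilding the VPC; everything else on the list can be changed in place.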
Guidelines for UTS use of the administrative account
- Read-only access (no changes) for necessary auditing and in preparation for consulting engagements.
- In response to a security incident
- To apply policies to your account
- If a resource in an account is believed to be impacting Oakland University IT resources.
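The cross-account access described above (the required administrative access, used read-only except in the listed situations) is usually implemented as IAM roles in the peered account that UTS assumes. The following is an added example, not UTS's template: it builds a separate read-only role and an administrative role, each trusting only the UTS account, and audits a trust policy for the mistakes that would let anyone else assume it. The UTS account ID and ExternalId are placeholders; splitting the access into two roles and requiring MFA on the administrative one are this example's design choices, not requirements stated on this page.

```python
"""Added example: cross-account roles a peered account exposes to UTS.
Account ID and ExternalId are placeholders (assumptions)."""
import json

UTS_ACCOUNT_ID = "111122223333"         # placeholder, not a real OU account
EXTERNAL_ID = "oakland-peered-example"  # placeholder; UTS would issue the real one

# AWS-managed policies (real ARNs).
READ_ONLY_POLICY = "arn:aws:iam::aws:policy/ReadOnlyAccess"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def trust_policy(trusted_account: str, external_id: str, require_mfa: bool) -> dict:
    """Only principals in the trusted account may assume the role, only with the
    agreed ExternalId (confused-deputy guard), and optionally only with MFA."""
    conditions = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": conditions,
        }],
    }


def uts_roles() -> dict:
    """Two roles as CloudFormation-style resource definitions (plain dicts)."""
    return {
        "UTSReadOnlyRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "UTS-ReadOnly",
                "AssumeRolePolicyDocument": trust_policy(
                    UTS_ACCOUNT_ID, EXTERNAL_ID, require_mfa=False),
                "ManagedPolicyArns": [READ_ONLY_POLICY],
            },
        },
        "UTSAdminRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "UTS-Admin",
                "AssumeRolePolicyDocument": trust_policy(
                    UTS_ACCOUNT_ID, EXTERNAL_ID, require_mfa=True),
                "ManagedPolicyArns": [ADMIN_POLICY],
                "MaxSessionDuration": 3600,  # one-hour sessions for the break-glass role
            },
        },
    }


def audit_trust_policy(doc: dict, expected_account: str) -> list:
    """Flag trust-policy mistakes that let someone other than UTS assume the role."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*" or f":{expected_account}:" not in p:
                findings.append(f"principal {p!r} is not in the UTS account {expected_account}")
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    roles = uts_roles()
    print(json.dumps(roles, indent=2))
    for name, role in roles.items():
        doc = role["Properties"]["AssumeRolePolicyDocument"]
        print(name, audit_trust_policy(doc, UTS_ACCOUNT_ID) or "trust policy OK")
```

One caveat on the MFA condition: aws:MultiFactorAuthPresent is only set when the caller authenticated with MFA directly; if UTS reaches the admin role by chaining from another assumed role, the key may be absent and the assume call is denied, which is usually the desired fail-closed behaviour but should be agreed with UTS before the role is deployed.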