5 Key Considerations for Adopting Amazon Web Services

Jul 07, 2016, by Sara Jeanes
Tags: Amazon Web Services, Frontpage News, Infrastructure & Platform Services, Internet2 NET+

After a full year of availability and nearly 50 campuses subscribing to the NET+ Amazon Web Services offering, several considerations for adopting AWS have come about that other institutions may find helpful. 

1. Aggregated billing and detailed reporting

In order to manage AWS usage across the institution effectively, transparency of that usage through detailed reporting and aggregated billing is a must. The NET+ AWS by DLT program facilitates an understanding of campus AWS usage. An AWS account can act as a billing boundary when deploying AWS accounts: a Purchase Order can be applied to multiple accounts, but the reverse is not true, and multiple Purchase Orders cannot be applied to a single account. A Purchasing Card can also be used to pay for usage on an AWS account. Each of these methods of workload aggregation lends a different flavor to the implementation of NET+ AWS by DLT. These will be explored further in the next blog post.

2. Architecting within Accounts

Several architectural decisions should be made in advance, since a single AWS account used for a number of use cases will require a more complex internal network design. Consideration will need to be given to VPC creation, subnetting, routing within the account, Security Groups, VPC Peering, and routing between the AWS account and campus.

If multiple AWS accounts are deployed, the internal design of each account will be simpler, but coordination among accounts will need to be maintained, especially if they are expected to communicate back to campus or with one another.

3. Security

A single account provides a single location for auditing, logging, and monitoring to be configured and for policy to be enforced. With multiple accounts, this work is multiplied by each new account provisioned. Some of the pain of managing and monitoring a sprawling number of accounts can be alleviated by applying CloudFormation templates and IAM Policy Documents to each new account.

Security professionals can be provisioned with read-only access to each account, and the S3 directory where logs and audits are written can be protected from tampering. In implementing any topology, it is important to ensure that an individual with permission to take an action cannot also delete the logs associated with that action.
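To make the separation-of-duties rule above concrete, here is an added example (not from the post or the NET+ program) that evaluates a set of IAM-style policy documents and reports whether an identity could delete objects from the bucket where audit logs are written. The bucket name, account id and policies are constructed for illustration, and the evaluator deliberately ignores conditions, NotAction/NotResource and cross-account rules.

```python
from fnmatch import fnmatchcase

# Constructed names for illustration; the real bucket and account id differ per campus.
LOG_BUCKET = "arn:aws:s3:::campus-audit-logs-example"
LOG_OBJECT = LOG_BUCKET + "/AWSLogs/000000000000/CloudTrail/example.json.gz"
# (action, resource) pairs that would let someone destroy audit evidence
TAMPER_CHECKS = [("s3:DeleteObject", LOG_OBJECT),
                 ("s3:DeleteObjectVersion", LOG_OBJECT),
                 ("s3:DeleteBucket", LOG_BUCKET)]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM wildcards ("*" and "?") behave like shell globs; matching is case-sensitive here
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def is_allowed(statements, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in statements:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed

def can_tamper_with_logs(policies):
    """True if the combined policies let an identity delete audit logs or their bucket."""
    statements = [s for p in policies for s in _as_list(p["Statement"])]
    return any(is_allowed(statements, a, r) for a, r in TAMPER_CHECKS)

# Constructed sample policies: a full administrator, the read-only role for security
# staff described in the post, and an explicit Deny protecting the log bucket.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SECURITY_READONLY = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "cloudtrail:Describe*", "cloudtrail:Get*"],
    "Resource": "*"}]}
PROTECT_LOGS = {"Statement": [{"Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
    "Resource": [LOG_BUCKET, LOG_BUCKET + "/*"]}]}

if __name__ == "__main__":
    print("admin alone can tamper:", can_tamper_with_logs([ADMIN]))                     # True
    print("security read-only can tamper:", can_tamper_with_logs([SECURITY_READONLY]))  # False
    print("admin + log deny can tamper:", can_tamper_with_logs([ADMIN, PROTECT_LOGS]))  # False
```

In practice the Deny belongs in the log bucket's own policy or in a policy the account's administrators cannot edit, since an identity holding iam:* could otherwise detach a Deny attached to itself.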

4. Identity Management

Campus Single Sign On needs are important to consider when deploying accounts. An individual requesting an AWS account will be granted root permission to that account. Best practice is to immediately provision an administrative IAM user and role and stop using the root user, but until that happens the root credentials are a potential vulnerability that can be exploited.

AWS accounts can be configured to use a campus Identity Provider for credentialing and Single Sign On. This does not eliminate the need to manage IAM policies and groups, but it does eliminate the need to provision individual accounts. Instructions on how to integrate a Shibboleth IdP with an AWS account can be found here.

5. Campus Management Style

Likely the biggest consideration in deploying AWS accounts is the structure of your campus IT organization. If campus IT is highly centralized, it is more likely to be able to maintain a disciplined approach to AWS account provisioning and resource management. The application of tags on resources can be enforced by policy, and the organization is likely to have a central planning team for account architecture and design.

In a more decentralized campus IT environment, the staff are likely used to working in a more segmented environment and may be more comfortable with each departmental IT team working in its own AWS account. It is still recommended that each account have visibility and oversight from the campus security office.

There are a number of ways to address the above questions. As a technical compromise, management resources, including DNS and the campus Identity Provider, can be provisioned into a single AWS account. Systems delivering campus-facing functionality that depend on these core services can then be provisioned into their own AWS accounts, or be logically grouped into a small number of accounts.

It is also highly recommended that a campus cloud coordination team be established. Not only will this team be responsible for technical and architectural coordination, it should also provide a venue to communicate and socialize the campus's approach to deploying Amazon Web Services and other cloud technologies.
