
4 Methods of Amazon Web Services Adoption

Aug 09, 2016, by Sara Jeanes
Tags: Amazon Web Services, Frontpage News, Internet2 NET+

After addressing the 5 key considerations for adopting Amazon Web Services, it may be helpful to consider the four deployment methods that have been facilitated for campuses subscribing to NET+ Amazon Web Services by DLT.

  1. Self Service Account Provisioning

    A self-service Portal that is configured to accept credentials from a federated Identity Provider in the InCommon Federation is included when subscribing to NET+ AWS by DLT. Subscribing campuses can use this Portal to selectively grant permission to create a new AWS account or to transfer an existing one. Custom workflows can be used within Grouper or another group manager to apply attributes to faculty and staff accounts, permitting them to request and manage their own AWS account request process. AWS Service Owners can review activity for their own campus through the Portal as well.

    In this scenario, the AWS account acts as a very strong boundary separator. A Purchase Order or Purchase Card can be used to pay for each account. The researcher or principal investigator is able to control the account as they would like. This method is likely to encourage faculty and staff who have existing AWS accounts to transfer them under the NET+ AWS by DLT program.
     
  2. A Limited Number of Accounts

    Some campus subscribers choose to deploy a very limited number of AWS accounts. These institutions tend to already have a very regimented process in place. They take a disciplined approach and architect a small number of accounts to closely mirror their current campus IT infrastructure needs.

    This method typically requires heavy reliance on a number of capabilities offered by Amazon Web Services. Tagging resources is used to track the metadata of the environment. While not every asset can be tagged, the vast majority of items that are billed on an account can have a number of arbitrary tags applied. These should include Owner, Role, Service and Stage (dev/test/prod) at a minimum. Institutions using this method also tend to place their development and test environments in separate accounts, away from their production services. In these accounts, heavy use of policy enforcement, scripted deployments, and defined operational methodologies is a must. Rugged DevOps can be used to codify some of these practices.
     
  3. Business Process Controlled

    This method uses a hybrid of the two above processes to provide a less effort-intensive account provisioning process, while leveraging the expertise already on campus.

    An Amazon Web Services account can be looked at as just another technology resource that can be procured by faculty and staff on campus. Instead of going directly to the Service Provider, the service is selected from a campus Service Catalog. This selection is backed by the campus business process that enforces role requirements, approval workflows, and cost coding depending on the individual’s purchasing authority. It allows the faculty or staff member to use a familiar workflow while still providing organizational oversight and purchasing policy enforcement for the account request.
     
  4. Account Pre-provision

    On some campuses, it is easier to pre-provision resources before making them available to eligible individuals. Campuses can choose to request a number of accounts earmarked for a specific purpose and then provide credentials to designated individuals as need for the account arises. This is especially useful for well-defined research projects. Accounts can be requested and configured by a designated individual from within Campus IT. Once an account is provisioned and configured, it does not incur a cost until there are compute resources deployed within it. The account can then be handed over to the Office of the Vice President for Research for dissemination and can remain idle but ready for use until it is needed.
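The tagging discipline that method 2 depends on only works if someone checks it. The following is an added example written for this article (it is not an Internet2, DLT or AWS tool): a small audit that takes resource tag records shaped like the output of AWS's Resource Groups Tagging API (`ResourceARN` plus a list of `Key`/`Value` tags) and reports every resource missing one of the minimum tags named above, or carrying a Stage value outside dev/test/prod. The sample records, the account id and the ARNs are constructed placeholders; in practice the list would come from a tagging API call made in each account.

```python
"""Audit AWS resource tag records against a minimum required tag set.

Example code added to illustrate the tagging practice described in
method 2; not part of the NET+ AWS by DLT program or any AWS tool.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Minimum tag keys named in the article: Owner, Role, Service, Stage.
REQUIRED_TAG_KEYS = ("Owner", "Role", "Service", "Stage")
# Stage values the article lists. AWS tag values are case-sensitive, and
# cost allocation reports treat "prod" and "Prod" as different values, so
# the check is deliberately strict.
ALLOWED_STAGES = frozenset({"dev", "test", "prod"})


@dataclass
class TagFinding:
    """One non-compliant resource and what is wrong with its tags."""
    arn: str
    missing_keys: List[str]
    invalid_stage: Optional[str]


def audit_resource_tags(resources: Iterable[Dict]) -> List[TagFinding]:
    """Return a finding for every resource whose tags fail the policy.

    `resources` is an iterable of dicts in the shape returned by the
    Resource Groups Tagging API GetResources call:
    {"ResourceARN": "...", "Tags": [{"Key": "...", "Value": "..."}, ...]}
    """
    findings: List[TagFinding] = []
    for res in resources:
        tags = {t["Key"]: t.get("Value", "") for t in res.get("Tags", [])}
        # A key present with an empty value is as useless as a missing key.
        missing = [k for k in REQUIRED_TAG_KEYS
                   if not tags.get(k, "").strip()]
        stage = tags.get("Stage", "").strip()
        invalid_stage = stage if stage and stage not in ALLOWED_STAGES else None
        if missing or invalid_stage:
            findings.append(TagFinding(res["ResourceARN"], missing, invalid_stage))
    return findings


def missing_key_counts(findings: Iterable[TagFinding]) -> Dict[str, int]:
    """Count how often each required key is missing, to see which tag the
    campus process is failing to enforce."""
    counts = {k: 0 for k in REQUIRED_TAG_KEYS}
    for f in findings:
        for k in f.missing_keys:
            counts[k] += 1
    return counts


# Constructed sample records; 123456789012 is a placeholder account id.
SAMPLE_RESOURCES = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0example1",
     "Tags": [{"Key": "Owner", "Value": "jdoe"}, {"Key": "Role", "Value": "web"},
              {"Key": "Service", "Value": "lms"}, {"Key": "Stage", "Value": "prod"}]},
    {"ResourceARN": "arn:aws:s3:::example-research-data-bucket",
     "Tags": [{"Key": "Role", "Value": "storage"}, {"Key": "Service", "Value": "genomics"}]},
    {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:example-db",
     "Tags": [{"Key": "Owner", "Value": "asmith"}, {"Key": "Role", "Value": "db"},
              {"Key": "Service", "Value": "lms"}, {"Key": "Stage", "Value": "Production"}]},
]


if __name__ == "__main__":
    report = audit_resource_tags(SAMPLE_RESOURCES)
    for f in report:
        print(f"{f.arn}: missing={f.missing_keys} invalid_stage={f.invalid_stage}")
    print("missing-key counts:", missing_key_counts(report))
```

Run as-is to see the report for the constructed records; to audit a real account, replace `SAMPLE_RESOURCES` with the `ResourceTagMappingList` entries returned by the tagging API and run the script under each account's credentials, since tags are scoped per account.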

These are a few ways the Internet2 community has chosen to deploy AWS accounts on an enterprise scale with the NET+ AWS by DLT program. If you have other ways you are managing this process on your campus, let me know at sjeanes@internet2.edu, so other community members can learn from you and provide the best fit for their institution.
