AWS accounts used for any Stanford-related work, including both development efforts and deployment of production-ready solutions, must be part of the University IT AWS Organization per Stanford’s minimum security requirements.
If you already have an AWS account for Stanford-related purposes, but it is not part of the UIT AWS Organization, here are the benefits you will enjoy and steps to take to join the university’s enterprise account.
Benefits of the enterprise account
Joining the UIT AWS Organization offers some real benefits while also helping the university secure Stanford data.
- Your account will enjoy immediate cost savings relating to data egress charges and will automatically benefit from any additional negotiated discounts between Stanford and AWS.
- You can use your organization’s PTA for automatic monthly billing by UIT instead of a department Pcard or personal credit card. Note: any remaining credits from the AWS Free Tier will conclude once billing is handled centrally.
- Our university’s enterprise agreement provides improved terms and conditions, including account survivorship in case of department staffing disruptions.
- You’ll find easier integration with campus infrastructure, including directory services that allow you to use your Stanford account and workgroup membership to manage access to the account and its resources.
Joining under the university’s enterprise account will not disrupt your currently deployed cloud technologies, limit your efforts, reduce your level of access, or compromise your privacy.
Steps to join UIT’s AWS Organization
- Submit a request to start the process of joining the UIT AWS Organization. In the ServiceNow form, mention that you’re intending to join the UIT AWS Organization.
- Look for an email invitation to join the UIT AWS Organization. It will come from Amazon using the email address: firstname.lastname@example.org with the subject line “Your AWS account has been invited to join an AWS organization.”
- Log in to your existing AWS account using the same Stanford email address currently associated with your account, which will give you root capabilities.
- Click on the link provided in the email from Amazon, which will open the AWS Organization page in the administrative console.
- Click on the invitation to accept. Your account will now be a part of the UIT AWS Organization.
Note: You will never be asked to disclose any usernames or passwords.
Questions & Answers
- Will there be any interruptions to any deployed solutions? Any reboots or outages?
No, this change primarily affects billing. Joining the UIT AWS Organization will not affect the technologies configured or running in your account. There is no need to schedule downtime or plan for any disruptions; it will happen transparently in the backend.
- Will anyone log into my AWS account? What will they be doing?
Once your account becomes part of the UIT AWS Organization, our cloud operations team will give a cursory review of the deployed technologies through the AWS web administration console to ensure current and future account policies will not conflict with your deployed technologies. For example, if your AWS account uses regions located in a high-risk country, we will need to accommodate this before applying any Stanford-wide policies that prohibit using non-US regions.
- Will anyone log into my servers, databases or review data in any storage buckets?
No, no one will access your systems.
- Why does UIT want standalone accounts to be part of the UIT AWS Organization?
It helps the University aggregate the financial commitments made with the different cloud vendors, helping to influence the total available discount offered to all of Stanford. It also helps automate cloud security by giving visibility into the account configuration to detect and prevent information disclosure.
- What if I’m not really using my AWS account?
Now would be a good time to do some housekeeping. By closing your AWS account, you eliminate the possibility that it gets hacked or exploited; it will also prevent any unwelcome billing surprises and eliminate the risk to the University.
- My AWS account is only to explore Amazon Web Services and learn more about the cloud. Do I still need to join the UIT AWS Organization?
If the account is simply for personal work or professional skills development, we ask that you change the email address of the root account holder to something personal, like an Outlook.com or Gmail address. The root account address is the Stanford email address you used when signing up for AWS. There are instructions to change your email address online.
- Will this affect the terms and conditions of the standalone account?
Yes, when you join the UIT AWS Organization, you will be agreeing to new terms and conditions that are associated with Stanford’s Enterprise Agreement with Amazon Web Services. These are generally more favorable to you and the University.