
Guide to Stanford AWS Setup

Learn how to set up and manage your AWS account

Amazon Web Services (AWS) provides a comprehensive suite of cloud services for Stanford researchers, students, and faculty to build, deploy, and scale applications and infrastructure. This quick start guide covers setting up an AWS account through Cardinal Cloud, accessing support, security and compliance, best practices, and connecting with the Stanford AWS team.

 

Whether you're a student exploring cloud computing for the first time or a seasoned researcher leveraging AWS for cutting-edge projects, this guide will equip you with the knowledge and tools you need to make the most of AWS at Stanford.

Step 1: Compliance

Compliance requirements vary based on the types of data you will be using or storing in your AWS account.

AWS is suitable for Low, Moderate, and High Risk Data, and all AWS service offerings are available for use. AWS provides native security products and capabilities that help you secure your network, infrastructure, endpoints, and data stored in AWS.

AWS is authorized for use with High Risk Data and Protected Health Information (PHI) ONLY when the AWS account is compliant with Stanford's Minimum Security Standards and Administrative Guide, as well as other regulatory requirements.

If you are using High Risk Data or PHI, you must complete a Data Risk Assessment (DRA) if the datasets are new. For existing accounts where data is being moved to AWS, a DRA is not needed. Additionally, for all accounts, one of the following groups must manage your account:

From within AWS's Compliance Center, you can easily find cloud services that are HIPAA-Compliant, as well as guidelines on how to protect your PHI data in the cloud.

Step 2: Approval

Before placing your request for a new AWS account, you must obtain authorization from a valid approver for each Stanford Project-Task-Award (PTA) you plan to use.

Check valid approvers for the PTA you plan to use before submitting your request. The approver you select will be required to confirm their approval once the request is submitted.

PTA approvers must agree to accept all charges incurred until one of the following occurs:

  • The PTA approver terminates approval.
  • The service is canceled.
  • The PTA is removed from the service.

Step 3: Submit

Set up your new AWS account with the account creation request form. Account provisioning typically takes one to two business days after you submit the form.

Step 1: Access

Once your AWS account is created, you will receive a confirmation email. The email also provides you with a login link that takes you to your new AWS account using single sign-on (SSO).

Step 2: Configuration

Access to your AWS account is managed through Stanford workgroups. When your AWS account is created, three Stanford workgroups are automatically generated. The contacts you entered on the request form are automatically added to these workgroups. AWS Identity and Access Management (IAM) roles are assigned based on Stanford workgroup membership.

The following describes the roles and workgroups created from the ServiceNow form input:

AWS IAM Roles

  1. Admin – Allows all actions for all services. Assigned to the primary technical contact and alternate technical contact.
  2. Billing – Provides permissions for billing services. Assigned to the account owner and primary billing contact.
  3. Operations – Provides Power User access. Assigned to the requester, account owner, primary technical contact, and alternate technical contact.

Stanford Workgroups

  1. <YourAcctNo>-admin – Viewable only by System Administrators. Nesting is not allowed. Membership list is viewable by administrators only.
  2. <YourAcctNo>-billing – Viewable only by System Administrators. Nesting is not allowed. Membership list is viewable by administrators only.
  3. <YourAcctNo>-operations – Viewable by the primary and technical contacts. Nesting is allowed. Membership list is viewable by any user.

You may add or remove members from the operations workgroup as needed. To change membership in the admin or billing workgroups, submit a Help ticket and specify the members you want to add or remove.

Step 3: Build

To begin building in your AWS account, see the full list of services. If you have any questions about these tools or would like to see sample solutions, reach out to the AWS account team on Slack at stanfordcop.slack.com in the #aws-at-stanford channel.

Cost

In AWS, you only pay for what you use.

First, determine how you plan to run your application in the cloud, then use the AWS In-Console Pricing Calculator to estimate costs. The university discount negotiated between AWS and Stanford is applied in the calculator.

If you have questions about architecting in AWS or estimating costs for your workloads, contact the AWS account team for assistance via the Slack channel #aws-at-stanford.

Billing

You can view usage information in the AWS Console under the Billing section.

To view previous charges posted to your PTA(s), use the UIT Billing Dashboard. For questions, contact the UIT Service Systems & Solutions team.

Account owners, financial contacts, and PTA approvers should regularly monitor cloud account usage. Cloud accounts that have been inactive for at least six months (i.e., “forgotten accounts”) are not eligible for refunds.

Training

I currently have an AWS account running outside of the Stanford Organization. How do I leverage the special discount AWS offered to Stanford and what else do I get?

Submit a ticket to Hosting Services for migration instructions. You will also get discounted pricing on AWS services, refunds for most or all of your data network egress charges, centralized billing through your organization's PTA, improved terms and conditions, seamless integration with Stanford's infrastructure and directory services, enhanced data security and compliance measures, and optional Enterprise Support for critical workloads.

What are Stanford’s AWS Security and Management Controls?

Stanford currently uses Wiz as its main cloud security tool. The security configurations applied to each AWS account are also published and listed here.

Is there a way to extend private Stanford IP addresses to AWS?

Yes. See https://uit.stanford.edu/service/cloud-gateway to request the service.