Guide to Stanford AWS Setup
Learn how to set up and manage your AWS account
Before you set up an AWS Account
Review these considerations before you set up an AWS account:
- Learn about AWS costs. Costs can accrue quickly in an AWS account. If you are new to AWS, you may want to use the AWS Pricing Calculator to learn about cost before you submit your request and start to use your new account.
- Decide how to manage your AWS account. You can choose to manage the AWS account yourself or, if you have a support agreement with another group, you can have that group manage the account in AWS. Choose the appropriate options on the request form for either scenario.
- Learn how AWS accounts are named. A naming convention is followed for AWS account names. The request form will automatically present a prefix for your account and you can choose the remainder of the account name.
- Plan for AWS compliance requirements. AWS compliance requirements vary based on the types of data you will be using or storing in your account. AWS is authorized for use with High Risk Data ONLY when the AWS account is in compliance with the Minimum Security Standards for Infrastructure-as-a-Service (IaaS) and Containerized Solutions, the Administrative Guide Section 6.3.1: Information Security, and other regulatory requirements. If you are using High Risk Data with AWS, you must complete a Data Risk Assessment.
How your new AWS account is configured
Access to your AWS account is managed via Stanford workgroups. When your AWS account is created, three Stanford workgroups are automatically created. Contacts you entered on the request form are automatically added to those workgroups.
AWS Identity and Access Management (IAM) roles are granted based on the Stanford workgroup membership. The following chart shows who is assigned to each workgroup.
| AWS IAM Role | AWS IAM Role Description | Stanford Workgroup | Requester | Account Owner | Primary Technical Contact | Alternate Technical Contact | Primary Billing Contact |
|---|---|---|---|---|---|---|---|
| admin | Allows all actions for all AWS services and for all resources in the account | AcctNo-admin | |||||
| billing | Allows full permissions for managing billing, costs, payment methods, budgets, and reports | AcctNo-billing | |||||
| operations | Power User access | AcctNo-operations |
The Stanford workgroups are created with these parameters:
| Stanford Workgroup | Stanford Workgroup Admin | Nesting allowed | Member List viewable by |
|---|---|---|---|
| <YourAcctNo>-admin | Only System Admin | No | Admins only |
| <YourAcctNo>-billing | Only System Admin | No | Admins only |
| <YourAcctNo>-operations | Primary Technical Contact Alternate Technical Contact |
Yes | Any user |
You can add and delete members of the operations workgroup as you see fit. If you need to change the membership of the admin or billing workgroups, submit a Help ticket and list the members you want to add or remove.
How to secure data in your AWS account
You must adhere to the Minimum Security Standards for Infrastructure-as-a-Service (IaaS) and Containerized Solutions and the Administrative Guide Section 6.3.1: Information Security for all data used or stored in your AWS account.
AWS is suitable for Low, Moderate and High Risk Data and all AWS service offerings are available for use.
AWS is authorized for use with High Risk Data ONLY when the AWS account is in compliance with the Minimum Security Standards and any other regulatory requirements and a Data Risk Assessment is completed.
How to access your AWS account
You can access your account by going to awsconsole.stanford.edu
How AWS accounts are billed
Before you place your request for a new AWS account, you MUST obtain authorization from a valid approver for each Stanford Project-Task-Award (PTA) you plan to use.
While we will not hold the provisioning of the account for PTA approval, the approver you select will be required to confirm their approval once the request is submitted. The PTA approver(s) must agree to accept all charges incurred until such time as the PTA approver terminates approval, the service has been cancelled, or the PTA has been removed from the service.
Check valid approvers for a PTA you are planning to use prior to submitting your request.
Once your AWS account is created and in use, you can view usage information on the AWS Management Console in the Billing area (see below).
If you want to view billing information for past months that have already been charged to PTA(s), you can use the UIT Billing Dashboard. If you need help you can reach out to the UIT Revenue Operations team.
- Understanding Your Cloud Bill
- Stanford clients of AWS accounts, GCP projects,and Azure Cloud Services can expect to see a chargeback from UIT to their PTA afer 2 months of their initial cloud usage charge.
- Month A - Cloud provider charges for your usage. (Every 30-31 days)
- Month B - UIT receives invoice for Month A, and pays on your behalf.
- Month C - UIT issues a chargeback to your PTA for Month A invoice. (1st of each month)
- Tips for avoiding surprise charges
- Understand your cloud provider charges
- Charge amounts are pay as you go
- View AWS pricing calculator >> https://calculator.aws/#/
- View GCP pricing calculator >> https://cloud.google.com/products/calculator
- Check your billing console regularly
- Avoid overdraft of PTA by checking your usage and charge balance.
- Access your AWS Console >> https://awsconsole.stanford.edu/
- Access your Google Console >> https://console.cloud.google.com/
Click image to enlarge
How to learn more about AWS accounts
UIT Technology Training offers multiple online training solutions to learn about specific cloud computing environments, such as Cloud Academy and LinkedIn Learning. Cloud Academy requires the purchase of a monthly or annual license, and LinkedIn Learning is free for anyone with a full-service SUNet ID.
Cloud Providers (AWS, GCP) also offer training, both free and for a fee.
