AWS NetID Authentication


Setup

iSchool IT can set up NetID authentication for UW AWS accounts. The process requires an AWS account number, so new AWS accounts will have to be created first:

  1. Once the AWS account # is created, iSchool IT sends a request for UW-IT to create a ‘stem’ in the UW groups service.
  2. iSchool IT uses the AWS group stem to create one or more ‘role-based’ groups and corresponding roles (with matching names) in AWS IAM.
    1. iSchool IT always creates an ‘admin’ role group that contains the project admins and iSchool IT, and allows these members to have full rights on the AWS account. This group also doubles as an email list for AWS communications.
    2. Project ‘owners’ (e.g. faculty associated with the AWS account) are also added as ‘member managers’ of the UW groups. This allows the project owners to directly add/remove members from the access role groups for the AWS account.
    3. Other roles that only grant selective access (e.g. “ProjectA-viewer”) can also be created based on specifications from the AWS project admins.

If you need to create or remove roles after the initial setup, or transfer ownership of an AWS account, please send an email to ihelp@uw.edu

Usage

Login

Once the UW groups are set up, users should use this AWS NetID login link: https://idp.u.washington.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices

  • If a user is a member of more than one AWS group in the UW groups service, the UW authentication server will display a menu of the available AWS accounts/roles that the user can log in to.

Adding / Removing Users

AWS project owners can add/remove users from the UW groups that represent the access roles for their AWS account(s).

To find AWS groups associated with your NetID, log in to your UW groups listing and use your browser’s search function (CTRL+F in Chrome) to find the phrase “u_weblogin_aws”… You can also use the UW groups search function and type your own NetID into the “Find Administrators” section:

Any AWS role-based access groups in the results will be listed in the following format: “u_weblogin_aws_AWSACCT###_AWSAccountName-RoleName”. Example:

  • u_weblogin_aws_1234567890_awsawsomeproject-admins

To verify who can modify the membership, click on the link below the group name and look near the bottom of the “General Information” page for “Member managers.”

Anyone listed in the “Member managers” section may add/remove users by selecting the ‘membership’ link near the top and entering one or more NetIDs in the Add or Remove boxes:

AWS Account Setup or Transfer

This process applies to new AWS account setup or the transfer of an existing AWS account for use on iSchool research or projects. In other words, if the iSchool is involved in paying the bill, you need to use this process for setup of AWS resources.

To get started, send a request to ihelp@uw.edu. iSchool IT staff will need to coordinate with you to complete the transfer process. It may help to review the role responsibilities listed in the AWS overview to better understand how each party is involved. Below are the steps that iSchool IT will work through with you to complete the AWS setup/transfer process:

Step 1: Obtaining a BPO (linked to the correct budget) is a necessary prerequisite. This is done by the finance specialist assigned to the project budget. Further info for the BPO requestor: https://itconnect.uw.edu/wp-content/uploads/2016/02/AWS-BPO-How-to-V1.pdf

Step 2a: The requestor must provide iSchool IT info about the AWS account:

  • Will this be a “STRIDES Workload Application?” (more info)
  • Will this account contain HIPAA data?
  • Will this account be used as ‘dev/test’ or ‘production’ environment?
  • What is the anticipated use case?
  • Will additional selective-access roles (e.g. ‘database-reader’) be needed for individuals/groups?
    • If so, describe the required roles, and who will be assigned to them…
  • What is the BPO#?
  • What is the anticipated monthly budget for this account (rough approximation in $)?
  • Do you want DLT’s business support? (adds 10% surcharge on usage, on a monthly basis)
  • Department and project name?
  • Preferred name for AWS account?
    • We recommend that names be chosen based on the funding source/department, rather than the intended use
  • Lead contact info: the project owner’s name, email, phone#.
  • Purchasing officer contact info: the name, email, phone# of whomever arranged the BPO.

Step 2b: When transferring an existing AWS account, the requestor must share the AWS root login credentials with iSchool IT. The iSchool IT staff can suggest safe means to share account login details. Do not share sensitive info via email!

Step 2c: For existing accounts, iSchool IT will create a request with UW-IT to enable SSO. For new accounts, this has to wait until the AWS account # is created (Step 4).

Step 3: iSchool IT will submit a transfer/new account request to DLT on the user’s behalf and assist with answering any questions that come up. DLT’s account setup/transfer process usually takes a couple weeks, but may take longer if there are complicating factors. At the completion of their process, DLT will provide account setup links for https://app-us.cloudcheckr.com, which is a convenient alternative management console for AWS resources.

Step 4: AWS UW NetID SSO setup – iSchool IT will request an AWS account stem in UW groups, and create a UW group that can be used for admin logins and double as the root email address for the AWS account. This ensures that notifications related to the AWS account are forwarded to all ‘admins’ on the account. iSchool IT will also create any additional ‘selective-access’ groups that are required. The “lead contact/account owner” designated during the setup process will be granted the right to add/remove members from these groups directly to minimize administrative difficulties.

Step 5: iSchool IT will create a corresponding ‘Admin’ role in the AWS account, which allows the project admins full access to the AWS account using their NetID. If additional ‘selective access’ roles were requested, iSchool IT will create those as well.

At this point, the standard AWS setup is complete and ready to use…
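The following is an added example, not code from iSchool IT or UW-IT, that ties together the group naming convention described under “Adding / Removing Users” (“u_weblogin_aws_AWSACCT###_AWSAccountName-RoleName”) and the IAM role creation in Step 5. It parses a NetID’s group list into account number, account name and role name, derives the IAM role ARN and the value the IdP would send in the AWS SAML Role attribute, and emits the trust policy a SAML-federated role needs. Assumptions not stated on the page: the IAM role name equals the RoleName suffix of the group (the page only says the names “match”), the role name is the part after the last hyphen (so account names may contain hyphens), and the SAML provider ARN is a placeholder; the group list is constructed sample data.

```python
import json
import re
from dataclasses import dataclass

GROUP_PREFIX = "u_weblogin_aws_"

# Documented pattern: u_weblogin_aws_<account#>_<AccountName>-<RoleName>.
# Assumption: RoleName is everything after the LAST hyphen, so the account
# name may itself contain hyphens. The account number must be all digits.
_GROUP_RE = re.compile(r"^u_weblogin_aws_(?P<account>\d+)_(?P<name>.+)-(?P<role>[^-]+)$")

# Placeholder: the real SAML provider ARN is created per AWS account by iSchool IT.
SAML_PROVIDER_ARN = "arn:aws:iam::1234567890:saml-provider/UW-NetID-PLACEHOLDER"


@dataclass(frozen=True)
class AwsAccessGroup:
    account_id: str
    account_name: str
    role_name: str

    @property
    def role_arn(self) -> str:
        # Assumption: IAM role name == RoleName suffix of the UW group.
        return f"arn:aws:iam::{self.account_id}:role/{self.role_name}"


def parse_group(group: str) -> AwsAccessGroup:
    """Split one UW AWS access group name into its three documented parts."""
    m = _GROUP_RE.match(group)
    if not m:
        raise ValueError(f"not a UW AWS access group: {group!r}")
    return AwsAccessGroup(m["account"], m["name"], m["role"])


def find_aws_groups(groups):
    """Same filtering the page suggests doing with CTRL+F on the prefix."""
    return [parse_group(g) for g in groups if g.startswith(GROUP_PREFIX)]


def saml_role_attribute(group: AwsAccessGroup, provider_arn: str) -> str:
    """Value AWS expects in https://aws.amazon.com/SAML/Attributes/Role:
    '<role ARN>,<SAML provider ARN>'. One value per role gives the role menu
    the page describes for users in several AWS groups."""
    return f"{group.role_arn},{provider_arn}"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role that may only be assumed via SAML federation
    from the named provider, with the audience pinned to the AWS sign-in SP."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}
            },
        }],
    }


# Constructed sample of what a NetID's group listing might contain.
SAMPLE_GROUPS = [
    "u_ischool_staff",                                   # unrelated group, skipped
    "u_weblogin_aws_1234567890_awsawsomeproject-admins", # the page's own example
    "u_weblogin_aws_1234567890_project-a-viewer",        # hyphenated account name
]

if __name__ == "__main__":
    for g in find_aws_groups(SAMPLE_GROUPS):
        print(g.account_name, "->", saml_role_attribute(g, SAML_PROVIDER_ARN))
    print(json.dumps(saml_trust_policy(SAML_PROVIDER_ARN), indent=2))
```

Running it lists the two AWS groups with their role ARNs and prints the trust policy; a group name whose account segment is not numeric, or that has no hyphen before the role name, raises ValueError rather than producing a malformed ARN.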

AWS Overview

At the iSchool, any AWS accounts that are paid from funds (grant or otherwise) managed by the iSchool should be created/converted to UW AWS accounts. This allows the iSchool to utilize payment via BPO, and adds other savings and features detailed in the linked service description. All UW AWS accounts are set up via a 3rd party company called DLT.

Role responsibilities:

AWS account owner/operator:

  • Oversee AWS account budget & actual costs
  • Ensure use of AWS resources in accordance with project purposes
  • Responsible for security of all data and AWS resource configuration
  • Manage project member access to AWS account resources (add/remove as needed)

iSchool IT:

  • Facilitate new AWS account setup and existing account transfers to DLT
  • Establish iSchool AWS ‘best practices’ and process documentation
  • Configure UW accounts/groups to ensure consistent AWS notifications/administration
  • Configure UW NetID logins and access management groups for AWS accounts

DLT:

  • Creates AWS accounts under their ‘management account’
  • Acts as primary contacts on AWS accounts (if AWS tries to contact the account holder).
  • Offers management interface

UW-IT:

  • Defines the service requirements with AWS for UW accounts
  • Maintains the contract with DLT
  • Approves individuals to request an AWS account via DLT