Welcome to the NET+ Amazon Web Services (AWS) wiki.
Many Internet2 member institutions take advantage of this service offering. If your institution is one of them, this wiki will provide details on how to make the most of your participation in the program and interact with peers across Internet2 member institutions.
This program is open to all Internet2 higher education, affiliate and federal affiliate members as well as non-member higher education institutions. If you are looking for details on how to join the program, please visit the Sign Up Tab of the NET+ AWS webpage.
You can also find out more about the Internet2 Cloud Connect offering for AWS Direct Connect.
Service Documentation and Resources
- NET+ AWS Portal Identity Guidance - for end user self-service AWS account requests
- InCommon-enabled Group to role mapping for AWS Accounts
- Cloud Controls Matrix - please email firstname.lastname@example.org
- Higher Education Cloud Vendor Assessment Tool (HECVAT) - pending
Contract and Pricing:
- NET+ AWS Enterprise Customer Agreement - please email email@example.com
- NET+ Infrastructure and Platform Services (IPS) Program Participation Agreement and Schedule - prerequisite for subscribing to NET+ AWS
Participate in our Online Community (Subscribers Only):
Institutions participating in the NET+ AWS program may take advantage of our email discussion list and Slack channel to receive curated program updates and participate in other activities and events. Please contact firstname.lastname@example.org to be added.
Join the AWS Community Forum (Open to all community members):
Users of AWS are encouraged to join the AWS Community Channel in the Educause Cloud Community Group Slack. See the Higher Ed Cloud Community Conversation and Additional Resources page on the Cloud Wiki for instructions to join.
Collaborate on the Cloud Wiki:
Speaking of community, did you know about the Cloud Wiki? This was created specifically for YOU, members of the higher education community to collaborate with each other. Log in to see a Cloud Job descriptions page and contribute your knowledge!
Looking to share your latest Terraform config? Add it to the Cloud Wiki Helpful GitHub Repos list or email email@example.com to request access and create a repo in the Community Cloud Config GitHub organization.
Questions on Billing, AWS Orgs, or CloudCheckr:
Find answers to frequently asked questions in these Knowledge Base articles.
- Organizations - Customer On-boarding and Management
- DLT Secure Handling Of AWS Accounts And Organizations
New accounts created through Organizations do not include Support by default. To change this to DLT Business Support, follow the instructions in How To - Change AWS Support Option.
- AWS Control Tower
To prevent DLT from receiving 1000 credit memos for the Data Egress Fee Waiver (DEFW) payer, the discount is built into the utilization invoice. For universities that have their own payers, AWS bills utilization at MSRP and then issues credit memos for DEFW, which are shown on the face of the invoice submitted to the customer. The credit does not appear on the backup file, but it does appear in CloudCheckr.
Key Program Updates
Subscribers may review our mailing list archives for monthly program and AWS updates.
Here are some recent items that community members have shared for using AWS in their higher ed environments:
Shelley Rossell from the University of Chicago shares this useful document on Managing GuardDuty accounts with AWS Organizations. You can use this to name a GuardDuty master account for the organization; other accounts in the organization can then be viewed and added as GuardDuty member accounts.
Shelley also shares a document from Amazon on how to use AWS SSO for easy authentication to the AWS CLI, which means that individual CLI users don't have to separately manage keys for access.
Aaron Hunnewell from the University of Virginia notes that he found this recent post on How to Manage AWS SSO Account Assignments in CloudFormation to be useful.
And Nathan Dors from the University of Washington has pointed us to this very useful example of how the UW is allowing AWS users to link Grouper groups to AWS roles.
Thanks to all who led the training, and special thanks to Danyell Wilt and the entire AWS team for providing great content and support for answering all the questions.
The video of the session is available at:
Here are Danyell's slides:
And here are Sara Jeanes' slides:
The Q&A from the session is here:
Peter Traub, Sr Cloud Infrastructure Engineer at University of Virginia has put together a great guide to adopting AWS Control Tower. His guide is now hosted on the NET+ AWS service page - AWS Control Tower Adoption Strategies.
Since last Spring, subscribers to NET+ AWS have had access to AWS Organizations, which provides a management framework for AWS accounts and permits administrators to apply service control policies to the various Organizational Units (OUs) within their Organization.
Late last Summer, AWS announced Control Tower, a native way to deploy accounts and enforce Guardrails following AWS patterns. This functionality was limited to deployment in a completely separate Organization, but in coordination with a small team of schools, DLT and Internet2 devised a way to deploy Control Tower. These canary schools reported back that, while Control Tower could be run, most should hold off until Control Tower could run natively in existing AWS Organizations. Today is that day.
Last night, AWS announced that Control Tower can now be run in existing AWS Organizations! While the participating schools are still testing the functionality, it does appear Control Tower can be deployed within the OU of an existing Organization. The AWS team posted a blog post with additional details here: https://aws.amazon.com/blogs/field-notes/enroll-existing-aws-accounts-into-aws-control-tower/. If you are a NET+ AWS school that has deployed an AWS Organization, you should be able to test out the functionality today. We highly encourage you to attend the bi-weekly AWS Orgs and Control Tower call to trade notes with your colleagues and share the pitfalls. We have also, on more than one occasion, found a bug that collided with common higher ed deployment patterns and needed to be reported back to AWS Engineering.
If you would like to attend the call, or request an AWS Organization for your university, please reach out!
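The update above mentions applying service control policies (SCPs) to OUs, and the GuardDuty item earlier on this page depends on member accounts not being able to undo the organization-level GuardDuty setup. The following Python is an added illustration, not code from the NET+ AWS program, DLT or AWS: it models, in simplified form, how SCPs attached at the root, an OU and an account combine for a single member account (an action must be allowed at every level, and an explicit Deny at any level wins). The OU layout, account IDs and the `ProtectGuardDuty` policy are constructed for the example; the evaluator ignores `NotAction`, resource-level matching and `Condition` blocks, and, as in AWS, SCPs never grant permissions on their own, so IAM policies in the account still apply.

```python
"""Simplified model of AWS Organizations SCP inheritance for one member account.

Added illustration only. Real SCP evaluation also handles NotAction,
Resource and Condition elements, and the management account is exempt
from SCPs entirely; neither is modelled here.
"""
import fnmatch

# Constructed OU layout: account ID -> path from the root down to the account.
ORG_PATHS = {
    "111111111111": ["Root", "Workloads", "111111111111"],
    "222222222222": ["Root", "Security", "222222222222"],
}

# The policy AWS attaches to every node by default when SCPs are enabled.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed SCPs keyed by the node they are attached to. "ProtectGuardDuty"
# is an assumed guardrail for workload OUs: it keeps member accounts from
# deleting or reconfiguring their GuardDuty detector or leaving the
# organization-level GuardDuty administrator.
SCPS = {
    "Root": [FULL_AWS_ACCESS],
    "Workloads": [
        FULL_AWS_ACCESS,
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "ProtectGuardDuty",
                    "Effect": "Deny",
                    "Action": [
                        "guardduty:DeleteDetector",
                        "guardduty:UpdateDetector",
                        "guardduty:DisassociateFromMasterAccount",
                        "guardduty:DisassociateFromAdministratorAccount",
                    ],
                    "Resource": "*",
                }
            ],
        },
    ],
}


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def node_allows(node, action):
    """Evaluate all SCPs attached at one node.

    An explicit Deny in any attached policy blocks the action; otherwise at
    least one attached policy must Allow it. A node with nothing attached
    is treated as carrying the default FullAWSAccess policy.
    """
    allowed = False
    for policy in SCPS.get(node) or [FULL_AWS_ACCESS]:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(_action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def scp_permits(account_id, action):
    """An action survives SCPs only if every node on the path allows it."""
    return all(node_allows(node, action) for node in ORG_PATHS[account_id])


def blocking_node(account_id, action):
    """Return the first node (root -> account) whose SCPs block the action,
    or None when SCPs would let it through. Useful when diagnosing an
    AccessDenied that IAM alone does not explain."""
    for node in ORG_PATHS[account_id]:
        if not node_allows(node, action):
            return node
    return None


if __name__ == "__main__":
    for acct, action in [
        ("111111111111", "guardduty:DeleteDetector"),
        ("111111111111", "guardduty:ListDetectors"),
        ("222222222222", "guardduty:DeleteDetector"),
    ]:
        print(acct, action, "permitted" if scp_permits(acct, action)
              else f"blocked at {blocking_node(acct, action)}")
```

Running the script shows the workload account blocked at the `Workloads` OU for the destructive GuardDuty calls while read-only calls and the Security OU account are untouched. When deploying a guardrail like this through Control Tower or Organizations, keep the FullAWSAccess policy attached alongside the Deny policy (or replace it deliberately), since detaching it without an explicit Allow cuts off every action at that OU.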
The NET+ AWS Advisory Board, DLT, and Internet2 have worked over the last few months to update the subscriber Enterprise Customer Agreement (ECA). The ECA was last updated in 2017 to include a Business Associates Agreement (BAA) in the program.
With this update now available, subscribers can access professional services from any participating Partner in the AWS Partner Network. To minimize the hurdles of engaging a Partner, these services can be accessed directly via Statements of Work delivered by DLT under this Agreement. Additionally, the BAA now includes a direct link to all HIPAA-eligible services and no longer restricts HIPAA workloads to dedicated instances. To make use of these new features, subscribers will need to execute a new ECA. Please email firstname.lastname@example.org to get that process started.
We welcome you to join us on biweekly community calls. Our Wednesday morning call focuses on the technology and tactics of running AWS at scale. Our Thursday call deep-dives into the technical particulars of Organizations and Control Tower.
Reach out to email@example.com to be added to the invites.
The following topics are planned for the Wednesday Technology and Tactics call:
- 3/25 - A review of IPv6 on AWS
- 4/8 - A facilitated conversation on AWS Educate
Hope you can join us!
The great thing about AWS re:Invent is that all the sessions get posted to YouTube 48 hours after they happen. These two sessions are especially relevant to NET+ AWS subscribers. Thanks to Mark Larsen for flagging these.
Architecting security & governance across your landing zone (SEC325-R2) (aka AWS Orgs OU configuration recommendations)
Feel free to post additional session videos in the comments below.
NET+ AWS Service Advisory Board (SAB) Membership
- Gerard Shockley, Boston University, Chair
- Cornelia Bailey, University of Chicago
- Asbed Bedrossian, Emeritus
- Damian Doyle, University of Maryland Baltimore County
- Bob Flynn, Indiana University
- Jeff Gumpf, Case Western Reserve University
- Jim Jokl, University of Virginia
- Scott Kirner, University of Notre Dame
- David Lacey, J. Paul Getty Trust
- Chris Manly, Cornell University
- Rick Rhoades, Penn State University
- Jeff Schneider, College of the Ozarks
To Contact the Service Advisory Board
NET+ AWS Advisory Board Goals
- Internet2 NET+ Service Management firstname.lastname@example.org
- DLT Customer Team email@example.com
- DLT Ops Team
- Internet2 Program Manager: Oren Sreebny
Send Feedback or Submit a Feature Request:
The NET+ AWS program is managed by an Internet2 program manager with the support of the NET+ AWS Service Advisory Board.
The NET+ AWS Service Advisory Board reviews and prioritizes community feature requests on a periodic basis. Feature requests may be submitted to firstname.lastname@example.org.