If you missed our February NET+ AWS Tech Share, you missed a fascinating look at how institutions are reimagining their cloud strategies in response to shifting research demands and budget realities. From Penn State's innovative platform approach to UMBC's compliance-focused landing zone implementation, the discussion revealed practical solutions that could transform how your institution delivers cloud services.

Beyond Account Provisioning: The Platform Evolution

The conversation quickly turned to a compelling vision shared by Penn State in response to their campus consolidation initiative. Rather than continuing with traditional account brokerage, they're developing a comprehensive platform-as-a-service (PaaS) approach specifically designed for research workloads.

"What does the cloud team become?" emerged as a central question as Penn State outlined their strategy to provide pre-configured environments with standardized guardrails that researchers can use immediately—without needing cloud expertise. Their approach includes:

  • Developing Terraform scripts that create account foundations with pre-configured endpoints
  • Focusing on specific high-value services like EC2, EMR for data processing, and AI services like Bedrock and SageMaker
  • Moving from account administrators to platform architects and research enablers

This evolution represents a significant shift in how central IT delivers value to researchers. By handling infrastructure complexity behind the scenes, Penn State is creating an environment where researchers can focus on their work rather than cloud management.

Balancing Compliance and Innovation in Healthcare Research

UMBC shared their journey implementing the AWS Landing Zone Accelerator (LZA) specifically for HIPAA compliance, with HITRUST certification on the horizon. Their architecture offers valuable insights for institutions balancing strict compliance requirements with research agility:

  • Using a separate Master Payer account dedicated to healthcare workloads
  • Designing environments specifically for lift-and-shift migrations
  • Exploring Kion integration for enhanced governance

The discussion highlighted how the monthly LZA Community of Practice calls have become an essential resource for institutions navigating similar compliance challenges. These sessions bring together practitioners solving real-world problems with AWS architects offering implementation guidance.

Student Empowerment: Cloud Access in the Classroom

Two contrasting approaches to student cloud access emerged during the discussion. UVA's data science school is pioneering a service catalog approach that provides students with controlled yet powerful AWS environments, including access to trn1.2xlarge instances for AI model training.

This contrasts with William & Mary's Kubernetes-based JupyterHub implementation, which offers simplified access for anyone with a W&M email address without requiring individual AWS accounts. Both examples demonstrate how institutions are creating purpose-built educational environments that balance security with accessibility.

What made these examples particularly valuable was hearing the practical implementation details directly from the teams involved—insights you can only get from peer institutions tackling similar challenges.

Practical Root Access Management Strategies

The session revealed diverse approaches to a critical operational challenge: managing root access to AWS accounts. From Penn State's targeted use cases to UVA's Control Tower implementation that eliminates password-based root access entirely, the community shared battle-tested strategies for balancing security with operational needs.

Several participants highlighted AWS's new capability to close accounts centrally without root credentials—a significant operational improvement that many weren't aware of before the discussion. These practical insights show how the community develops governance frameworks that balance security with operational efficiency.

What's Next: Learning Opportunities and Events

The AWS community calendar is packed with opportunities to continue these conversations:

For those looking to build cloud skills, the CICP CLASS Voucher Program offers specialized training including AWS Security in the Cloud, Solutions Architect Associate Certification, and Container Orchestration for Research Workflows.

March is Tech Jam month—a perfect opportunity to bring your specific cloud challenges and work through them with peers and AWS experts. These collaborative working sessions provide immediate, hands-on help with your most pressing implementation questions.

Join the Conversation

As higher education continues to face budget constraints while research demands grow more complex, these community conversations become increasingly valuable. The practical insights shared during this session—from platform architecture to compliance strategies—represent knowledge that would take months to develop independently.

NET+ AWS Tech Shares take place every other week. The next Tech Share promises to continue exploring these themes with practical demonstrations and real-world examples. Will your institution be represented in the discussion, or at least be there to listen in?

Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.