The HUIT standard for the design and management of AWS accounts to control for the lack of accountability and reduction in economies of scale that can take place in a large and decentralized institution.
aws_account_management_1.0.pdf | 274 KB |
| Authors | |
|---|---|
| Version | 1.0 |
| Last Revised | 30-Jul-2020 |
| Status | Published |
| Document Type | Single Topic Guidance |
| Audience Level | |
Effective management of cloud-based IT infrastructure and costs in a large research university with a decentralized culture requires local control and decision making. However, without adequate visibility and control mechanisms at the university level, decentralized IT procurement and management can lead to a lack of accountability and lower economies of scale.
AWS account management and billing is fairly centralized within Harvard, but not completely so. The centralized approach has significant benefits to both HUIT and the University, but additional local account management capability would allow School partners to better manage their AWS costs and security requirements. A number of Schools have requested access to the AWS Organizations service in order to improve local account management.
1. Move to the limited multi-payer design that is necessary to use the AWS Organizations service, in order to support HUIT partner and Cloud Shield 2.0 requirements.
2. Document a process for creating a limited number of additional self-service AWS ‘payer’ accounts that includes approval criteria and specific mitigations to protect University enterprise level interests.
3. Require the use of HUIT centralized billing for all Harvard AWS services.
4. Define and adopt security policies and practices related to payer accounts and the use of AWS Organizations to further enhance cloud security.
The design of the AWS payers model has several considerations, detailed below.
HUIT currently has a very limited number of AWS payers¹, with most accounts under the HUIT Payer and the General Payer.
The use of a predominantly single payer approach has the following benefits:
The disadvantage of this centralized single payer approach is that it limits the ability of local Harvard IT organizations to manage their own AWS accounts. Specifically, it prevents them from using the policy and account management tools available through the AWS Organizations service, and other associated technologies such as AWS Control Tower. This is because the root or top level in an Organization must be a payer account and there is no mechanism for the delegation of important administrative functions to sub-organizational units.
The use of multiple AWS payer accounts would support a more distributed management and control model. Using a dedicated payer account, various Harvard organizations would have greater control over local linked accounts and would be able to take advantage of the policy and account management tools available through the AWS Organizations service.
The drawbacks of a multi-payer model include:
HUIT partners would like to have local ability to:
Amazon now offers AWS Organizations, an account management service that enables the consolidation of multiple AWS accounts into centrally managed groups. AWS Organizations includes account management and consolidated billing capabilities to support budgetary, security, and compliance requirements.
The use of the AWS Organizations service would support the key requirement of creating and managing OUs³ but would also require a shift from a primarily single payer strategy to a multi-payer strategy to support the creation of root level organizational structures for Partner organizations.
Centralized billing is important for the following reasons:
Any solution must meet the following criteria:
A limited multi-payer model, using AWS Organizations and specific mitigation policies, represents a balanced and effective approach and can meet the above criteria. Because the creation of additional payers results in added costs and complexity, the number of additional payer accounts should be limited and each addition should be carefully evaluated to balance costs and benefits.
The following specific policies should be implemented with a limited multi-payer model:
Visibility:
Billing:
Security:
Operations & Administration:
HUIT will continue to be the focal point for account, payer, and organization relationships with AWS. Over time, constructs such as AWS accounts, GL codes, and organizations will need to keep abreast of changes in technologies and usage.
The Cloud Community of Practice (Cloud CoP) and the Architecture Review Group (ARG) are venues for discussion and consideration for potential new Payers.
Schools, other organizations, and HUIT will use existing communications channels to convey issues, constraints, and new requirements. As necessary, unresolved issues can be presented to existing forums such as the CIO Council.
1. Two groups, HBP and DCE, have existing Payers that pre-date the creation of the current structure. In addition, a single exception has been given for FISMA compliance.
2. Vending occurs when organizations further delegate portions of their accounts, with some autonomy, to subsidiary organizations.
3. Other requirements can be met without using Organizations.