Amazon Web Services at U-M FAQ

What resources are provisioned in my account?
  • VPC with Dedicated Private IP Space
  • VPC Flow Logs on all VPCs in US-East-1
  • Default Security Groups
  • Splunk logging for CloudTrail Events

If I request a new account, how long will it take to be created?

New accounts will take two to three business days.

Can we use our own IAM accounts until the integration is ready?

Yes, your IAM users will continue to work as before; however, the sign-in link will change. If you let us know, we are happy to provide the new link as soon as it changes.

Do any of the new resources affect current running workloads?

No, the only change is the link to sign into an IAM account. All of our resources are value-add and do not affect workloads currently running in the account.

Can integrated accounts have API keys?

No. We are investigating this possibility, but API keys are not currently supported for integrated accounts. An IAM account without console access will be sufficient to use API keys.

Will IAM account logins/passwords be disabled at some point?

No, you can continue to use IAM accounts to complement the IAM policies in your account.

Is there an additional cost?

Only for the VPN. AWS charges about $35/month per VPN connection.

Does the sign-in URL work for the root account?

No. To sign in to the root account, go to the AWS Console and provide your root email address.

Does integration work for root accounts?

No, root account access cannot be integrated.

Are there any limitations to using consolidated billing?

Amazon has resolved the issue of sharing Reserved Instances and credits. They now stay with the account to which they were applied. However, if an account has both credits and a shortcode, all usage charges will use up the credits first before anything is applied to the shortcode.

How can I give federated users different access in my account?

Create a group in MCommunity for those users and create an IAM Role with a matching name. See Enabling Single Sign-On.

Can I run workloads in my account but charge another shortcode than the one used for my whole account?

Yes, by adding a tag to the resource with a key of 'shortcode' and a value of the six-digit shortcode (including leading zeros). Note that not all AWS resource types support this.

There are a few caveats with this feature. The tag is embedded in the usage detail used for billing, so only charges accrued after the tag is created will be impacted. Also, if a tag is removed, all charges that were accrued up until the point of removal will be charged to the shortcode.

It is also important that the tag value be changed before a shortcode is terminated.

This is part of an automated billing process, so the cloud team cannot alter this. In the event an adjustment is needed, your local finance team should be able to perform a journal transfer.
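Because billing is automated and cannot be corrected by the cloud team, it helps to audit tags before charges accrue. The following is an added example, not part of the original FAQ or any U-M tooling: it checks a resource inventory in the shape returned by the AWS Resource Groups Tagging API for shortcode tags that will not bill as intended. The `retiring` set, the sample ARNs and the sample shortcodes are constructed, and the example assumes the billing process matches the tag key exactly as written above.

```python
import re

TAG_KEY = "shortcode"                    # key as given in this FAQ
SIX_DIGITS = re.compile(r"[0-9]{6}")     # six digits, leading zeros kept


def audit_shortcode_tags(resources, retiring=frozenset()):
    """Return {arn: finding} for resources whose shortcode tag needs attention.

    `resources` uses the ResourceTagMappingList shape of the Resource Groups
    Tagging API. `retiring` is a hypothetical set of shortcodes that are
    about to be terminated. Resources without the tag are skipped because
    they bill to the account's own shortcode.
    """
    findings = {}
    for res in resources:
        arn = res["ResourceARN"]
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        if TAG_KEY not in tags:
            # AWS tag keys are case sensitive: 'Shortcode' is a different tag.
            near = [k for k in tags if k.lower() == TAG_KEY]
            if near:
                findings[arn] = f"wrong key case: {near[0]}"
            continue
        value = tags[TAG_KEY]
        if not SIX_DIGITS.fullmatch(value):
            findings[arn] = f"malformed value: {value!r}"
        elif value in retiring:
            # The tag value must be changed before the shortcode is terminated.
            findings[arn] = f"retiring shortcode: {value}"
    return findings


# Constructed sample inventory; account ID, ARNs and shortcodes are made up.
SAMPLE = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa",
     "Tags": [{"Key": "shortcode", "Value": "012345"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb",
     "Tags": [{"Key": "shortcode", "Value": "12345"}]},  # leading zero lost
    {"ResourceARN": "arn:aws:s3:::example-bucket",
     "Tags": [{"Key": "Shortcode", "Value": "012345"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0ccc",
     "Tags": [{"Key": "shortcode", "Value": "654321"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0ddd",
     "Tags": []},
]

if __name__ == "__main__":
    for arn, finding in audit_shortcode_tags(SAMPLE, {"654321"}).items():
        print(f"{arn}: {finding}")
```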

What support contracts are provided with Amazon?

Amazon provides basic support. Customers can optionally pay for increased support from Amazon.

Can students use AWS at U-M?

Unfortunately, only Faculty and Staff can use the services provided by AWS at U-M.

Should I use the Red Hat or Microsoft Amazon Machine Image (AMI), or can I use U-M's existing license?

Windows Server must be run on a dedicated host or instance. For Microsoft Server and SQL, we recommend selecting a Windows Server AMI and using U-M's license to install SQL. More details can be found at Microsoft Licenses.

U-M's license for Red Hat can also be brought into AWS by sending a request along with your AWS account number to the U-M AWS support team.

Is AWS HIPAA Compliant?

General use of AWS for HIPAA data is not permitted at this time. U-M ITS continues to work with Michigan Medicine Corporate Compliance, the U-M data steward and compliance owner for HIPAA data, to establish processes and practices for the appropriate collection, processing, storage, and maintenance of HIPAA data in the Cloud. Please contact the AWS Support Team if you have any questions regarding using AWS for HIPAA data.