AWS Best Practices

AWS is Wharton's preferred cloud vendor. Wharton has AWS Enterprise Support and has integrated account creation for AWS, allowing payment via budget code. For information on obtaining an account see AWS Linked Accounts.

Enterprise Support

All Wharton faculty and staff with AWS-linked accounts can contact AWS directly for Enterprise Support.

To open a support case, see Amazon Support's article, Creating support cases and case management.
Enterprise Support includes:
- Unlimited 24x7 support
- Billing assistance
- Architectural reviews
- Proactive guidance

If you want more information about Enterprise Support, ask your Wharton Computing Representative.

Billing

All Wharton AWS Linked Accounts must have a budget code associated with it (see this article for more details). F&A charges back costs to the associated billing code quarterly.

Wharton Research has a separate billing mechanism for users who use Research's AWS accounts. Those charges are billed back monthly.

Linked Account owners can see their charges using the AWS Cost Explorer in the account’s console.

They can also request access to CloudHealth, a more sophisticated charge tracking tool, which includes:

The only way to see charges for multiple AWS-linked accounts at one time.
A Cost Anomaly Detector that uses artificial intelligence to detect surprising upward deviations in spending. The detector can be set to send an email alert when anomalous spending crosses a threshold.
- Users can also set up cost anomaly detection on any single AWS-linked account.
- To set up cost anomaly detection across multiple linked accounts, or simply to get assistance, email support@wharton.upenn.edu.

To request access to CloudHealth email support@wharton.upenn.edu.

Logging into CloudHealth

To log in after being granted access to CloudHealth:

Create and confirm a Broadcom account using [your PennKey]@upenn.edu
Go to CloudHealth and login with [your PennKey]@upenn.edu
If you are interested in an introduction to CloudHealth, ask your Wharton Computing Representative to contact the Infrastructure & Services team on your behalf.

User Access

By default, each AWS-linked account has two roles:

An administrator role
A read-only role

When the account is created, at least one person is assigned to the administrator role.

Wharton has implemented single sign-on so that account users can log on with their PennKey and password.

Roles

More finely scoped roles can be created to work with SSO. Email support@wharton.upenn.edu for more details.

User Authentication

Wharton strongly recommends that users authenticate with PennKey whenever possible:

PennKey authentication ensures that users who no longer have active Pennkeys cannot access AWS-linked accounts.

If necessary, linked account users can create IAM users. This is a less desired configuration as IAM users are not protected by PennKey MFA (Multi-Factor Authentication). Also, IAM user accounts will not expire when the account user is no longer affiliated with Penn.

Linked accounts do not have root credentials.

Emergency Account Access

Wharton Computing has the ability to elevate access to all linked accounts in the organization. Access for staff-linked accounts is set by the account owner.

Wharton Computing can shut down AWS systems in certain situations:

Security breaches - Wharton Computing can shut down systems that have security breaches.
Anomalous cost increases.

Wharton Computing’s senior leadership has to approve any emergency access to shut down resources in linked accounts.

Security

AWS-linked accounts are configured by default to follow AWS best practices for security.

They use AWS Config, GuardDuty, and Security Hub to monitor potential threats.

Questions?

For more information, contact your Wharton Computing Representative.