AWS Best Practices

AWS is Wharton's preferred cloud vendor. Wharton has AWS Enterprise Support and has integrated account creation for AWS, allowing payment via budget code. For information on obtaining an account see AWS Linked Accounts.


Enterprise Support

All Wharton faculty and staff with AWS linked accounts can contact AWS directly for Enterprise Support. 

If you want more information about Enterprise Support, ask your Wharton Computing Representative to contact Wharton Computing's ESS team on your behalf.


  • Every linked account must have a budget code associated with it. F&A will charge back costs to that billing code quarterly.
    • Wharton Research has a separate billing mechanism for users that use Research's AWS accounts. Those charges are billed back monthly.
  • Users can see the charges in their linked account by using the AWS Cost Explorer.
  • Wharton has a more sophisticated tool called CloudHealth that is available to all users. 
    • To log in, use [your Pennkey] and your Pennkey password
    • If you are interested in an introduction to CloudHealth,  ask your Wharton Computing Representative to contact Enterprise Solutions and Services.
    • CloudHealth is the only way to see charges for multiple AWS linked accounts at one time.
  • AWS provides a Cost Anomaly Detector that uses artificial intelligence to detect surprising upward deviations in spending. The detector can be set to send an email alert when anomalous spending crosses a threshold.
    • Users can set up cost anomaly detection on any single AWS linked account.
    • To set up cost anomaly detection across multiple linked accounts, or simply to get assistance, ask your Wharton Computing Representative to contact Enterprise Solutions and Services.

User Access

  • By default, each AWS-linked account has two roles, an administrator role and a read-only role. When the account is created, at least one person is assigned to the administrator role.
  • Wharton has implemented single-sign-on so that account users can log on with their Pennkey and password.


  • Account users can create their own roles and request that users be assigned to the roles.

User Authentication

  • Wharton strongly recommends that users authenticate with Pennkey whenever possible.
  • Pennkey authentication ensures that users who no longer have active Pennkeys cannot access AWS linked accounts.
  • If necessary, linked account users can create IAMusers.


  • AWS linked accounts are configured by default to follow AWS best practices for security. They use AWS Config, GuardDuty and Security Hub to monitor potential threats.


For more information, contact your Wharton Computing Representative