Amazon Web Services — AWS
Creating AWS accounts for the Columbia community under the University’s enterprise agreement and consolidated billing.
Also known as AWS, AWS sub-account and AWS consolidated billing.
Columbia University negotiated an enterprise agreement with Amazon Web Services (AWS) in December 2015. If you are a faculty member or administrator who uses AWS for Columbia purposes, your AWS account is required to go through the University Enterprise Agreement. Student and personal AWS accounts are not covered under the enterprise agreement.
This agreement provides a number of benefits to faculty and staff, most notably the ability to pay for AWS services in a manner that is in compliance with University procurement policy. It also also provides intellectual property protection, liability and other protections.
As of April 2017, Columbia University has signed a Business Associate Agreement (BAA) with Amazon Web Service (AWS), permitting Columbia users that are appropriately enrolled to host Personal Health Information (PHI) in AWS, while maintaining HIPAA compliance.
How to set up a compliant AWS account:
- If you already have an AWS account that you use for Columbia business and pay for with a personal credit card or a P-Card, then you will need to link your account to the University’s Enterprise Agreement. Submit our online request form.
- If you do not already have an AWS account, you will need to request one through CUIT’s Enterprise Agreement. Submit our online request form.
Please keep in mind:
- For compliance with the University’s Acceptable Use Policy and data classification policies, we ask that users who link their accounts review these policies when completing our request form as part of the linking procedure.
Account owners who wish to leverage the BAA must complete the following:
- Contact CUIT by submitting our online request form to enroll your account, or call 212-854-1919 for assistance.
- Review AWS' documentation at https://aws.amazon.com/compliance/hipaa-compliance/ and ensure that all additional requirements are met. For example, only select services are covered under the BAA agreement; users must ensure they comply with AWS' restrictions.
- Ensure that all AWS services and applications handling PII (personally identifiable information) or PHI (protected health information) are registered in the Columbia University and Columbia University Irving Medical Center (CUIMC) risk assessment application (RSAM), and will be securely assessed by the appropriate Information Security Office.
FAQ
Requesting a new AWS account through the University Enterprise Agreement will generate a ticket with CUIT to open a new account using the chart string you provide in your request. Within 10 days, CUIT will set up a shell account and billing details for you and will provide you with the details for logging into your new account.
Through your AWS account dashboard, you will work directly with Amazon Web Services to select the features and services you will use within AWS. The cost of your AWS usage is based solely on the services you use within AWS.
Once you have submitted a request to link your existing AWS account to the University Enterprise agreement, CUIT will work with Amazon to have your account migrated to our Enterprise Agreement and charged back to the chart string that you provide in your request. You will continue to access and use your AWS services as you normally do. Only the billing for your account will change.
Yes, you can change the chartstring you use for this service at any time by sending a service request to the CUIT billing department.
CUIT will not split charges for one AWS account across multiple chartstrings. However, there are two options available to allow you to split your AWS charges:
- Create ARC journal entries to split your charges across multiple projects as needed. AWS provides powerful cost allocation tags to help you track the cost for the individual AWS services usage, which you can then use for your own billing allocation and reconciliation.
- Optionally, you can create separate AWS accounts for each chartstring and allocate your AWS usage to each account accordingly.
CUIT will only bill you a single total each month, based on the billing details that AWS provides us based on your usage. As the AWS Account owner you have access to detailed billing information for your account at any time, by visiting the AWS Billing and Cost Management Console. From the dashboard you can see historical invoice details as well as current month-to-date spending, to help you keep track of and manage your account usage and associated costs.
Please note: AWS charges will appear as “Telecom” charges in ARC.
As described in the question about billing [link to the Where can I see the details behind my monthly bill? question], the AWS Billing and Cost Management Console provides historical invoice details, as well as current month-to-date spending specific to your AWS account. All AWS accounts linked to the University Enterprise Agreement have the following access to the AWS Billing and Cost Management Console:
- Console Item
- Dashboard
- Access level for linked accounts
- Full Access
- Console Item
- Bills
- Access level for linked accounts
- Full Access
- Console Item
- Cost Explorer
- Access level for linked accounts
- Full Access - though it says ask payer
- Console Item
- Budgets
- Access level for linked accounts
- Locked
- Console Item
- Reports
- Access level for linked accounts
- AWS Cost and Usage Reports are not available. Other reports are available.
- Console Item
- Cost Allocation Tags
- Access level for linked accounts
- Locked. Customers will need to contact CUIT to add cost allocation tags.
- Console Item
- Payment Methods
- Access level for linked accounts
- Full Access, though the consolidated billing configuration is not visible.
- Console Item
- Payment History
- Access level for linked accounts
- Full Access, though only history prior to linking is available. Consolidated billing information is not visible.
- Console Item
- Consolidated Billing
- Access level for linked accounts
- Full Access. Shows the option to unlink billing.
- Console Item
- Preferences
- Access level for linked accounts
- Locked
- Console Item
- Credits
- Access level for linked accounts
- Full Access
- Console Item
- Tax Settings
- Access level for linked accounts
- Full Access
- Console Item
- Dev Pay
- Access level for linked accounts
- Accounts using Dev Pay should contact CUIT before linking.
See the AWS Billing and Cost Management documentation for details. While AWS does not provide a means to cut off service after reaching a threshold, you can set billing alerts with dollar thresholds which will trigger an email to you if those thresholds are exceeded. However, it is your responsibility to manage your account’s usage.
No. AWS allows only one Free Tier account for consolidated billing, so all linked accounts shared in the University’s single consolidated billing free tier for the 12 months beginning December 2015.
AWS shares pricing for unused reserved EC2 and RDS instances among all accounts in the consolidated billing family. The account that purchased the reserved instance gets first “dibs”. If however, there’s extra reserved capacity left over at the end of the month—that would otherwise be forfeited—this capacity is instead shared by any other linked accounts that match (in other words, is of the same server type in the same availability zone). You can read more about how this works.
No. Each AWS Account independently subscribes to a support plan level (or Basic Support at no charge).
The Enterprise Agreement negotiated between Columbia and AWS has several improvements of the “standard” AWS agreement. These include:
- Improved security, privacy and audit protections
- Branding and intellectual property protection for Columbia University
- Extended times to “exit” the service should Columbia and AWS decide to part ways
- Compliance with University Procurement and IT Security Policies
To get started, AWS provides online and in-person training. CUIT also coordinates training and information-sharing for the Columbia community through an AWS User Group for the University that meets periodically throughout the year.
From a daily use perspective, the changes are not significant. We are linking these AWS accounts to Columbia’s master billing account, so the most notable difference is that your method of payment changes from a credit card to an ARC Chartstring. In an effort to keep the process simple, each customer’s AWS account (identifiable by its 12-digit account number) will be kept separate rather than attempting to merge multiple customer accounts together.
If you do not already have an AWS account, and would like an account to use for Columbia University business, simply submit an online request. Please note that, per University policy, you will need to provide a chartstring for all AWS account billing.
No. Student use is not covered for two reasons:
- Billing is via ARC Chartstring only.
- The University will not assume liability for student actions.
AWS Educate is a program that operates independently of the AWS Enterprise Agreement. It has its own contract and is designed for student and instructor use. AWS Educate provides grants in order to make the cost of learning to use AWS free. However, it currently requires account holders to provide a credit card to cover charges in excess of the grant amount. As such, Columbia University cannot recommend AWS Educate for our students as we cannot and will not require them to take on an unspecific debt risk. We have asked AWS to come up with an approach that would cut off usage in excess of the grant amount, but that capability does not currently exist.