bCloud AWS Central FAQ

Service

What is the bCloud Service?

bCloud Service information can be found here.

Account

How do I login to my AWS Account?

You use your CalNet account and password to log in to your account at the AWS Landing Zone.

How do I request a new AWS Account?

You can request a new AWS Account by filling out our on-boarding form.

How do I request to migrate an existing AWS Account?

You can request to migrate an existing AWS Account by filling out our on-boarding form.

How do I use CalGroups to change or update permissions to my AWS Accounts?

Add or remove users in the CalGroup that was created for the AWS Account.

How do I decommission or remove AWS Account from bCloud AWS Central Organization?

Email cloud-ticket@berkeley.edu to create a ServiceNow ticket. (Please include the AWS Account # and AWS Account Name.)

How do I get notifications about bCloud-AWS-Central?

Email: bcloud-aws-central-announce+subscribe@lists.berkeley.edu to join the bCloud AWS Central Distribution List.

How do I change AWS Support Plan?

Email cloud-ticket@berkeley.edu to create a ServiceNow ticket. (Please include the AWS Account #, AWS Account Name and Support Plan Name.)

AWS Support Plans

Can I migrate an AWS Account that is already in an AWS Organization?

In order to join the bCloud AWS Central Organization, your AWS Account must first be removed from its current AWS Organization.

Steps to remove an AWS Account from an Organization.

What AWS Regions are configured and monitored in bCloud AWS Central?

bCloud AWS Central is configured in and monitors all four US Regions:

us-east-1, us-east-2, us-west-1 and us-west-2.

You can still use regions outside of this list. However, we neither configure nor monitor any other region, and the Campus Security Team will not receive any logs from resources deployed there.

Can an AWS account be a member of more than one organization?

No. An AWS account can be a member of only one organization at a time.

How do I create an AWS User Account for users outside of UC Berkeley?

Creating an IAM user in your AWS account.

Permissions

How do I request a new AWS Role to integrate with CalGroups and AWS SSO?

Email cloud-ticket@berkeley.edu to create a ServiceNow ticket. (Please include the AWS Account # and AWS Account Name.)

Detail the permissions needed for the role, and if you have a custom policy JSON, please provide that too.

Can I still use IAM Users?

Yes, you can. But the best practice is to use CalGroups and SSO for console access.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

VPC

Transit Gateway

How do I connect to Campus using the Transit Gateway?

Email cloud-ticket@berkeley.edu to create a ServiceNow ticket. (Please include the AWS Account # and AWS Account Name.)

Also specify the routing you need:

The Serverless Transit Network Orchestrator (STNO) creates the following default transit gateway route tables: Flat, Isolated, Infrastructure, and On-premises. Each route table and suggested propagations include a policy for common use cases.

  • Flat: VPCs associated with the Flat policy can reach other VPCs associated with the Flat, Shared Services, or Hybrid policies. The Flat policy enables a VPC to have connectivity to many other VPCs.

  • Isolated: VPCs associated with the Isolated policy can only reach VPCs with the Shared Services and Hybrid policies. VPCs in the Isolated policy cannot use AWS Transit Gateway to connect to other VPCs in the Isolated policy. This policy is for VPCs that do not communicate with each other.

  • Infrastructure: VPCs associated with the Infrastructure (Shared Services) policy can reach other VPCs associated with the Isolated, Flat, or Hybrid policies. The Infrastructure policy is used for VPCs that many other VPCs may rely on, such as shared authentication, shared tooling, or orchestration tools.

  • On-premises: This route table is used for connecting to on-premises networks through either VPN or AWS Direct Connect. Associate your on-premises connections with the On-premises route table.

Customers need to create a Transit Gateway attachment from a VPC that has at least one subnet. The subnet can use an AWS CIDR block or one assigned by the bCloud Team. The customer provides us with the VPC ID, and we associate the attachment with a route table (Flat, Isolated, Infrastructure or On-premises) and configure its propagation.
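To make the four STNO policies above concrete, the following added example (not bCloud or STNO code) encodes the reachability rules exactly as the FAQ states them and checks a planned set of VPC assignments against the connectivity a team is asking for. It assumes that the FAQ's "Shared Services" refers to the Infrastructure table and its "Hybrid" to the On-premises table.

```python
"""Reachability model of the STNO transit-gateway policies described in the FAQ (added example)."""

# Policy names as used in the FAQ. Assumption: "Shared Services" = Infrastructure table,
# "Hybrid" = On-premises table.
FLAT, ISOLATED, INFRASTRUCTURE, ON_PREMISES = "Flat", "Isolated", "Infrastructure", "On-premises"

# Which policies a VPC in each route table can reach, taken from the FAQ text.
REACHABLE = {
    FLAT: {FLAT, INFRASTRUCTURE, ON_PREMISES},
    ISOLATED: {INFRASTRUCTURE, ON_PREMISES},          # never another Isolated VPC
    INFRASTRUCTURE: {ISOLATED, FLAT, ON_PREMISES},
    ON_PREMISES: {FLAT, ISOLATED, INFRASTRUCTURE},    # assumption: on-prem links reach every VPC table
}

def can_reach(src_policy: str, dst_policy: str) -> bool:
    """True if traffic from a VPC in src_policy may transit the TGW to a VPC in dst_policy."""
    return dst_policy in REACHABLE[src_policy]

def reachability(assignments: dict) -> dict:
    """Map each VPC ID to the sorted list of other VPCs it can reach through the TGW."""
    return {v: sorted(o for o in assignments if o != v and can_reach(assignments[v], assignments[o]))
            for v in assignments}

def check_request(assignments: dict, required_pairs: list) -> list:
    """Return the requested (src, dst) VPC pairs that the chosen policies would NOT allow."""
    return [(a, b) for a, b in required_pairs if not can_reach(assignments[a], assignments[b])]

def policies_allowing(dst_policy: str) -> list:
    """Policies a new VPC could be placed in so that it can reach VPCs in dst_policy."""
    return sorted(p for p in REACHABLE if can_reach(p, dst_policy))

if __name__ == "__main__":
    # Constructed plan: two isolated app VPCs, one shared-tooling VPC and one flat dev VPC.
    plan = {"vpc-app-a": ISOLATED, "vpc-app-b": ISOLATED, "vpc-tools": INFRASTRUCTURE, "vpc-dev": FLAT}
    for vpc, peers in reachability(plan).items():
        print(f"{vpc:10} ({plan[vpc]:14}) -> {peers}")
    # Asking for app-a <-> app-b while both are Isolated cannot be satisfied via the TGW.
    print("unsatisfied:", check_request(plan, [("vpc-app-a", "vpc-tools"), ("vpc-app-b", "vpc-app-a")]))
```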

Billing

How does IST Billing work for AWS Accounts?

The bCloud Team in Central Berkeley IT pays the AWS bill via a central PO, then passes the AWS charges to the COA that you provided during setup. If you need to change this COA, please contact us at cloud-ticket@berkeley.edu or istbill@berkeley.edu to start that process.

How do I get a detailed billing report?

Inside your AWS account, navigate to "Reports", where you can run a pre-made report or customize your own. You can then download the result as a CSV if you like.

https://console.aws.amazon.com/cost-management/home#/reports/overview


How do I get an AWS Invoice for my account?

You can access your bill via the console under the billing page.

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/getting-viewing-bill.html

How is the EDP Discount Applied to our account(s)?

The EDP discount is applied to your bill once a month and can be seen in your AWS Billing Portal under "Total Discounts" (for example: "EDP discounts of $2,799.66 will be applied to your eligible spend").

Security

Is Campus Security Team monitoring AWS Accounts that are Data Classifications of P3 and P4?

The Campus ISO Team receives raw logs from all accounts in the bCloud AWS Central Organization and uses ArcSight Enterprise Security Manager to scan the logs for security issues.

This is not a P3- or P4-ready monitoring or certified environment. Users still have to enable a flow log for all VPCs in their environment so that the logs are forwarded to the bCloud AWS Central CloudTrail.
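Because a VPC without a flow log is invisible to the monitoring described above, the following added example (not a bCloud tool) lists the VPCs in an account that have no active flow log capturing all traffic, across the four monitored regions. The pure check runs on constructed sample responses in the shape boto3 returns; the `--live` path assumes boto3 and valid AWS credentials.

```python
"""List VPCs lacking an ACTIVE flow log with TrafficType ALL (added example, not bCloud tooling)."""
import sys

# Regions that bCloud AWS Central configures and monitors, per the FAQ.
MONITORED_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

def vpcs_missing_flow_logs(vpcs_resp: dict, flow_logs_resp: dict) -> list:
    """Return sorted VPC IDs from describe_vpcs() with no ACTIVE flow log covering ALL traffic.

    A flow log that is inactive, or that only captures ACCEPT or REJECT records, leaves
    gaps for the monitoring team, so it is treated as missing here. Subnet- and ENI-level
    flow logs never match a VPC ID and therefore do not count as VPC coverage.
    """
    covered = {
        fl["ResourceId"]
        for fl in flow_logs_resp.get("FlowLogs", [])
        if fl.get("FlowLogStatus") == "ACTIVE" and fl.get("TrafficType") == "ALL"
    }
    return sorted(v["VpcId"] for v in vpcs_resp.get("Vpcs", []) if v["VpcId"] not in covered)

def audit_region(ec2) -> list:
    """Run the check against a live boto3 EC2 client for one region (needs credentials)."""
    return vpcs_missing_flow_logs(ec2.describe_vpcs(), ec2.describe_flow_logs())

# Constructed sample responses in the shape boto3 returns, so the check runs offline.
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}, {"VpcId": "vpc-0c3"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"ResourceId": "vpc-0a1", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},     # fully covered
    {"ResourceId": "vpc-0b2", "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT"},  # partial capture
    # vpc-0c3 has no flow log at all
]}

if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # assumption: boto3 installed and AWS credentials configured
        for region in MONITORED_REGIONS:
            missing = audit_region(boto3.client("ec2", region_name=region))
            print(region, "VPCs without a full flow log:", missing or "none")
    else:
        print("sample VPCs without a full flow log:", vpcs_missing_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
```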

Resource Links

Additional Information

  • Best practices for managing AWS access keys
  • AWS Security Blog
  • Security best practices in IAM
  • IAM Policy Simulator
  • AWS Pricing Calculator
  • Actions, resources, and condition keys for AWS services
  • AWS System Status