This document will help you get started with a newly created, or transferred, AWS account. 

What to expect from your AWS Account

If you have a DIT-managed AWS account you should know that:

• You will not have root access to the account.  This is maintained by DIT so that the account can be closed in the event that the account owner leaves the University. 
• No ability to use access keys and/or secret key access previously associated with root.
• No access to AWS Cost and Usage Reports (CUR).  Please use AWS Cost Explorer for information and/or data provided via DIT OneBill to understand your AWS costs.
• Accounts that are transferred into the UMD organization will receive a new account name.

Access

Log in to your account

Access to DIT provided AWS accounts uses SAML authentication and is a 2-step process. 

1. Users must first login as an IAM role based on their HR group.
2. Users can then assume 1 or more IAM roles related to functional tasks. These functional roles may be in multiple AWS accounts. VPN is required to complete this activity from off-campus. Visit access.umd.edu and click GlobalProtect Agent in the top right to download the version for your Operating System.

For detailed instructions on how to login to the AWS Web Console please refer to

• AWS Web Console login instructions
• AWS Command line interface login instructions

Grant access to your account

If additional users need access to this account you should add them to the associated Grouper group. For more information on how to access and manage groups within Grouper please refer to: Add Users to Access Groups using Grouper.

Roles

When a new AWS account is created and if an account is transferred to the DIT AWS organization, a new IAM role called DeptAdmin is created with full admin access.  An associated Grouper group is also created and should be used to grant access to the account.  This role has administrative access to the account and can do most things except for a subset of billing activities and tasks requiring root access.  If you need more granular roles defined for your account please contact IT Cloud Support

Billing

Bills for AWS services will be delivered via DIT One Bill.  For more information on One Bill please refer to: UMD AWS Billing Process

 If your account was recently transferred to the DIT managed AWS Organization the bill for the first month of services may be split:

• Services from the 1st day of the month through the date of the transition will be billed to the prior credit card on file.  Services from the date of transition through the end of the month will be billed via DIT One Bill on the 15th of the following month.
• To access the invoice for services billed to the credit card
  
  • Login to the AWS account.
  • Go to the AWS Billing console.
  • Select Payments. 
  • The "payments due" tab will display invoices yet to be paid.  The "transactions" tab will display invoices that have already been paid. 

Support

UMD maintains an Enterprise Support contract with AWS which is available to all member AWS accounts. Administrators can use the Support Center portion of the AWS console to open cases directly with AWS support. More information on the features and response times of Enterprise Support can be found at the following pages.

• AWS Support Plans
• AWS Enterprise Support