How nonprofits can automate tax-exempt status across AWS accounts

Many nonprofits and other tax-exempt organizations need to make sure their tax status is correct across their Amazon Web Services (AWS) accounts. Tax-exempt organizations can have their tax-exempt status applied to their AWS account by opening a case in the Support Center. But as organizations grow larger and increase their use of the cloud, they may create new AWS accounts without the correct tax status applied. It can be a hassle to manually track down accounts with differing tax status and manually open support cases to resolve these differences. This effort distracts nonprofits and tax-exempt organizations from their overall missions.

To address this issue and ease the staff burden of manually identifying the tax status of multiple AWS accounts, I have built a tax analyzer to automatically detect the tax status of AWS accounts across an organization. In this blog post, I outline a simple solution that identifies which AWS accounts across an organization are paying sales tax, and show you how this solution can quickly remediate tax status by opening an AWS support case automatically.

Prerequisites

• The solution is currently designed to run in us-east-1, due to the endpoint address of the AWS Support API.
• The solution must be run from the payer account. The payer account must also have consolidated billing enabled. This solution also assumes you have requested a tax exempt status in the payer account.
• You must have previously viewed and enabled AWS Cost Explorer via the payer account. Please follow these directions to enable AWS Cost Explorer.
• This tax analyzer solution provides an option to automatically log a support case when an AWS account is identified that is paying sales tax. However, please note that automatic support case functionality is only supported for payer accounts with either Business Support or Enterprise Support. Learn how to change your support plan.

Solution overview

This solution deploys a AWS CloudFormation stack, which creates an AWS Lambda function to analyze the cost and usage data in the payer account, an Amazon EventBridge rule to fire the AWS Lambda function periodically, an Amazon Simple Notification Service (Amazon SNS) topic to notify of any account changes, and appropriate AWS Identity and Access Management (IAM) permissions so each component works correctly.

Procedure

Installing the analyzer

To install the tax analyzer, press the Launch Stack button or click here.

1. Once the CloudFormation Create stack screen appears (Figure 1), verify that you are in your organization’s payer account.

2. In the Parameters section, enter the email address that should receive alerts from this solution. If you want the solution to automatically generate a support case if an account is found that is paying sales tax, enter Yes in the box labeled Do you want a support case automatically created? Please remember that if you enter Yes, a support case will be automatically created only if your payer account has Business or Enterprise Support enabled.

Figure 1. Specifying configuration information for the tax analyzer solution.

In a few minutes, the solution should be fully installed. You will receive an email at the address you entered. Click the Confirm subscription link in the email to begin receiving messages from the tax analyzer solution.

Running the tax analyzer

The solution will run once a month without any involvement from the user. By default, it is scheduled to run on the 6^th day of the month at 8:00 AM GMT (3:00 AM US Eastern Time).

When the tax analyzer runs, it performs the following actions:

1. It calls the GetCostAndUsage API for the previous month, grouping data by LINKED_ACCOUNT and RECORD_TYPE. This allows the solution to view cost data across the organization.

2. If a tax record for an account is found with a non-zero charge, the solution assumes the account is paying sales tax.

3. If you specified that the solution should open a support case automatically, and if an account paying sales tax is found, the solution attempts to automatically log a support case to resolve the issue (Figure 2). Remember that a support case can only be created if the payer account has Business Support or Enterprise Support enabled.

Figure 2. An automatically created support case to add tax exempt status to an AWS account.

4. The solution reports back the findings by sending an email to the address entered during the installation process (Figure 3). The content of the email will change depending on whether accounts were identified that are paying sales tax and whether a support case was opened.

Figure 3. An email listing the accounts that are paying sales tax and the number of the support case that was automatically created.

Clean up

To avoid ongoing charges to your AWS account, you can use the CloudFormation console to delete the stack created as part of this demo. Choose the stack, choose Delete, and then choose Delete stack.

Cost considerations

This solution as designed activates once a month, so costs associated with this solution are designed to be low. Usage of some services may fall under the AWS Free Tier for some organizations.

In this solution, you pay for the amount of CPU and memory that the AWS Lambda function uses. For the latest AWS Lambda pricing, see our public pricing page. For Amazon SNS, you pay for the API publishes and notification deliveries associated with this topic. For the latest Amazon SNS pricing, see our pricing page. For accessing the AWS Cost Explorer API, you pay for each API request you make. For the latest AWS Cost Explorer API pricing, see our pricing page. Finally, with Amazon EventBridge, there are no additional charges for rules or event delivery.

Next steps

Nonprofits and tax-exempt organizations are already stretched thin on time. The solution outlined here helps tax-exempt organizations spend their time on mission critical demands, but still maintain the proper tax status across all their AWS accounts by automatically identifying the tax status of accounts on a rolling basis, and activating a remediation process immediately if the organization so chooses.

As a next step, check out our Nonprofit Technical Hub, which is a collection of cloud-based solutions for a variety of technical and business problems, vetted for your nonprofit by AWS. These solutions and tutorials are designed to help you move fast, so you can concentrate on your mission objectives instead of managing IT infrastructure.

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.

Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.