AWS Public Sector Blog

University of British Columbia Cloud Innovation Centre: Governing an innovation hub using AWS management services


In January 2020, Amazon Web Services (AWS) inaugurated a Cloud Innovation Centre (CIC) at the University of British Columbia (UBC). The CIC uses emerging technologies to solve real-world problems and has produced more than 50 prototypes in sectors like healthcare, education, and research. The Centre’s work has involved 300-plus AWS accounts across various groups, including external collaborators, UBC staff, students, and researchers.

This post discusses how a higher education institution can manage AWS, with an emphasis on governance that fosters innovation without compromising security, and details the policies and responsibilities for managing AWS accounts across projects and research.

High-level technical solution

AWS recommends AWS Control Tower as the foundation of a landing zone for multi-account environments, with prescriptive controls. It builds on AWS Organizations, which centralizes the management of multiple AWS accounts and provides consolidated billing. The UBC CIC adopted AWS Control Tower to govern access to its AWS accounts by permission level and uses Organizations for account oversight.

To reduce human error and enforce policy compliance, the UBC CIC enabled AWS IAM Identity Center for workforce identity and single sign-on across accounts, AWS Security Hub for a centralized view of security findings and compliance, and AWS Identity and Access Management (IAM) for the permissions that people and workloads operate under.

As the team creates new AWS accounts, it organizes them into organizational units (OUs) according to the application or service they serve. OUs are where management controls such as service control policies (SCPs) are attached. An SCP sets the maximum permissions available in every account beneath it, so an action the SCP does not allow cannot be used even by an administrator of the member account; the CIC uses this to enforce consistent guardrails across projects, stakeholders, and students. SCPs grant nothing on their own: a principal still needs an IAM policy that allows the action.

Figure 1. Architectural diagram of the UBC CIC AWS Control Tower solution described in this post.

The diagram in Figure 1 shows the AWS management OU as the central hub orchestrating the AWS landscape. At the UBC CIC, capstone projects get dedicated spaces under the capstones OU. The project OU holds the accounts for prototypes developed for sponsors; it centralizes their resources and hosts progress demos or final versions, and students are its main users.

The sandbox OU serves as a space for students and faculty to experiment with AWS without affecting the broader ecosystem, fostering learning. The security OU secures operations with centralized audit and log archive accounts. Security Hub provides a unified view of findings and compliance status, while Amazon GuardDuty continuously monitors the accounts for threats and feeds its findings into that view.

IAM Identity Center allows controlled access and project transitions within the CIC’s environments. The suspended OU holds inactive projects, which are ready to be reactivated when necessary.

Name convention matters

The CIC team uses a shared mailbox, like awsadmin@domain, and extends it with plus addresses (for example, awsadmin+project_name@domain) when creating new AWS accounts through AWS Organizations. Each account gets the unique root email address AWS requires, while quota, service-maintenance, and other account notifications all land in one mailbox where they can be routed appropriately, giving the team visibility into account activity. Because the root email is also the password-recovery path for every account, access to that shared mailbox should be tightly controlled and the root user of each account protected with MFA.

A naming convention that groups accounts predictably, such as FirstName-LastName-GroupName, also pays off in cost analysis: filtering by linked account name in AWS Cost Explorer then isolates one person's or one group's spend in a single query, so the convention is worth settling before the first account is created.

Associations of AWS accounts to the right people in the right role

The UBC CIC maintains a secure and compliant AWS environment by using IAM Identity Center and IAM to control resource access. IAM Identity Center acts as a centralized identity provider, managing access across various AWS accounts. The CIC defines and assigns permission sets to specific user groups, like students or researchers. These sets are tailored to match necessary privileges for designated roles, adhering to the principle of least privilege to minimize the risks of unauthorized access and configuration errors.

How does the UBC CIC manage multiple stakeholders?

Managing data permissions and access was a key challenge in the UBC CIC’s COVID19 MRI Model project, a collaboration between data scientists from AWS, UBC, and Vancouver General Hospital (VGH). The team controls permissions through AWS accounts and OUs. Data scientists access deidentified MRI data aggregated in a data lake and use high performance computing (HPC) and AWS services such as Amazon SageMaker for modeling. They also have a sandbox for testing without impacting the project.

Roles and service control policies (SCPs) enforce access restrictions to ensure security and minimize errors. Monitoring tools like AWS Security Hub and AWS Config track resource use and compliance. AWS Control Tower and AWS Organizations simplify onboarding and governance of the AWS infrastructure.

How does the UBC CIC provision AWS accounts?

The UBC CIC manages multiple AWS accounts for project collaborators with a bulk creation approach, which addresses time pressure and reduces manual errors. The solution uses AWS CloudFormation, Amazon DynamoDB, AWS Lambda, and Amazon CloudWatch Events: a CloudFormation stack is deployed, account details are validated, and Lambda functions create the accounts and track them in DynamoDB, all within the AWS Control Tower landing zone. This automation allows quick account setup for new teams and sandbox environments. To implement it, the UBC CIC followed the best practices described in How to automate the creation of multiple accounts in AWS Control Tower.

Figure 2. AWS solution for bulk creation of UBC CIC accounts. The major components are an Amazon S3 bucket, AWS CloudFormation, Amazon DynamoDB, Amazon CloudWatch Events, AWS Control Tower, and AWS Service Catalog.

Procedure of the bulk creation of UBC CIC accounts

Following is the description of the steps involved in the solution for bulk creation of UBC CIC accounts.

  1. Log in as the AWS Control Tower administrator and deploy an AWS CloudFormation stack.
  2. The stack launches the AWS resources and initiates the batch account creation process.
  3. A Lambda function queries the DynamoDB table to obtain the details of the next account to create.
  4. The Lambda function launches the AWS Control Tower Account Factory product in AWS Service Catalog to create and provision the new account. When provisioning finishes, AWS Control Tower emits the CreateManagedAccount lifecycle event.
  5. A CloudWatch Events rule matches the CreateManagedAccount lifecycle event and triggers the CreateManagedAccountLambda function.
  6. That Lambda function updates the DynamoDB table with the result of the account creation workflow.
  7. The DynamoDB stream triggers the CreateManagedAccountLambda function again, and the process repeats from step 3 until no pending accounts remain.
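The two Lambda-style handlers below are an added example of steps 3 to 6 of this loop, plus the plus-addressed root email from the naming-convention section; they are not the UBC CIC's code or the code from the referenced AWS post. The DynamoDB table and Service Catalog client are injected so the logic runs offline against the fakes at the bottom (in a deployment you would pass boto3.resource("dynamodb").Table(name) and boto3.client("servicecatalog")). The Account Factory parameter names and the lifecycle-event layout follow the AWS Control Tower documentation; the table schema (AccountName key with Status, OU and SSOUser* attributes), the product and artifact IDs, and the sample account are assumptions.

```python
"""Bulk account creation: pick the next pending row, launch Account Factory,
then record the CreateManagedAccount lifecycle event. Added example; clients
are injected and the fakes support only the call shapes used here."""
import re

MAX_LOCAL_PART = 64  # RFC 5321 limit on the part of an address before '@'

def root_email(shared_mailbox, project_name):
    """Unique root e-mail via plus-addressing: awsadmin+tag@domain. AWS needs a
    distinct e-mail per account; the +tag still lands in the shared mailbox.
    The project name is normalised to [a-z0-9_-] so the address stays valid."""
    local, domain = shared_mailbox.split("@", 1)
    tag = re.sub(r"[^a-z0-9_-]+", "-", project_name.lower()).strip("-")
    if not tag:
        raise ValueError("project name produces an empty tag")
    if len(local) + 1 + len(tag) > MAX_LOCAL_PART:
        raise ValueError("local part would exceed 64 characters")
    return f"{local}+{tag}@{domain}"

def provision_next_account(table, sc, product_id, artifact_id, shared_mailbox):
    """Steps 3-4: take the next PENDING row and launch the Account Factory product.
    Returns the account name launched, or None once the batch is exhausted."""
    pending = table.scan(FilterExpression="#s = :p",
                         ExpressionAttributeNames={"#s": "Status"},
                         ExpressionAttributeValues={":p": "PENDING"})["Items"]
    if not pending:
        return None
    row = min(pending, key=lambda r: r["AccountName"])  # deterministic pick
    params = {
        "AccountName": row["AccountName"],
        "AccountEmail": root_email(shared_mailbox, row["AccountName"]),
        "ManagedOrganizationalUnit": row["OU"],  # value format depends on landing-zone version
        "SSOUserEmail": row["SSOUserEmail"],
        "SSOUserFirstName": row["SSOUserFirstName"],
        "SSOUserLastName": row["SSOUserLastName"],
    }
    sc.provision_product(ProductId=product_id, ProvisioningArtifactId=artifact_id,
                         ProvisionedProductName=row["AccountName"],
                         ProvisioningParameters=[{"Key": k, "Value": v} for k, v in params.items()])
    _set_status(table, row["AccountName"], "IN_PROGRESS", None)
    return row["AccountName"]

def handle_lifecycle_event(table, event):
    """Steps 5-6: consume the CreateManagedAccount lifecycle event that Control
    Tower emits when provisioning ends; record the outcome and the account ID."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        raise ValueError("not a CreateManagedAccount lifecycle event")
    status = detail["serviceEventDetails"]["createManagedAccountStatus"]
    name, state = status["account"]["accountName"], status["state"]
    account_id = status["account"].get("accountId")
    _set_status(table, name, state, account_id)
    return name, state, account_id

def _set_status(table, name, state, account_id):
    table.update_item(Key={"AccountName": name},
                      UpdateExpression="SET #s = :s, AccountId = :a",
                      ExpressionAttributeNames={"#s": "Status"},
                      ExpressionAttributeValues={":s": state, ":a": account_id})

class FakeTable:
    """Stand-in for a boto3 DynamoDB Table (only the two call shapes above)."""
    def __init__(self, rows):
        self.rows = {r["AccountName"]: dict(r) for r in rows}

    def scan(self, FilterExpression, ExpressionAttributeNames, ExpressionAttributeValues):
        wanted = ExpressionAttributeValues[":p"]
        return {"Items": [dict(r) for r in self.rows.values() if r.get("Status") == wanted]}

    def update_item(self, Key, UpdateExpression, ExpressionAttributeNames, ExpressionAttributeValues):
        row = self.rows.setdefault(Key["AccountName"], {"AccountName": Key["AccountName"]})
        row["Status"], row["AccountId"] = ExpressionAttributeValues[":s"], ExpressionAttributeValues[":a"]

class FakeServiceCatalog:
    def __init__(self):
        self.calls = []

    def provision_product(self, **kwargs):
        self.calls.append(kwargs)
        return {"RecordDetail": {"Status": "CREATED"}}

def demo():
    """Walk one constructed account through steps 3-6 and return what happened."""
    table = FakeTable([{"AccountName": "capstone-2024-mri", "OU": "Capstones", "Status": "PENDING",
                        "SSOUserEmail": "student@example.edu", "SSOUserFirstName": "Ada",
                        "SSOUserLastName": "Lovelace"}])
    sc = FakeServiceCatalog()
    launched = provision_next_account(table, sc, "prod-example", "pa-example", "awsadmin@example.edu")
    event = {  # constructed, in the shape Control Tower publishes on completion
        "source": "aws.controltower", "detail-type": "AWS Service Event via CloudTrail",
        "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
            "createManagedAccountStatus": {"state": "SUCCEEDED",
                "account": {"accountName": "capstone-2024-mri", "accountId": "111122223333"},
                "organizationalUnit": {"organizationalUnitName": "Capstones"}}}}}
    handle_lifecycle_event(table, event)
    return launched, sc.calls[0]["ProvisioningParameters"], table.rows["capstone-2024-mri"]
```

Calling demo() launches one row, then replays a constructed lifecycle event and leaves the row at SUCCEEDED with its new account ID. The source check in handle_lifecycle_event matters because the same CloudWatch Events rule target can receive other events if the rule pattern is later loosened; rejecting anything other than a Control Tower CreateManagedAccount event keeps the tracking table from being corrupted by a misconfigured rule.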

How does the UBC CIC control costs?

The UBC CIC controls costs with AWS Billing and Cost Management, using consolidated billing across the organization for centralized cost management. Cost allocation tags break expenses down by project, course, or student, improving visibility and enabling chargebacks where necessary. Daily and monthly billing alerts at the organization level notify the finance and technical teams when costs exceed set thresholds.

Figure 3. Architectural diagram of the UBC CIC solution for billing alerts. The major components are Amazon Simple Notification Service and Amazon CloudWatch.

How does the UBC CIC monitor and implement security?

UBC CIC uses AWS Security Hub for a centralized view of security and compliance. Its integrations with Amazon GuardDuty, Amazon Inspector, and AWS Config bring those services' findings into one place. Amazon CloudWatch monitors logs and routes security alerts. IAM and Amazon Virtual Private Cloud (Amazon VPC) provide access control and network isolation, while security groups and AWS Config rules guard network traffic and resource configurations. High-severity findings in Security Hub must be resolved before a project is considered complete, and Amazon Q Developer reviews code for security issues during development.
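The completion gate implied by "high-severity findings must be resolved before a project is considered complete" can be made mechanical. The check below is an added example and not the UBC CIC's tooling: it counts ACTIVE findings of severity HIGH or CRITICAL whose workflow status is still NEW or NOTIFIED in one account. The Security Hub client is injected so the check runs offline against the fake included here; in practice you would pass boto3.client("securityhub") from the Security Hub administrator account. The filter keys and finding fields are the real AWS Security Finding Format ones; the sample findings and generator IDs are constructed.

```python
"""Security Hub completion gate for one project account. Added example; the
client is injected and the fake honours only the four filter keys used here."""

SEVERITIES = ("HIGH", "CRITICAL")
OPEN_WORKFLOW = ("NEW", "NOTIFIED")  # RESOLVED and SUPPRESSED do not block completion

def _eq(values):
    return [{"Value": v, "Comparison": "EQUALS"} for v in values]

def open_high_findings(client, account_id):
    """All ACTIVE HIGH/CRITICAL findings still in an open workflow state for one
    account. Values under one filter key are OR-ed, keys are AND-ed, and the
    loop follows NextToken so large accounts are not truncated at one page."""
    filters = {
        "AwsAccountId": _eq([account_id]),
        "SeverityLabel": _eq(SEVERITIES),
        "RecordState": _eq(["ACTIVE"]),
        "WorkflowStatus": _eq(OPEN_WORKFLOW),
    }
    findings, token = [], None
    while True:
        kwargs = {"Filters": filters, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = client.get_findings(**kwargs)
        findings.extend(page["Findings"])
        token = page.get("NextToken")
        if not token:
            return findings

def completion_gate(client, account_id):
    """Return (ok, summary): ok is True only when nothing blocks completion;
    summary counts the blocking findings per control/generator for the report."""
    summary = {}
    for f in open_high_findings(client, account_id):
        key = f.get("GeneratorId", "unknown")
        summary[key] = summary.get(key, 0) + 1
    return (not summary), summary

class FakeSecurityHub:
    """Stand-in for boto3's securityhub client: applies the four filter keys used
    above and paginates two findings at a time so the NextToken path is exercised."""
    PAGE = 2

    def __init__(self, findings):
        self.findings = findings

    def get_findings(self, Filters, MaxResults=100, NextToken=None):
        def field(f, key):
            return {"AwsAccountId": f["AwsAccountId"], "SeverityLabel": f["Severity"]["Label"],
                    "RecordState": f["RecordState"], "WorkflowStatus": f["Workflow"]["Status"]}[key]
        hits = [f for f in self.findings
                if all(field(f, k) in {c["Value"] for c in conds} for k, conds in Filters.items())]
        start = int(NextToken or 0)
        out = {"Findings": hits[start:start + self.PAGE]}
        if start + self.PAGE < len(hits):
            out["NextToken"] = str(start + self.PAGE)
        return out

def _finding(account, label, workflow, generator, record="ACTIVE"):
    return {"AwsAccountId": account, "Severity": {"Label": label}, "RecordState": record,
            "Workflow": {"Status": workflow}, "GeneratorId": generator}

# Constructed sample findings; generator IDs are illustrative, not real control IDs.
SAMPLE = [
    _finding("111122223333", "HIGH", "NEW", "security-control/S3.2"),
    _finding("111122223333", "CRITICAL", "NOTIFIED", "security-control/IAM.4"),
    _finding("111122223333", "HIGH", "NEW", "security-control/S3.2"),
    _finding("111122223333", "HIGH", "RESOLVED", "security-control/EC2.19"),   # already fixed
    _finding("111122223333", "LOW", "NEW", "security-control/S3.8"),           # below the bar
    _finding("111122223333", "HIGH", "NEW", "security-control/S3.2", record="ARCHIVED"),
    _finding("444455556666", "CRITICAL", "NEW", "security-control/IAM.4"),     # other account
]
```

Against the sample, completion_gate(FakeSecurityHub(SAMPLE), "111122223333") returns (False, {"security-control/S3.2": 2, "security-control/IAM.4": 1}): the resolved, low-severity, archived, and other-account findings are all excluded. Filtering on WorkflowStatus rather than only RecordState is deliberate; a finding someone has marked SUPPRESSED stays ACTIVE in Security Hub, and treating it as blocking would make the gate impossible to pass for accepted risks.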

In balancing innovation with security, students at the CIC hold the AdministratorAccess role in their individual sandbox accounts for learning purposes. In project accounts they operate under a role built on the PowerUserAccess managed policy, which already withholds IAM administration such as creating users and access keys; the CIC extends it with the specific IAM permissions a project needs and further restricts services that are out of scope for the project.
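The sandbox-versus-project contrast above, together with the earlier point that an SCP caps permissions while an IAM policy grants them, is easiest to see by evaluating the same action under both setups. The block below is an added example, not the UBC CIC's actual policies: the project-OU SCP, the "out-of-scope" service list (Direct Connect and Lightsail), and the project IAM extension are assumptions chosen to match the page's description, while the PowerUserAccess excerpt is abridged from the AWS managed policy. The evaluator models IAM's action-level logic only, with no resources, conditions, permission boundaries, or resource policies.

```python
"""SCP and identity policy intersect: an explicit Deny anywhere wins, every SCP
on the path from the root to the account must Allow, and some identity policy
must Allow. Added example with assumed policy contents; simplified evaluator."""
from fnmatch import fnmatchcase

ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = ADMINISTRATOR_ACCESS  # the default SCP Organizations attaches everywhere

# Abridged PowerUserAccess: everything except IAM/Organizations/Account administration,
# plus a few read-only and service-linked-role actions.
POWER_USER_ACCESS = {"Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                                   "iam:ListRoles", "organizations:DescribeOrganization"],
     "Resource": "*"},
]}

# Assumed project-specific IAM extension: roles for workloads, but still no users or keys.
PROJECT_IAM_EXTENSION = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole",
                                   "iam:GetRole", "iam:DeleteRole"], "Resource": "*"},
]}

# Assumed guardrail attached to the project OU. The Deny statements hold even if
# someone later widens the identity policy inside the account.
PROJECT_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey",
                                  "iam:CreateLoginProfile"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["directconnect:*", "lightsail:*"], "Resource": "*"},  # assumed out of scope
]}

def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' wildcards, single string or list."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in pats)

def _applies(stmt, action):
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return not _matches(stmt["NotAction"], action)

def evaluate(policy, action):
    """'Deny', 'Allow' or 'Implicit' for one policy document and one action."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if _applies(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(scp_chain, identity_policies, action):
    """Combine SCPs (all must Allow) with identity policies (any must Allow)."""
    scp = [evaluate(p, action) for p in scp_chain]
    ident = [evaluate(p, action) for p in identity_policies]
    if "Deny" in scp or "Deny" in ident:
        return False
    return all(r == "Allow" for r in scp) and "Allow" in ident

def student_can(action):
    """(sandbox, project) outcome for one action under the access model on the page."""
    sandbox = is_allowed([FULL_AWS_ACCESS_SCP], [ADMINISTRATOR_ACCESS], action)
    project = is_allowed([FULL_AWS_ACCESS_SCP, PROJECT_OU_SCP],
                         [POWER_USER_ACCESS, PROJECT_IAM_EXTENSION], action)
    return sandbox, project
```

student_can("iam:CreateAccessKey") returns (True, False) and student_can("iam:CreateRole") returns (True, True): the project extension grants role management, but the OU-level Deny on access keys cannot be undone from inside the account. student_can("organizations:CreateAccount") returns (True, False) for a different reason: no SCP denies it, but PowerUserAccess's NotAction leaves it implicitly denied, which is the "SCPs grant nothing on their own" case.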

Conclusion

The UBC CIC collaborates with AWS to manage hundreds of users across more than 50 diverse projects, showcasing their ability to orchestrate complex AWS environments. This experience emphasizes their proficiency in providing tailored, secure, and efficient solutions within a structured academic framework. The UBC CIC balances diverse project requirements while maintaining security and cost-effectiveness, serving as a model for other AWS customers. Their approach offers insights into best practices in AWS project management, access control, and cost management, making it a valuable example for optimizing AWS solutions for research and innovation. To learn more about the AWS governance services the UBC CIC uses, visit Management and Governance on AWS.