AWS Service Overview

Introduction

Emory Amazon Web Services (AWS) is Emory University’s preferred and recommended cloud service for faculty-led computational needs. The service provides access to Amazon’s cloud computing services, including computing, storage, database, etc., with a few exceptions that have been blocked for security purposes. The service is a multi-mission platform that can facilitate the advancement of science, education, and service across the University.

For examples and use cases of projects using (or anticipating using) this service, please see the Faculty Use Cases link.  

Eligibility

The service is available to any active user within the Emory community when used for the purpose of conducting Emory business and used within the appropriate guidelines and terms of service. Because the service requires a financial commitment, only Emory faculty and staff can request the creation of an account. Once created, other Emory community roles, such as students, can be added. Collaborators under the context of an academic collaboration may also participate with the use of a sponsored account. Please note, the account owner has accountability for the costs accrued within their account. An active and valid 10-digit Emory SpeedType must be supplied and maintained by the account owner throughout the lifecycle of each account.  The account owner must be an authorized user of the SpeedType, and the SpeedType must have sufficient funds to cover all costs associated with the account.

For more information on initiating an account, please see the Account Creation page.

The AWS at Emory service has two classes of accounts: (1) “HIPAA-designated” accounts that will store and utilize electronic protected health information (ePHI) as part of Emory’s covered entity; (2) standard accounts that will not store or use sensitive data. Since Emory may only use services designated as HIPAA eligible by Amazon, the HIPAA-designated accounts have a subset of services available. Beyond the difference in the number of available services, the Emory-specified controls are very similar for HIPAA and standard accounts.

Costs

As with most cloud providers, Amazon uses a ‘pay-as-you-go’ model, charging only for the services you utilize. Emory does not charge any overhead for these native AWS services, but rather passes the costs directly to the user. There may be some instances when a faculty member may wish to engage LITS or a research core or a consulting firm for additional help in managing a service, which may incur additional costs. To help estimate the costs, Amazon provides a calculator.

Please be aware that Amazon has three distinct cost models for its EC2 (compute) service: on demand, reserved, and spot. As pricing can vary depending on the cost model selected, we recommend learning a bit more about these pricing models before spinning up an EC2 service.

Billing

To facilitate the billing process, the AWS at Emory service will transfer the charges from AWS to the appropriate SpeedType in Emory’s financial system.

As part of the account creation process, the faculty or staff member must enter a valid SpeedType. The process will verify that the SpeedType is active and has the appropriate number of digits, then log the person entering the SpeedType for auditing purposes.

Each account will have a single associated SpeedType. Currently, we are not supporting splitting expenses by SpeedType.

Current charges can be accessed through the reports in the AWS console. Historic charges are also kept within the VPCP app as well as accessible through Compass and the financial data warehouse reports.

As long as the AWS services are used to directly support a specific research award and have a clear benefit, the service may be charged as a direct expense to research grants.

Technical Architecture

Based on the discovery work with faculty and their teams, the AWS at Emory service includes two types of Virtual Private Cloud (VPC) design in AWS accounts:

  • Type 1 (currently available) extends Emory’s network into the cloud with no direct access to the Internet; Internet traffic must traverse back through Emory’s network.
  • Type 2 (on the roadmap) extends Emory’s network into the cloud with direct access to the Internet from AWS.

Most Emory use cases defined to date can be supported with a Type 1 VPC. Both types of VPC support public-facing applications. However, public-facing applications with a large user base may warrant a Type 2.

Each VPC will automatically be configured with three network zones (public, private, and management) in each of two availability zones.

For more details on the technical architecture, please see the AWS Technical Architecture design pages.

Information Security

Designated AWS services, when used through the AWS at Emory service, comply with Emory’s HIPAA policy and procedures and may be used with electronic protected health information (ePHI) and individually identified health information (IIHI) with the appropriate compliance authorization and user-based practices. For the current list of these services, please refer to the following updated list of AWS at Emory services for use with HIPAA workloads.

Use of an AWS HIPAA-eligible service with an account that is not part of the AWS at Emory service, such as a personal account, is not considered compliant with Emory’s HIPAA policies, and such an account should not be used with ePHI or IIHI.

Any sensitive data used or stored in this service must go through the appropriate compliance authorization process. Identifiable data originating from the Atlanta VA, Children’s Healthcare of Atlanta, and Grady may have additional steps before they may be used in this service. Data that requires infrastructure compliant with PCI or FISMA may not currently be used in the service. Please contact us for other avenues.   

In order to assist with the protection of these services, the AWS at Emory service deploys risk detectors that check to ensure the account is not misconfigured in a way that may introduce significant risk. These detectors run frequently and will notify the account owners of changes needed to remediate these risks. A listing of all AWS services offered and their security measures and the impacts of these measures can be viewed in the AWS at Emory management application.

Additional details on information security can be found on the security and compliance page.

VPCP Application

In addition to traditional AWS console and command-line access, Emory users also have access to an AWS at Emory management application, known as the VPCP application, to manage Emory-specific aspects of their accounts, such as which Emory people can manage their accounts, Emory networking information, Emory firewall rules, Emory IP addresses, and Emory information security notifications. You can access the VPCP application from the AWS at Emory landing page.

Software Licenses

Some of the software licenses that Emory has purchased may have provisions that prohibit their use in the cloud. Please see this article for more information on the site license software and their use in the cloud.

Support

There are many ways for you to get support. The options are outlined on this page.