Amazon Web Services - Baseline configuration
The Public Cloud team provisions every AWS account with the following baseline setup.
Access control
Definitions
- Account Owner - the person listed in the account request form as owner
- Account Technical Contact - the person listed in the account request form as the technical contact
Access
- The Account Owner is the primary administrator for the AWS account and is responsible for the account's maintenance and security.
- The Account Owner is assigned Administrator Access, which grants full privileges to manage resources and assign roles.
- The Account Owner and the Account Technical Contact are assigned Administrator Access for the account at the time of deployment.
- If the people listed as the Account Owner or Account Technical Contact need to be updated, please notify the Public Cloud Team by sending an email to cloud-services@cio.wisc.edu.
Security configuration
All AWS accounts are deployed with the UW Madison security baseline. The baseline contains the following configurations, which may be improved as new security concerns arise.
Security services enabled
- GuardDuty: Threat detection service analyzing CloudTrail logs, VPC Flow Logs, and DNS logs
- CloudTrail: API activity and audit logging
- AWS Config: Configuration compliance recording and rule evaluation
- AWS Logging: Centralized log aggregation (CloudWatch/S3)
- VPC Flow Logs: Network traffic monitoring
- KMS: Encryption key management
Budget alerts
Budgets are configured according to the values provided in the account request form.
Alerts are sent to the Account Owner, Technical Contact, and Financial Contact — the contacts listed when the account request form was filled out.
Notifications are triggered when spending reaches 25%, 50%, 75%, 90%, and 100% of the defined budget.
Billing
Each AWS account is placed in the appropriate billing structure based on the funding source.
Billing is processed monthly.
All charges are billed to your DoIT service billing information.
Minimum monthly charges
Even when a newly provisioned AWS account has no customer-created resources, baseline security and logging controls can still generate charges, resulting in a minimum cost of about $10 each month.
Baseline services that can generate cost
- AWS Security Hub
- Amazon GuardDuty
- AWS CloudTrail
- AWS Config
- AWS Logging
- VPC Flow Logs
- AWS KMS
Pricing references
- Security Hub: https://aws.amazon.com/security-hub/pricing/
- GuardDuty: https://aws.amazon.com/guardduty/pricing/
- CloudTrail: https://aws.amazon.com/cloudtrail/pricing/
- AWS Config: https://aws.amazon.com/config/pricing/
- CloudWatch: https://aws.amazon.com/cloudwatch/pricing/
- Amazon S3: https://aws.amazon.com/s3/pricing/
- Amazon VPC: https://aws.amazon.com/vpc/pricing/
- AWS KMS: https://aws.amazon.com/kms/pricing/
If you have any questions, feedback, or ideas, please Contact Us.