UTD Amazon Web Services
Amazon Cloud Services
Amazon Web Services offers a broad set of global cloud-based products including compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security and enterprise applications. These services help organizations move faster, lower IT costs, and scale. AWS is trusted by the largest enterprises and the hottest start-ups to power a wide variety of workloads including: web and mobile applications, game development, data processing and warehousing, storage, archive, and many others. Listed below are some of the AWS core services, which are considered essential:
- AWS Compute – EC2
- AWS Storage – S3, EBS
- AWS Database – RDS, DynamoDB, ElastiCache
- AWS Networking – VPC
- AWS Management – CloudWatch, CloudTrail
- AWS Security – IAM
- AWS Application Integration – SNS, SQS
Advantages of Cloud Computing
The key benefits of cloud computing services that attract customers are:
- Cost savings: The cloud allows you to trade capital expense (data centers, physical servers, etc.) for variable expense and only pay for IT as you consume it. Plus, the variable expense is much lower than what you can do for yourself because of the larger economies of scale.
- Deploy globally in minutes: With the cloud, you can easily deploy your application in multiple physical locations around the world with just a few clicks. This means you can provide a lower latency and better experience for your customers simply and at minimal cost.
- Agility: The cloud allows you to innovate faster because you can focus your valuable IT resources on developing applications that differentiate your business and transform customer experiences rather than managing infrastructure and data centers. With cloud, you can quickly spin up resources as you need them, deploying hundreds or even thousands of servers in minutes.
- Elasticity: Before cloud computing, you had to over-provision infrastructure to ensure you had enough capacity to handle your business operations at the peak level of activity. Now, you can provision the amount of resources that you actually need, knowing you can instantly scale up or down with the needs of your business. This reduces costs and improves your ability to meet your users’ demands.
Consulting Services
Schools and Departments
OIT provides IT services and support to eight different schools on campus that collectively provide more than 140 academic degrees. Some of the services provided by OIT to students, faculty and staff include but are not limited to:
- IT Security
- Communication and Collaboration
- Desktop Support
- Computer Purchases
Researchers
Consulting services and support are available to researchers at UT Dallas, providing technology support resources that are easily accessible, reliable and affordable to help them move forward with their research initiatives. Some of the services provided to researchers include (but are not limited to):
- Access shared software at minimum or no cost
- Leverage common authentication, authorization and security services
- Help with writing grants that require a cloud component
- Easy access to common datasets
- Resources required for experimentation
- System administration support and other resources and services
Students and Faculty
AWS Educate
As cloud computing continues to grow in popularity, the need for employees with knowledge and skills in cloud computing has also grown. In response to this growing need, Amazon Web Services (AWS) started an initiative called AWS Educate to provide students and educators with the training and resources needed for cloud-related learning.
As a member of AWS Educate, the University of Texas at Dallas proudly provides its educators and students with twice as many AWS credits, demos, and special on-campus programs. Professors, teaching assistants, and educators receive access to AWS technology, open source content for their courses, training resources, and a large support community. Students receive credits for hands-on experience with AWS technology, training, content, career pathways, and the AWS Educate Job Board.
Free training resources
- LinkedIn Learning – Currently enrolled students and current faculty and staff have access to LinkedIn Learning. This service is a leading online platform that helps anyone learn business, software, technology and other creative skills to achieve personal and professional goals. You can use your UTD credentials to access the courses on LinkedIn Learning. You can create a new LinkedIn account or use an existing LinkedIn account and link it to your UTD LinkedIn Learning account. You do not have to be on campus to use LinkedIn Learning, since you can access it from anywhere with an internet connection.
- Safari Books Online – Safari Books Online contains a wide variety of electronic books, videos and tutorials on a wide variety of subjects. Current UTD students, faculty and staff may access Safari. Please enter your UTD email address to gain full access to the available resources. Some of the e-books available to students include computer science, engineering and business titles.
- Other e-books – Some of the additional resources include ProQuest E-book Central, IET Digital Library, SPIE Digital Library, etc. (follow the link to access it).
AWS Technical Essentials
This is a free one-day event delivered by AWS Education’s technical instructors. It takes learners step by step through a deep dive into AWS core services and teaches terminology and concepts such as Database, Compute, Storage and Network, how to navigate the management console, and key concepts in security and Identity and Access Management (IAM). This foundation course is targeted at individuals interested in learning how to get started with AWS, such as SysOps administrators, developers and solutions architects, and teaches how to incorporate informed decisions about IT solutions into your business.
Contracts and Agreements
DIR – Department of Information Resources (DIR) contracts and services cover a wide variety of information technology products and services, including co-operative contracts (e.g. hardware/software services, technology training, etc.), data center services, information security, telecom services, etc. The University of Texas at Dallas has leveraged the TX DIR contract with AWS.
AWS is currently a provider of products and services to numerous public sector and education organizations. It offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. These services are trusted by the largest enterprises and the hottest start-ups to power a wide variety of workloads including: web and mobile applications, data processing and warehousing, storage, archive, and many others. To get information about services offered under the DIR contract, please visit the Cloud Services for the State of Texas page and select the product/service to get its overview.
BAA – The University of Texas at Dallas has accepted a Business Associate Addendum (BAA) contract with AWS. The BAA contract is required under the HIPAA rules to ensure that AWS appropriately safeguards Protected Health Information (PHI). Once accepted, all current and future accounts created or added to the organization will immediately be covered by the BAA.
AWS Artifact Organization Agreements has been designed to simplify the BAA process and improve your experience when designating AWS accounts as HIPAA accounts. Previously, if you wanted to designate several AWS accounts, you had to sign in to each account individually to accept the BAA or email AWS. Now, an authorized master account user can accept the BAA once to automatically designate all existing and future member accounts in the organization as HIPAA accounts for use with protected health information (PHI). This release addresses a frequent customer request to be able to quickly designate multiple HIPAA accounts and confirm those accounts are covered under the terms of the BAA. For detailed information on how to leverage this new capability and enable new features and user permissions, please visit the webpage regarding how to accept a BAA with AWS.
UTD AWS Organization Account
The UT Dallas AWS Organizations account provides the ability to create and manage member accounts for UT Dallas. It contains the AWS Landing Zone configuration Amazon Simple Storage Service (Amazon S3) bucket and pipeline, account configuration StackSets, AWS Organizations Service Control Policies (SCPs), and AWS Single Sign-On (SSO) configuration with Duo (MFA) integration. The UT Dallas AWS organization account leverages the Texas DIR contract, the AWS Data Egress Waiver, and the AWS Business Associate Addendum (AWS BAA) for UT Dallas.
The OIT AWS Organization uses the AWS Landing Zone solution to deploy the AWS Account Vending Machine (AVM) product for provisioning and automatically configuring new accounts. The Organization Account provides centralized shared services for campus departments and research support in bringing more innovations to assist with challenges in research that impact the world.
Data Egress Waiver
In general, data egress refers to data leaving a network and making transit to some external network. Several universities have adopted “cloud” strategies to move all or most of their enterprise IT services to the cloud. These days, researchers are looking to commercial cloud providers as an alternative to building their own “clouds” through on-premises hardware. AWS is offering a data egress discount to qualified researchers and students at UTD, making it easier for them to use its cloud storage, computing, and database services by waiving data egress fees.
Security
UTD OIT takes the security of its services and resources very seriously. One of the areas that OIT has focused on is providing a robust access control service to its Amazon Web Services (AWS) customers. AWS’s Identity and Access Management (IAM) service allows customers to manage users, groups, roles, and permissions, but it is entirely up to AWS customers to properly configure IAM to meet their security and compliance requirements. Security at the Office of Information Technology is also ensured by AWS Landing Zone and Duo/SSO authentication. Cloud security is the highest priority at AWS. As an organization leveraging AWS services, we have benefited from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment. Customers pay only for the services they use, meaning that you can have the security you need without the upfront expenses, and at a lower cost than in an on-premises environment.
AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services. This solution can help save time by automating the set-up of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of core accounts and resources. AWS Landing Zone deploys an AWS Account Vending Machine (AVM) product for provisioning and automatically configuring new accounts. The AVM leverages AWS Single Sign-On for managing user account access. This environment is customizable to allow customers to implement their own account baselines through a Landing Zone configuration and update pipeline.
Duo’s secure SSO extends consistent and strong authentication to all your applications, whether on-premises or in the cloud. Users have the flexibility to choose any of the available authentication methods, such as Duo Push, one-time passcode (OTP), SMS, or phone callback. NetIDplus is UTD’s implementation of Duo two-factor authentication. NetIDplus combines your NetID account with your mobile phone or code-generating device to protect high-risk systems. To help address the risk of increased attacks from scammers hoping to steal passwords and valuable university information, UTD has implemented the Duo application to support two-factor authentication. A mobile phone is linked to your account, and scammers are prevented from accessing resources protected by two-factor authentication, even if they possess your password, because they do not have your mobile device.
AWS roles and policies can ensure additional security for the data hosted on AWS platforms. AWS offers you capabilities to define, enforce, and manage user access policies across AWS services. This includes:
- AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources
- AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators
- AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience
Policies and Permissions
We can manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy, when associated with an identity or resource, defines its permissions. These AWS policies are evaluated when a principal entity (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies. IAM policies define permissions for an action regardless of the method that you use to perform the operation.
Policy Types
The following policy types, listed in order of frequency, are available for use in AWS. For more details, see the sections below for each policy type.
- Identity-based policies – Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
- Resource-based policies – Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to a principal entity that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
- Permissions boundaries – Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
- Organizations SCPs – Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
- Access control lists (ACLs) – Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal entity. ACLs cannot grant permissions to entities within the same account.
- Session policies – Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role or user’s identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions. For more information, see Session Policies.
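How the limiting policy types above (SCPs, permissions boundaries, session policies) combine with an identity-based policy can be sketched as a small evaluator. This is an added example, not code from UTD or AWS: it is a simplified model of same-account requests that leaves out resource-based policies and ACLs, and the bucket name, account ID and sample policies are constructed.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _effects(policy, action, resource):
    """Effects ('Allow'/'Deny') of the statements that match the request."""
    found = set()
    for s in _as_list(policy["Statement"]):
        # Action names are case-insensitive; '*' and '?' act as wildcards.
        act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
        res = any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))
        if act and res:
            found.add(s["Effect"])
    return found

def evaluate(action, resource, identity, scp=None, boundary=None, session=None):
    """Simplified same-account decision; returns (allowed, reason)."""
    layers = [("scp", scp), ("boundary", boundary),
              ("identity", identity), ("session", session)]
    present = [(n, p) for n, p in layers if p is not None]
    for name, pol in present:          # 1. an explicit Deny anywhere wins
        if "Deny" in _effects(pol, action, resource):
            return False, f"explicit deny in {name}"
    for name, pol in present:          # 2. every layer present must Allow
        if "Allow" not in _effects(pol, action, resource):
            return False, f"implicit deny: no allow in {name}"
    return True, "allowed"

def stmt(effect, action, resource="*"):
    return {"Effect": effect, "Action": action, "Resource": resource}

# Constructed sample policies (bucket name and account ID are placeholders).
BUCKET = "arn:aws:s3:::example-research-bucket/*"
SCP = {"Statement": [stmt("Allow", "*"), stmt("Deny", "cloudtrail:StopLogging")]}
IDENTITY = {"Statement": [stmt("Allow", ["s3:*", "cloudtrail:*"])]}
BOUNDARY = {"Statement": [stmt("Allow", ["s3:GetObject", "s3:PutObject"], BUCKET)]}
SESSION = {"Statement": [stmt("Allow", "s3:GetObject", BUCKET)]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-research-bucket/data.csv"
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"
    for a, r, kw in [("s3:GetObject", obj, {}), ("s3:DeleteObject", obj, {}),
                     ("s3:PutObject", obj, {"session": SESSION}),
                     ("cloudtrail:StopLogging", trail, {})]:
        print(a, evaluate(a, r, IDENTITY, scp=SCP, boundary=BOUNDARY, **kw))
```

The identity-based policy grants `s3:*` and `cloudtrail:*`, yet only the requests that every limiting layer also allows succeed, which is the "limit but do not grant" behaviour the list describes.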
IAM Roles
An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. An IAM user can assume a role to temporarily take on different permissions for a specific task. A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM. AWS uses details passed by the identity provider to determine which role is mapped to the federated user.