Amazon Web Services (AWS), Importing Legacy Accounts into the Standard Organization
What is happening?
In an effort to streamline and enhance our AWS environment, we’re planning to incorporate all AWS accounts established before our implementation of AWS Organizations in mid-2022, commonly known as legacy accounts, into the current organization structure. This move is intended to create a more consistent, efficient, and user-friendly AWS experience.
The Cloud Enablement team will handle this update, ensuring a seamless and efficient transition. The process will be completed in batches, so you may not notice changes immediately. Once your account has been updated, the first change you should notice is the addition of new roles, as listed below in the standard role assignment section.
This transition to the AWS Organizations structure will bring about changes in your account. This article describes the changes you can expect and the benefits that the new structure will offer.
Contact aws-support@illinois.edu with any questions.
AWS Region Restriction
A restriction on AWS regions will be implemented for efficiency and compliance.
The available regions include:
- us-east-1 (N. Virginia)
- us-east-2 (Ohio)
- us-west-1 (N. California)
- us-west-2 (Oregon)
Please let us know if you are currently using resources in non-US regions. We can manually modify the migration process to disable this restriction.
Standard Role Assignments in AWS Accounts
The following standard roles will be created in AWS and AuthMan: Admins, PowerUsers, BusinessOffice, ReadOnly, and Prisma. See the KB article for details: Granting access to the AWS Console and Adding users to your AWS account.
Legacy-style AD groups for these roles (e.g. AWS-123456789012-Admins) won’t work anymore because the new AuthMan group will take precedence.
During the update, the new AuthMan groups will be populated with the users from the Legacy-style AD groups.
We recommend removing these AD groups after the migration to avoid future confusion.
Legacy-style AD groups that don’t conflict with these role names (e.g. AWS-123456789012-Foobar) will continue to work.
S3 Logging Bucket Naming Conventions
We have established predefined S3 buckets that are available for logging purposes. We encourage you to use these buckets for a variety of purposes, such as load balancer logs, VPC flow logs, and CloudFront logs, among others.
The logging buckets are region-specific, named as follows:
- uiuc-logs-<account number>-us-east-1
- uiuc-logs-<account number>-us-east-2
- uiuc-logs-<account number>-us-west-1
- uiuc-logs-<account number>-us-west-2
Please note, if these predefined buckets are deleted for any reason, our automated systems will recreate them.
Additional documentation on logging buckets, including use cases and examples, can be found here: Amazon Web Services (AWS), Logging Buckets
Public S3 Bucket Limitations
If your account currently has no public S3 buckets, it will be configured not to allow public S3 buckets (the default configuration for new accounts). If you subsequently have a need to create public S3 buckets, you will need to contact aws-support@illinois.edu with your use case in order to enable public bucket creation.
Encryption Standards for EBS and EFS volumes
EBS Encryption by default will be enabled for your account, as described in Amazon Web Services (AWS), EBS Default Encryption. Existing unencrypted volumes and snapshots will continue to work.
This can cause issues if you use Terraform to deploy EC2 instances. As mentioned, existing volumes will continue to work, but your Terraform configuration will need to be updated to make sure EBS volumes are encrypted on creation or attachment.
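One way to find the Terraform resources this affects is to inspect the JSON form of a plan (`terraform show -json`) for volumes that do not explicitly set `encrypted = true`. This is an added example, not code from the Cloud Enablement team: the sample plan is constructed, the function name `unencrypted_volumes` is hypothetical, and only `aws_ebs_volume` resources and `aws_instance` block devices are checked.

```python
import json

# Constructed sample shaped like the output of `terraform show -json plan.out`.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"size": 100, "encrypted": true}}},
    {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"size": 20},
                "after_unknown": {"encrypted": true}}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["create"], "after": {
        "root_block_device": [{"volume_size": 30, "encrypted": false}],
        "ebs_block_device": [{"device_name": "/dev/sdf", "encrypted": true}]}}},
    {"address": "aws_instance.old", "type": "aws_instance",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
""")

INSTANCE_BLOCKS = ("root_block_device", "ebs_block_device")


def unencrypted_volumes(plan):
    """Return plan addresses of EBS volumes not explicitly set to encrypted = true."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        # Only resources being created or updated have an "after" state to check.
        if after is None or not {"create", "update"} & set(change.get("actions", [])):
            continue
        if rc["type"] == "aws_ebs_volume":
            # A missing key means the setting is left to the provider or account default.
            if after.get("encrypted") is not True:
                findings.append(rc["address"])
        elif rc["type"] == "aws_instance":
            # Only block devices declared in the configuration are inspected.
            for block in INSTANCE_BLOCKS:
                for i, dev in enumerate(after.get(block) or []):
                    if dev.get("encrypted") is not True:
                        findings.append(f"{rc['address']}.{block}[{i}]")
    return findings

if __name__ == "__main__":
    for address in unencrypted_volumes(SAMPLE_PLAN):
        print("encrypted is not explicitly true:", address)
```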
AWS Config permission issue
When creating a new Config, you may receive an error of 'not authorized to perform: config:PutConfigurationRecorder.' Send an email to aws-support@illinois.edu to request assistance from the cloud team.
Default Budget Creation
A default budget of $500 will be created in your account alongside a budget alert that notifies Admin and Business contacts when reaching 80% of said budget and again when reaching 300%. This budget can be edited.
Questions can be directed to aws-support@illinois.edu.
