Using AWS at U-M
U-M has an enterprise agreement with AWS that provides reduced rates and a waiver of the normal data retrieval (or “egress”) charges. To participate in the enterprise agreement, U-M users must sign up for accounts via the U-M MCloud service.
AWS has extensive documentation covering all aspects of deploying and using its services. Below is a set of quick tips for getting started with various AWS resources. These are general items to keep in mind; U-M also has documentation on how to get started.
Create an “administrator” group that has full access to all resources and to management of the account.
Create a “user” group that has access only to the resources you define. Add policy templates as needed. Be sure to include access to IAM so users can change their own passwords and set up other IAM service tools.
Create an account for administrative purposes and assign it to the “administrator” group. Use this account for almost all of your management activities. There is a special sign-in URL assigned to your project, “id#”.???.aws.amazon.com, that the users defined below will use to log in.
Now create user accounts and assign them to the “user” group.
Each user should then log in with their own username and create their own resources. They should also create their own access key ID and secret access key pair under IAM; this allows them remote access to various resources via command-line applications and APIs.
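The IAM steps above hinge on one policy detail: members of the “user” group need enough IAM access to rotate their own password and access keys, but not enough to touch anyone else's. The following is an added example, not part of this page or of any U-M-provided template. It builds such a self-service policy using the `${aws:username}` policy variable (which IAM resolves to the calling user's name) and includes a small evaluator so you can check what the document grants before attaching it. The evaluator is a simplification (Allow/Deny and `*` wildcards only, no conditions) and the account number `123456789012` is a constructed placeholder.

```python
"""Least-privilege IAM policy letting users manage only their own credentials,
plus a tiny evaluator to sanity-check what the policy grants before attaching it.
Added example: not U-M's or AWS's code; the account id below is a placeholder."""
import json
import re

# Actions a user needs to rotate their own password and access keys.
SELF_SERVICE_ACTIONS = [
    "iam:ChangePassword",
    "iam:GetUser",
    "iam:CreateAccessKey",
    "iam:DeleteAccessKey",
    "iam:ListAccessKeys",
    "iam:UpdateAccessKey",
    "iam:GetAccessKeyLastUsed",
]


def self_service_policy() -> dict:
    """Build the policy document. IAM substitutes ${aws:username} with the caller's
    user name at request time, so each user is confined to their own user ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ViewAccountPasswordPolicy",
                "Effect": "Allow",
                "Action": "iam:GetAccountPasswordPolicy",
                "Resource": "*",
            },
            {
                "Sid": "ManageOwnCredentials",
                "Effect": "Allow",
                "Action": SELF_SERVICE_ACTIONS,
                "Resource": "arn:aws:iam::*:user/${aws:username}",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style matching where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def allows(policy: dict, action: str, resource: str, username: str) -> bool:
    """Minimal evaluator: explicit Deny wins, otherwise any matching Allow grants.
    Conditions are ignored; use the IAM policy simulator for the real answer."""
    decision = False
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        resources = [r.replace("${aws:username}", username) for r in _as_list(st["Resource"])]
        if any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources):
            if st["Effect"] == "Deny":
                return False
            decision = True
    return decision


def overly_broad(policy: dict) -> list:
    """Return the Sids of Allow statements that grant a wildcard action on all
    resources; the 'user' group policy should never contain one of these."""
    flagged = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        wildcard_action = any(a in ("*", "iam:*") for a in _as_list(st["Action"]))
        if wildcard_action and "*" in _as_list(st["Resource"]):
            flagged.append(st.get("Sid", "<no sid>"))
    return flagged


if __name__ == "__main__":
    policy = self_service_policy()
    print(json.dumps(policy, indent=2))
    own = "arn:aws:iam::123456789012:user/alice"      # placeholder account id
    other = "arn:aws:iam::123456789012:user/bob"
    print("alice can change own password:", allows(policy, "iam:ChangePassword", own, "alice"))
    print("alice can change bob's password:", allows(policy, "iam:ChangePassword", other, "alice"))
    print("overly broad statements:", overly_broad(policy))
```

Paste the printed JSON into a customer-managed policy attached to the “user” group. Running `overly_broad()` over any policy you hand-write for that group is a quick guard against accidentally granting `iam:*` or `*` on all resources, which would collapse the distinction between the “user” and “administrator” groups.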
Since each EC2 instance has its own EBS volume, users should create a dedicated EBS volume to hold their data and applications. This volume can then be attached to whichever instance needs it (one instance at a time), which makes the data portable. This is especially helpful when using Spot instances.
Create a small instance to configure the OS and the applications, libraries, or other tools you need for your work. Save this as a snapshot and then as an Amazon Machine Image (AMI) in your own library. Use this AMI when deploying compute instances so you do not have to spend time reconfiguring.
Learn about deploying, using, and managing Spot instances. These have the potential to cost as little as ⅕ of the price of on-demand instances.
You are charged for a running node regardless of whether your job is finished. If you are not going to actively monitor your jobs for completion, we suggest running them via a script that emails you when the job is finished and then perhaps powers off the node. This is one reason to write data to a separate data EBS volume instead of the instance volume: when Spot instances are stopped, they are destroyed, including any data on that volume.
Consider adding billing alerts so that if total usage exceeds a certain dollar amount, you will be alerted via email.
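The job-wrapper idea above (write to the data volume, email on completion, optionally power off) can be expressed as a small script. The following is an added example, not a script provided by U-M or AWS. It assumes the data EBS volume is mounted at the directory you pass as `data_dir` and that a local `mail` command is configured on the instance; the `require_mount` check refuses to start if that directory is not a mount point, so output cannot silently land on the instance volume that disappears with a reclaimed Spot instance. The node is powered off only after a successful run, so a failed job leaves the instance up for inspection.

```python
"""Wrapper for a long-running batch job on an EC2 instance: keep output on the
data EBS volume, notify by e-mail when done, and optionally power off the node.
Added example, not U-M or AWS code. Assumes `mail` is configured on the instance."""
import datetime
import os
import subprocess
from typing import Callable, Sequence


def mail_notify(to_addr: str, subject: str, body: str) -> None:
    """Send a notification through the local `mail` command (assumed to be set up)."""
    subprocess.run(["mail", "-s", subject, to_addr], input=body.encode(), check=False)


def run_job(cmd: Sequence[str], data_dir: str, to_addr: str,
            notify: Callable[[str, str, str], None] = mail_notify,
            poweroff: bool = False, require_mount: bool = True) -> int:
    """Run cmd with data_dir as its working directory and return its exit status.

    With require_mount=True the wrapper refuses to start unless data_dir is a
    mount point, i.e. the attached data EBS volume rather than the root disk.
    """
    if require_mount and not os.path.ismount(data_dir):
        raise RuntimeError(f"{data_dir} is not a mounted volume; attach the data EBS volume first")
    os.makedirs(data_dir, exist_ok=True)
    log_path = os.path.join(data_dir, "job.log")

    started = datetime.datetime.now(datetime.timezone.utc)
    with open(log_path, "ab") as log:
        # stdout and stderr go to the log on the data volume, not the console.
        rc = subprocess.run(list(cmd), cwd=data_dir, stdout=log,
                            stderr=subprocess.STDOUT).returncode
    finished = datetime.datetime.now(datetime.timezone.utc)

    status = "succeeded" if rc == 0 else f"failed (exit {rc})"
    body = (f"Command: {' '.join(cmd)}\n"
            f"Started:  {started:%Y-%m-%d %H:%M:%S} UTC\n"
            f"Finished: {finished:%Y-%m-%d %H:%M:%S} UTC\n"
            f"Log: {log_path}\n")
    notify(to_addr, f"AWS job {status}", body)

    # Power off only after success; a failed job leaves the node up for debugging.
    if poweroff and rc == 0:
        subprocess.run(["sudo", "poweroff"], check=False)
    return rc


if __name__ == "__main__":
    # Hypothetical invocation: replace the command, mount point and address.
    run_job(["./my_analysis.sh"], "/data", "uniqname@umich.edu", poweroff=True)
```

Invoke it under `nohup` or a terminal multiplexer so the wrapper survives your SSH session ending; the notification is what tells you the node can go away, which is exactly the point the tip above makes about not paying for idle instances.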
Since EC2 is not a U-M IT-managed service, you are on your own for maintaining the security of your instances. Please follow these minimum suggested tips to keep your instances safe.
AWS uses SSH key pairs for remote SSH login. Be sure to keep your private keys safe.
To protect your instances from possible attack, we suggest creating a “Security Group” with firewall rules that allow access only from specific IP addresses and networks.
For U-M wired networks, add the following:
For off-campus U-M locations, contact your local IT group for your particular network.
If you intend to work from home, you should add that IP address as well. A sample for a home router IP address of 100.101.102.103 would look like the one below.
Be advised that this address may not stay fixed, depending on your service provider's policies. If you suddenly lose the ability to connect remotely, your IP address has likely changed.
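To make the security-group advice above concrete, here is an added example (not code from this page, U-M, or AWS) that builds a port 22 ingress rule in the `IpPermissions` shape that boto3's `authorize_security_group_ingress()` accepts, validates each source with the standard library's `ipaddress` module, and refuses `0.0.0.0/0`. It also includes a `covers()` check for the situation in the last tip: when you can no longer connect, compare your current address against the rules to see whether your home IP has changed. The campus range `192.0.2.0/24` is a documentation placeholder standing in for the actual U-M wired network ranges, and the home address is the page's sample `100.101.102.103`.

```python
"""Build an EC2 security-group SSH ingress rule limited to named networks and
check whether a given client address is still covered by it.
Added example, not U-M or AWS code. 192.0.2.0/24 is a placeholder range."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

SSH_PORT = 22


def to_cidr(addr_or_net: str) -> str:
    """Normalise '100.101.102.103' to '100.101.102.103/32', reject malformed
    networks (host bits set), and refuse a rule that opens SSH to the internet."""
    net = ipaddress.ip_network(addr_or_net, strict=True)
    if net.version != 4:
        raise ValueError(f"only IPv4 sources are handled here: {addr_or_net}")
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 would expose SSH to every host on the internet")
    return str(net)


def ssh_ingress(sources: Iterable[Tuple[str, str]]) -> List[Dict]:
    """Return the IpPermissions list for authorize_security_group_ingress()."""
    ranges = [{"CidrIp": to_cidr(cidr), "Description": label} for label, cidr in sources]
    return [{"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
             "IpRanges": ranges}]


def covers(permissions: List[Dict], client_ip: str) -> bool:
    """True if some tcp/22 rule range contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for perm in permissions:
        if perm["IpProtocol"] != "tcp":
            continue
        if not perm["FromPort"] <= SSH_PORT <= perm["ToPort"]:
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


if __name__ == "__main__":
    rules = ssh_ingress([
        ("campus wired (placeholder range)", "192.0.2.0/24"),
        ("home router", "100.101.102.103"),
    ])
    print(rules)
    # Apply with boto3 (not run here):
    #   boto3.client("ec2").authorize_security_group_ingress(
    #       GroupId="sg-PLACEHOLDER", IpPermissions=rules)
    print("home still covered:", covers(rules, "100.101.102.103"))
    print("new ISP address covered:", covers(rules, "100.101.102.104"))
```

Because `to_cidr()` uses `strict=True`, a typo such as `10.0.0.1/24` is rejected instead of silently widening to a whole subnet, and a `/0` never reaches the API call. When your provider hands you a new address, `covers()` returning `False` is the confirmation that you need to update the rule rather than chase an instance problem.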