Establishing Your AWS Account

Establishing an AWS account under the UC Agreement

A UC-wide agreement for Amazon Web Services (AWS) has been established.

It is necessary that you complete all of the following steps to ensure an AWS account for UCSF business is covered under this agreement and in compliance with UC policy and the law.

  1. Understand Appropriate Use
  2. Create an AWS Account
  3. Generate a Purchase Order Number
  4. Activate your AWS Account
  5. Connect AWS Account to UC Agreement and Purchase Order Number
  6. Register AWS Account with PHI
  7. IT Security Review

1. Understand Appropriate Use

Review the following documents to understand the applicable terms and conditions, and allowable data use for AWS:

  • University of California AWS Enterprise Customer Agreement
  • Determine whether the data you are working with should be hosted in the cloud.
  • AWS has a core set of secure services, but it is up to each user to implement appropriate security controls and to comply with applicable University policies, notably policies relating to the protection of University data, electronic data security policies, and the UC Electronic Communications Policy. Under AWS’s Shared Responsibility Model, security and compliance is a shared responsibility between AWS and the AWS customer. Some of your responsibilities include, but are not limited to, patching, configuration management, logging, and monitoring. All applications must be reviewed by the IT Security Risk Management team. Please contact SOM Tech if you are planning on using AWS for sensitive or restricted data under the UCSF Data Classification Standard. SOM Tech provides free guidance and information in the areas of billing, procurement, AWS account creation, IT security review, legal and privacy issues, AWS org structure, and vendors.
  • In order to cover your location’s AWS accounts under the terms of the UC AWS Enterprise Agreement (EA) and HIPAA Business Associate Agreement (BAA), follow the instructions found on the UCOP website (PDF).

2. Create an AWS Account

If you have previously established an AWS account for UCSF business, then skip this step and continue to step 3, Generate a Purchase Order Number.

If this is your first time establishing an AWS account for UCSF business, follow the instructions below.

Create your account with AWS

  1. Use your UCSF email address to create a new Amazon login and password by selecting “I am a new user.”
  2. Provide the requested information.
  3. Completion of the AWS account creation process will generate your 12-digit AWS account number.

Following the process above enables UCSF faculty and staff to create an AWS account without providing a credit card. Do not provide a credit card.

3. Generate a Purchase Order Number

Please contact your department procurement specialist or UCSF Procurement for information on creating your purchase order.

4. Activate your AWS Account

You will receive an email response from AWS confirming your AWS account is now set up for invoicing under the UC AWS agreement and providing final instructions to activate your account. Follow the instructions in the AWS activation email and your account will be active and ready for use.

5. Connect AWS Account to UC Agreement and Purchase Order Number

UC has a systemwide contract with Amazon Web Services (AWS). Our agreement also provides a Data Egress Fee waiver for up to 15% of total monthly AWS fees. The data egress waiver applies under the following parameters:

  1. Applies to fees for transfer of data from AWS to the Internet, and not fees for transfer of data within or between AWS services.
  2. Applies to all UC AWS accounts covered under the UC-wide AWS Agreement, except those accounts used for:
    1. Commercial Web Hosting
    2. Media Streaming
    3. Massive Open Online Courses (MOOCs)
  3. 80%+ of data egress under the account must be via an approved National Research and Education Network (NREN). This includes CENIC and Internet2, so normal UC usage meets this requirement.

Email UC’s AWS account representative, Matt Jamieson, to:

  1. Activate your new AWS account (if pertinent)
  2. Include your AWS account under the terms of the UC-wide AWS agreement
  3. Connect your AWS account to your newly created UCSF AWS Purchase Order number
  4. Establish monthly invoicing for billable activity under your AWS account

Include the following information in your email:

  • AWS 12-Digit Account Number
  • UCSF Purchase Order Number
  • Company Name = University of California, San Francisco (UCSF)
  • Your Name
  • Include this account in the UC-wide AWS agreement and the UC data egress waiver program.

Note: You will not be able to access AWS services until you receive a response from AWS (see below) confirming your account has been set up.

6. Register AWS Account with PHI

If your AWS account will be processing, storing, or transmitting Protected Health Information (PHI) as defined by HIPAA, you must take the additional step of registering your account under the AWS UCOP BAA. Email [email protected] with the following information and cc Matt Jamieson:

  1. The 12-digit AWS account ID
  2. Whether this account is an addition or removal from the BAA.
  3. The name of the UC campus with which the account is primarily associated.
  4. The name, role, and institution email address of the security point of contact for the above account. (This is the point of contact who would be alerted in the event of a HIPAA-reportable event.)

Once AWS has replied that the request has been fulfilled, retain this email as confirmation that your request was completed.

Always employ due care when processing, transmitting, or storing sensitive information. See the UCSF Data Classification Standard for guidance; SSNs, credit card numbers, and other personal information must never be stored in AWS. It is up to each user to implement appropriate security controls and to comply with applicable University policies, notably policies relating to the protection of University data, electronic data security policies, and the UC Electronic Communications Policy.

7. IT Security Review

Please be aware that you maintain responsibility for restricted data protection in the cloud. Your application must be reviewed by the IT Security Risk Management team. Please email SOM Tech if you would like more information about IT security review. SOM Tech provides free guidance and information in the areas of billing, procurement, AWS account creation, IT security review, legal and privacy issues, AWS org structure, and vendors.
