Intended Audience: Amazon Web Services Account Owners and Financial Administrators
Table of Contents
I. Direct Billing Benefits
II. Account Owner Responsibilities
III. Available Tools from Amazon
IV. Reserved Capacity and Billing
V. Additional Recommendations/Best Practices
VI. Appendices
I. Direct Billing Benefits
Direct Billing for Amazon Web Services (AWS) provides three benefits:
- Ensures coverage under Harvard University's Enterprise Agreement.
- Leverages Harvard's aggregate service volume to provide volume discounts across all linked accounts.
- Allows Harvard Affiliated Business Units and Schools to have Amazon monthly service charges passed through on the General Ledger instead of having to track and pay monthly invoices.
II. Account Owner Responsibilities
HUIT Central Billing provides the Direct Billing for Amazon as a convenience for payment processing only.
- AWS Account Owners have accepted a fiduciary responsibility to manage the charges they incur on Amazon Web Services.
- HUIT Central Billing does not perform any financial management or oversight of any linked Amazon Accounts.
- HUIT does not send out detailed monthly itemizations of AWS charges. Each AWS Account Owner is responsible for proactively monitoring the AWS charges for their account using the tools that Amazon provides and/or the Amazon Web Services Detail Report available on the HUIT Customer Portal.
III. Available Tools
Amazon provides a few ways to monitor and analyze monthly charges for AWS accounts.
Monthly Billing Data | Once an AWS account is linked for direct billing, the account owner will no longer receive monthly invoices from Amazon. However, the account owner can still view monthly charges and a breakdown by service in the ‘Billing/Bills’ section. |
Amazon Cost Explorer | Provides a visual view of current and historical charges, with a breakdown by AWS service. Useful for analyzing growth. If resources in Amazon are tagged using the standard set of supported tags, you can view costs by tag. |
CloudWatch Alerts | Set up alerts that will send an email if an account's monthly usage exceeds a certain dollar threshold. |
HUIT Central Billing provides an Amazon Web Services Detail Report on the HUIT Customer Portal. This report provides each HUIT customer with a month-by-month view of total billing for all linked Amazon accounts, subtotals by AWS service, and line item detail.
IV. Reserved Capacity and Billing
Amazon provides the ability to purchase reserved capacity in its EC2 environment. Purchasing reserved capacity provides both a capacity guarantee and a significant discount versus on-demand pricing.
When computing monthly charges for linked accounts, Amazon uses a blended pricing model, which effectively spreads the benefit of reserved instance purchases across all accounts. Amazon also provides unblended costs by account, and HUIT uses these unblended costs to ensure that customers who purchase up-front capacity reservations (Reserved Instances) receive the full benefit of those purchases. However, Amazon account owners will still see the blended costs when using tools such as the Amazon Cost Explorer.
To make it easier for customers to reconcile their Amazon costs across Amazon tools, HUIT statements and the GL, each month customers will see a charge for the blended costs as well as a separate charge for the difference between blended and unblended costs.
Itemcode MSO-AMAZON-ALL represents the invoiced cost per AWS account. These charges should be consistent with the data you see in the AWS Cost Explorer.
Itemcode MSO-AMAZON-DEBLEND represents the difference between the invoiced cost and the unblended cost. If an AWS account has not purchased any capacity reservations but has taken advantage of reservations purchased by other linked accounts, then this will probably be a small charge. If an AWS account has purchased capacity reservations, then this will probably be a credit (refund).
V. Additional Recommendations
Additionally, HUIT Central Billing has the following specific recommendations for large volume AWS Accounts (over $1000 per month):
- Ensure that there is at least one individual designated to review the monthly charges for each AWS account. The review process should include checking the current month's charges via the AWS console. Since HUIT bills a month in arrears for all AWS charges, it is recommended that monthly charges be monitored via Amazon -- and not solely based on HUIT statements. Note that Amazon's IAM can be used to provide specific individuals full access to billing information without sharing the AWS account owner credentials.
- If a single AWS account is hosting multiple applications/products, consider using AWS tags in order to more easily identify the charges associated with each application/product. When an AWS account is linked up to a master payer account, the set of tags available for cost analysis purposes is controlled by the master payer account. The available tags are identified in appendix I.
- Limit the number of individuals who are authorized to provision resources within an AWS account. Implement departmental processes or policies to maintain accountability for all AWS resources.
- Use multi-factor authentication for the account owner credentials to reduce the risk of unauthorized access to the AWS account.
- Use multi-factor authentication for all IAM users. At a minimum, use multi-factor authentication for any IAM accounts with write-permissions to the AWS Console.
- Be especially mindful when working with automatic provisioning/scaling services, high rate or non-symmetric services.
  - Auto-scaling and automated service provisioning are great benefits of a cloud based architecture; however these capabilities can carry with them financial risk if not deployed correctly. Implement reasonable limits, verify their efficacy and analyze potential worst case costs.
  - Amazon’s Glacier services are extremely cheap to write to but have a higher (and more complex) fee structure for data retrieval potentially including data transfer and separate retrieval fees. Analyze expected usage patterns and potential costs carefully.
- Consider whether Amazon's Reserved Instance or Spot Instance pricing models would make sense for your EC2 workload. Reserved instances allow you to receive a discount for paying for 1 or 3 years in advance. Spot instances allow you to take advantage of unused capacity within EC2 at discounted pricing.
- Stay abreast of current Amazon Service tiers and pricing to ensure that you have selected the most appropriate pricing model/tier based on your resource requirements.
For additional questions please email Cloud-Help@harvard.edu
VI. Appendices
Appendix I. Standard Tags available for Cost Analysis
When an AWS account is linked up to a master payer account, the set of tags available for cost analysis (e.g., using the Cost Explorer) is controlled by the master payer account. The following tags are available for account owners to use. There is no need to use all of them; account owners should choose the tags that are useful to them.
Please note that tag names are case-sensitive.
owner | Individual responsible for resource |
department | Department that owns or has responsibility for resource |
environment | Production, testing, development |
project | For resources that are associated with a specific project |
product | Product or application or service |
subproduct | Component of product or application (implied hierarchical relationship with product) |
Appendix II. Monthly Billing Data
Monthly billing data is available via the AWS Console.
Appendix III. Amazon Cost Explorer
Amazon Cost Explorer can be accessed via the AWS Console.
Appendix IV. CloudWatch Alerts
CloudWatch Alerts can be accessed via the AWS Console. Additional documentation specifically on setting up CloudWatch alerts for Billing is available here.