AWS Financial Account Management

 

Intended Audience: Amazon Web Services Account Owners and Financial Administrators

Table of Contents

I. Direct Billing Benefits
II. Account Owner Responsibilities
III. Available Tools from Amazon
IV. Reserved Capacity and Billing
V. Additional Recommendations/Best Practices
VI. Appendices

I. Direct Billing Benefits

Direct Billing for Amazon Web Services (AWS) provides three benefits:

  • Ensures coverage under Harvard University's Enterprise Agreement.
  • Leverages Harvard's aggregate service volume to provide volume discounts across all linked accounts.
  • Allows Harvard Affiliated Business Units and Schools to have Amazon monthly services charges passed through on the General Ledger instead of having to track and pay monthly invoices.

II. Account Owner Responsibilities

HUIT Central Billing provides the Direct Billing for Amazon as a convenience for payment processing only.

  • AWS Account Owners have accepted a fiduciary responsibility to manage the charges they incur on Amazon Web Services. 
  • HUIT Central Billing does not perform any financial management or oversight of any linked Amazon Accounts. 
  • HUIT does not send out detailed monthly itemizations of AWS charges. Each AWS Account Owner is responsible for proactively monitoring the AWS charges for their account using the tools that Amazon provides and/or the Amazon Web Service Detail Report available on the HUIT Customer Portal.

III. Available Tools

Amazon provides a few ways to monitor and analyze monthly charges for AWS accounts.

  • Monthly Billing Data: Once an AWS Account is linked up for direct billing, the account owner will no longer receive monthly invoices from Amazon. However, the account owner can still view monthly charges and a breakdown by service in the ‘Billing/Bills’ section.
  • Amazon Cost Explorer: Provides a visual view of current and historical charges, with a breakdown by AWS service. Useful for analyzing growth. If resources in Amazon are tagged using the standard set of supported tags, you can view costs by tag.
  • CloudWatch Alerts: Set up alerts that will send an email if an account's monthly usage exceeds a certain dollar threshold.

HUIT Central Billing provides an Amazon Web Services Detail report on the HUIT Customer Portal. This report provides each HUIT customer with a month-by-month view of total billing for all linked Amazon accounts, subtotals by AWS service and line item detail.

IV. Reserved Capacity and Billing

Amazon provides the ability to purchase reserved capacity in its EC2 environment. Purchasing reserved capacity provides both a capacity guarantee and a significant discount vs on-demand pricing. When computing monthly charges for linked accounts, Amazon uses a blended pricing model which effectively spreads the benefit of reserved instance purchases across all accounts. Amazon also provides unblended costs by account, and HUIT uses these unblended costs to ensure that customers who purchase up-front capacity reservations (Reserved Instances) receive the full benefit of those purchases. However, Amazon account owners will still see the blended costs when using tools such as the Amazon Cost Explorer. To make it easier for customers to reconcile their Amazon costs using Amazon tools, HUIT statements and the GL, each month customers will see a charge for the blended costs as well as a separate charge for the difference between blended and unblended costs.

Itemcode MSO-AMAZON-ALL represents the invoiced cost per AWS account. These charges should be consistent with data you see in the AWS Cost Explorer. 

Itemcode MSO-AMAZON-DEBLEND represents the difference between invoiced cost and the unblended cost. If an AWS account has not purchased any capacity reservations but has taken advantage of reservations purchased by other linked accounts, then this will probably be a small charge. If an AWS account has purchased capacity reservations, then this will probably be a credit (refund).

V. Additional Recommendations

Additionally HUIT Central Billing has the following specific recommendations for large volume AWS Accounts (over $1000 per month):

  1. Ensure that there is at least one individual designated to review the monthly charges for each AWS account. The review process should include checking the current month's charges via the AWS console. Since HUIT bills a month in arrears for all AWS charges, it is recommended that monthly charges be monitored via Amazon -- and not solely based on HUIT statements. Note that Amazon's IAM can be used to provide specific individuals full access to billing information without sharing the AWS account owner credentials.
  2. If a single AWS account is hosting multiple applications/products, consider using AWS tags in order to more easily identify the charges associated with each application/product. When an AWS account is linked up to a master payer account, the set of tags available for cost analysis purposes is controlled by the master payer account. The available tags are identified in appendix I.
  3. Limit the number of individuals who are authorized to provision resources within an AWS account. Implement departmental processes or policies to maintain accountability for all AWS resources.
  4. Use multi-factor authentication for the account owner credentials to reduce the risk of unauthorized access to the AWS account.
  5. Use multi-factor authentication for all IAM users. At a minimum, use multi-factor authentication for any IAM accounts with write-permissions to the AWS Console.
  6. Be especially mindful when working with automatic provisioning/scaling services, high rate or non-symmetric services.
    1. Auto-scaling and automated service provisioning are great benefits of a cloud-based architecture; however, these capabilities can carry with them financial risk if not deployed correctly. Implement reasonable limits, verify their efficacy and analyze potential worst-case costs.
    2. Amazon’s Glacier services are extremely cheap to write to but have a higher (and more complex) fee structure for data retrieval potentially including data transfer and separate retrieval fees. Analyze expected usage patterns and potential costs carefully.
  7. Consider whether Amazon's Reserved Instance or Spot Instance pricing models would make sense for your EC2 workload. Reserved instances allow you to receive a discount for paying for 1 or 3 years in advance. Spot instances allow you to take advantage of unused capacity within EC2 at discounted pricing.
  8. Stay abreast of current Amazon Service tiers and pricing to ensure that you have selected the most appropriate pricing model/tier based on your resource requirements.

For additional questions please email Cloud-Help@harvard.edu

VI. Appendices

Appendix I. Standard Tags available for Cost Analysis

When an AWS account is linked up to a master payer account, the set of tags available for cost analysis (e.g. using the Cost Explorer) is controlled by the master payer account. The following tags are available for account owners to use. There is no need to use all of them; account owners should choose the tags that are useful to them.

Please note that tag names are case-sensitive.

  • owner: Individual responsible for resource
  • department: Department that owns or has responsibility for resource
  • environment: Production, testing, development
  • project: For resources that are associated with a specific project
  • product: Product or application or service
  • subproduct: Component of product or application (implied hierarchical relationship with product)
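Because tag names are case-sensitive, a resource tagged "Owner" does not show up under "owner" in cost analysis. The following added example (not part of the original page) checks resource tags against the standard set above and reports keys that differ only by case or stray whitespace; the resource IDs and tag values are constructed.

```python
# The six tag names listed in Appendix I.
STANDARD_TAGS = {"owner", "department", "environment",
                 "project", "product", "subproduct"}

# Constructed sample: resource id -> tags as they might be returned
# by an inventory export.
RESOURCES = {
    "i-0aaa": {"owner": "alice", "product": "portal"},
    "i-0bbb": {"Owner": "bob", "Environment": "production"},
    "vol-0ccc": {"Name": "scratch"},
    "i-0ddd": {"product": "portal", "Project ": "migration"},
}


def check_tags(resources):
    """Map resource id -> list of problems with its cost-analysis tags."""
    problems = {}
    for rid, tags in resources.items():
        issues = []
        for key in tags:
            if key in STANDARD_TAGS:
                continue
            canonical = key.strip().lower()
            if canonical in STANDARD_TAGS:
                # Near miss: looks like a standard tag but will not match.
                issues.append(f"'{key}' should be '{canonical}'")
        if not any(key in STANDARD_TAGS for key in tags):
            # Charges for this resource cannot be grouped by any standard tag.
            issues.append("no standard cost tag")
        if issues:
            problems[rid] = issues
    return problems


if __name__ == "__main__":
    for rid, issues in check_tags(RESOURCES).items():
        print(rid, "->", "; ".join(issues))
```
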

Appendix II. Monthly Billing Data

Monthly billing data is available via the AWS Console

Screenshot of AWS Console Monthly Billing

Appendix III. Amazon Cost Explorer

Amazon Cost Explorer can be accessed via the AWS Console

Screenshot of AWS Cost Explorer

Appendix IV. CloudWatch Alerts

CloudWatch Alerts can be accessed via the AWS Console. Additional documentation specifically on setting up CloudWatch alerts for Billing is available here.