Amazon Web Services (AWS), Importing Legacy Accounts into the Standard Organization
What is happening?
In an effort to streamline and enhance our AWS environment, we’re planning to incorporate all AWS accounts established before our implementation of AWS Organizations in mid-2022, commonly known as legacy accounts, into the current organization structure. This move is intended to create a more consistent, efficient, and user-friendly AWS experience.
The Cloud Enablement team will handle this migration, ensuring a seamless and efficient transition. They’ll be contacting each account owner personally to discuss the process and update relevant account details. The actual migration of each account will only take a few minutes. However, as we have over 700 AWS accounts to migrate, there may be some time before we reach out to you to initiate your specific migration. Throughout this process, we aim to minimize any disruptions to your day-to-day operations.
This transition to the AWS Organizations structure will bring about changes in your account. This article elaborates on these changes you can expect and the benefits that the new structure will offer.
Contact aws-support@illinois.edu with any questions.
AWS Region Restriction
A restriction on AWS regions will be implemented for efficiency and compliance.
The available regions include:
- us-east-1 (N. Virginia)
- us-east-2 (Ohio)
- us-west-1 (N. California)
- us-west-2 (Oregon)
Please let us know if you are currently using resources in non-US regions. We can manually modify the migration process to disable this restriction.
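The region restriction is normally enforced with a service control policy (SCP) that denies any call whose aws:RequestedRegion is outside the allowed list. The article does not publish the policy the Cloud Enablement team applies, so the block below is an added illustration, not the organization's own SCP: it builds a policy of that shape for the four US regions listed above, and a small evaluator shows which sample calls it would block. The exemption list for region-less services (iam, sts, organizations, support, cloudfront, route53, budgets) is an assumption, as is the set of sample calls.

```python
import json

# Regions that remain usable after migration (from the article).
ALLOWED_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

# Region-less services that an SCP of this shape normally exempts so that
# identity, billing and organization calls keep working. The article does not
# publish the organization's real exemption list; this one is an assumption.
GLOBAL_SERVICE_EXEMPTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*",
]


def build_region_restriction_scp(allowed_regions, exempt_actions):
    """Build a deny-everything-outside-the-list SCP as a plain dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def scp_json(scp):
    """Serialize the policy the way it would be pasted into Organizations."""
    return json.dumps(scp, indent=2)


def _action_matches(pattern, action):
    """Match 'service:Action' against a pattern such as 'iam:*' (case-insensitive)."""
    svc_p, _, act_p = pattern.lower().partition(":")
    svc, _, act = action.lower().partition(":")
    return svc_p == svc and (act_p == "*" or act_p == act)


def is_denied_by_scp(scp, action, requested_region):
    """Evaluate only the explicit-Deny statements of the SCP above.

    A call is denied when its action is not listed in NotAction and the
    value of aws:RequestedRegion is not one of the allowed regions.
    StringNotEquals against a list is true when the key matches none of them.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempted region-less service
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


def simulate(scp, calls):
    """Map each (action, region) pair to 'DENY' or 'PASS'.

    'PASS' only means this SCP does not block the call; the caller's IAM
    permissions still decide the final outcome.
    """
    return {(a, r): ("DENY" if is_denied_by_scp(scp, a, r) else "PASS") for a, r in calls}


# Constructed sample calls, not taken from any real account.
SAMPLE_CALLS = [
    ("ec2:RunInstances", "us-east-2"),
    ("ec2:RunInstances", "eu-west-1"),
    ("s3:CreateBucket", "ap-southeast-1"),
    ("iam:CreateUser", "eu-west-1"),
]

if __name__ == "__main__":
    policy = build_region_restriction_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_EXEMPTIONS)
    print(scp_json(policy))
    for (action, region), verdict in simulate(policy, SAMPLE_CALLS).items():
        print(f"{action:<20} {region:<16} {verdict}")
```

If you run workloads outside the listed regions today, the evaluator makes it easy to see which of your existing API calls would start failing after migration, which is exactly the case the article asks you to report before your account is moved.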
Standard Role Assignments in AWS Accounts
The following standard roles will be created in AWS and AuthMan: Admins, PowerUsers, BusinessOffice, ReadOnly, and Prisma. See the KB articles for details: Granting access to the AWS Console and Adding users to your AWS account.
Legacy-style AD groups for these roles (e.g. AWS-123456789012-Admins) won’t work anymore because the new AuthMan group will take precedence.
During the migration, the new AuthMan groups will be populated with the users from the Legacy-style AD groups.
We recommend removing these AD groups after the migration to avoid future confusion.
Legacy-style AD groups that don’t conflict with these role names (e.g. AWS-123456789012-Foobar) will continue to work.
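Before your migration slot it is worth knowing which of your existing AD groups will be superseded by the new AuthMan groups and which keep working. The block below is an added example, not a tool from the Cloud Enablement team: it applies the naming rule described above (AWS-<account number>-<Role>, with Admins, PowerUsers, BusinessOffice, ReadOnly and Prisma as the reserved role names) to a constructed list of group names and sorts them into "superseded", "unaffected" and "not legacy-style". Role names are compared case-insensitively because AD group names are case-insensitive; the sample account number and group names are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Standard roles created in AWS and AuthMan by the migration (from the article).
STANDARD_ROLES = {"Admins", "PowerUsers", "BusinessOffice", "ReadOnly", "Prisma"}
# AD group names are case-insensitive, so compare role names that way.
_ROLE_BY_LOWER = {r.lower(): r for r in STANDARD_ROLES}

# Legacy naming convention: AWS-<12-digit account number>-<RoleName>
LEGACY_GROUP_RE = re.compile(
    r"^AWS-(?P<account>\d{12})-(?P<role>[A-Za-z0-9]+)$", re.IGNORECASE
)


def classify_legacy_group(group_name: str) -> Tuple[str, Optional[str]]:
    """Return (status, role) for one AD group name.

    status is one of:
      'superseded'  - role is a standard role; the AuthMan group takes
                      precedence after migration, so this group stops working
      'unaffected'  - legacy-style name with a non-standard role; keeps working
      'not-legacy'  - does not follow the AWS-<account>-<Role> pattern
    """
    m = LEGACY_GROUP_RE.match(group_name)
    if not m:
        return ("not-legacy", None)
    role = m.group("role")
    standard = _ROLE_BY_LOWER.get(role.lower())
    if standard is not None:
        return ("superseded", standard)  # canonical spelling of the role
    return ("unaffected", role)


def audit_groups(account_id: str, group_names: List[str]) -> Dict[str, List[str]]:
    """Bucket the groups of one account by their post-migration status.

    Legacy-style groups that name a different account are skipped: they
    belong to someone else's migration.
    """
    report: Dict[str, List[str]] = {"superseded": [], "unaffected": [], "not-legacy": []}
    for name in group_names:
        m = LEGACY_GROUP_RE.match(name)
        if m and m.group("account") != account_id:
            continue
        status, _ = classify_legacy_group(name)
        report[status].append(name)
    return report


# Constructed sample inventory; the account number and names are made up.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_GROUPS = [
    "AWS-123456789012-Admins",
    "AWS-123456789012-Foobar",
    "AWS-123456789012-readonly",
    "AWS-210987654321-Admins",
    "Some-Other-Group",
]

if __name__ == "__main__":
    for status, names in audit_groups(SAMPLE_ACCOUNT, SAMPLE_GROUPS).items():
        print(f"{status}:")
        for n in names:
            print(f"  {n}")
```

Groups in the "superseded" list are the ones whose members will be copied into the new AuthMan groups during migration and which the article recommends removing afterwards; the "unaffected" list is what you can leave in place.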
S3 Logging Bucket Naming Conventions
We have established predefined S3 buckets that are available for logging purposes. We encourage you to use these buckets for a variety of log sources, such as load balancer access logs, VPC flow logs, and CloudFront logs, among others.
The logging buckets are region-specific, named as follows:
- uiuc-logs-<account number>-us-east-1
- uiuc-logs-<account number>-us-east-2
- uiuc-logs-<account number>-us-west-1
- uiuc-logs-<account number>-us-west-2
Please note, if these predefined buckets are deleted for any reason, our automated systems will recreate them.
Additional documentation on logging buckets, including use cases and examples, can be found here: Amazon Web Services (AWS), Logging Buckets
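When wiring a log source to one of these buckets it helps to derive the bucket name from the account number and region rather than typing it, and to check that all four predefined buckets are actually present. The block below is an added example, not code from the article or the logging-buckets documentation it links to: it builds and parses names of the form uiuc-logs-<account number>-<region>, restricted to the four regions listed above, and compares a constructed bucket inventory against the expected set. The account number and the inventory are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regions in which the predefined logging buckets exist (from the article).
LOGGING_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
BUCKET_PREFIX = "uiuc-logs"

_ACCOUNT_RE = re.compile(r"^\d{12}$")
_BUCKET_RE = re.compile(
    r"^uiuc-logs-(?P<account>\d{12})-(?P<region>[a-z]{2}-[a-z]+-\d)$"
)


def logging_bucket_name(account_id: str, region: str) -> str:
    """Return the predefined logging bucket for an account/region pair.

    Raises ValueError for a malformed account id or a region without a
    predefined bucket, so a typo fails loudly instead of pointing a log
    source at a bucket that does not exist.
    """
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    if region not in LOGGING_REGIONS:
        raise ValueError(f"no predefined logging bucket in region {region!r}")
    return f"{BUCKET_PREFIX}-{account_id}-{region}"


def expected_logging_buckets(account_id: str) -> List[str]:
    """All four predefined bucket names for one account, in region order."""
    return [logging_bucket_name(account_id, r) for r in LOGGING_REGIONS]


def parse_logging_bucket(name: str) -> Optional[Tuple[str, str]]:
    """Split a bucket name into (account, region) if it follows the convention."""
    m = _BUCKET_RE.match(name)
    if not m:
        return None
    return (m.group("account"), m.group("region"))


def logging_bucket_report(account_id: str, bucket_names: List[str]) -> Dict[str, List[str]]:
    """Compare an account's bucket inventory with the expected logging buckets.

    'present' and 'missing' follow LOGGING_REGIONS order; 'other' keeps the
    inventory order and also catches look-alike names in unsupported regions.
    """
    expected = expected_logging_buckets(account_id)
    found = set(bucket_names)
    return {
        "present": [b for b in expected if b in found],
        "missing": [b for b in expected if b not in found],
        "other": [b for b in bucket_names if b not in expected],
    }


# Constructed sample inventory; the account number and bucket names are made up.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_BUCKETS = [
    "uiuc-logs-123456789012-us-east-1",
    "uiuc-logs-123456789012-us-west-2",
    "my-app-data",
    "uiuc-logs-123456789012-eu-west-1",  # looks standard but is not a predefined region
]

if __name__ == "__main__":
    for key, names in logging_bucket_report(SAMPLE_ACCOUNT, SAMPLE_BUCKETS).items():
        print(f"{key}: {names}")
```

A bucket that shows up under "missing" will be recreated by the automated systems described above; a name under "other" that resembles the convention but uses an unsupported region is worth a second look, since no predefined bucket exists there.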
Public S3 Bucket Limitations
If your account currently has no public S3 buckets, it will be configured not to allow public S3 buckets (the default configuration for new accounts). If you subsequently have a need to create public S3 buckets, you will need to contact aws-support@illinois.edu with your use case in order to enable public bucket creation.
Encryption Standards for EBS and EFS volumes
EBS encryption by default will be enabled for your account, as described in Amazon Web Services (AWS), EBS Default Encryption. Existing unencrypted volumes and snapshots will continue to work.
AWS Config permission issue
When creating a new AWS Config recorder, you may receive the error 'not authorized to perform: config:PutConfigurationRecorder'. Send an email to aws-support@illinois.edu to request assistance from the cloud team.
Questions can be directed to aws-support@illinois.edu.