One of the requirements of our partner agreement with AWS is that we “own” the payer account for all AWS accounts where we are the reseller. This applies regardless of the procurement route – G-Cloud, OCRE, OGVA or direct award. Many of the members we speak to are nervous about this requirement because they are worried that it gives Jisc too much access to their AWS resources.
In this blog I’ll outline what “owning” the payer account means and what we can do to reassure you that we won’t abuse that ownership.
What is the payer account?
AWS Organizations is the AWS service that allows customers to manage and govern multiple AWS accounts centrally. As an AWS partner, we also use AWS Organizations to manage the member and customer AWS accounts that we resell.
At the root of an AWS Organization is a payer account (in current AWS terminology, the management account). The payer account is used both to manage the Organization and as the point of billing for all the accounts in that Organization. Other accounts within the AWS Organization are called linked accounts (AWS now calls them member accounts). Linked account bills are consolidated to the payer account and paid from there.
To put it another way, the payer account is exactly what it suggests – the AWS account that is responsible for paying the bills. In line with AWS best practice, payer accounts should only be used for billing and management purposes. All real work should be undertaken in separate linked accounts.
Why do Jisc need to own the payer account?
When you buy AWS from us, we are responsible for paying the invoices raised by AWS; we then invoice you for your AWS consumption and any associated managed services and/or other services.
As a membership organisation, we trust our members to pay their bills and we consider non-payment of invoices by our members to be a very low risk. However, AWS require all their partners, including Jisc, to have control of the payer accounts for their customers to prevent any unpaid runaway usage. Owning the payer account means that AWS partners, including Jisc, have break glass access to accounts they are responsible for.
What does “Jisc owns the payer account” mean in practice?
There is not much to it. All AWS accounts have a ‘root’ user and that user has an email address associated with it. When using Jisc as a reseller, the payer account root user email address must be one controlled by Jisc and in the jisc.ac.uk domain. Jisc are also required to hold the credentials for that account. We protect all root users with a hardware MFA token and a strong password. The MFA token and password are held securely by separate groups within Jisc. No single person has access to both the password and the MFA token, creating a “two key holders” approach to payer account root user access.
If Jisc do not trust us to pay the bills, why should we trust you with the payer account?
It is a reasonable question to ask. We can only reassure you that this is not a question of trust. It is a requirement of our AWS partner reseller agreement and is designed to limit our liability. All AWS partners are required to operate in this way.
What about linked accounts? Do we need to update them too?
No. Jisc only need to own the payer account. All other AWS accounts that are part of your AWS Organization remain unchanged. This means that linked account root user emails will remain unchanged and you are free to manage them as you like. Where customers are taking a managed service from Jisc, we may manage the root user credentials and MFA on your behalf, but this is not required.
What happens if we need access to our payer account?
In line with AWS best practice, for day-to-day management of your AWS account you should use IAM users and roles. For any Jisc members that are bringing accounts to Jisc, we recommend creating suitable administrative IAM users before migration if you do not already have them. On the rare occasion that you require access to the payer account root user, for example to change the account name, Jisc will work with you to make the changes. Remember that we only need to own the root user on the payer account, not the root users of linked accounts.
Is there another way?
Jisc manage AWS Organizations for both OCRE and G-Cloud customers. The payer account for these is already set up under Jisc. You have the option of bringing accounts into these AWS Organizations without any changes.
I’m still not sure, is there anything else you can do to reassure me?
AWS provide CloudTrail audit logs that can be used by you and your security team to monitor access to the root user. We have created a Lambda function that you can deploy with CloudFormation. This function is triggered by root user logins and can email you, your security team and your ops team should the root user be accessed. In this way you can monitor our promise that we will not use the payer account and that, if we do, it is only with your permission. The Lambda function is based on a blog post from AWS and our take on it is available on GitHub.
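As an illustration of the detection logic such a function needs, here is an added example. It is not Jisc's Lambda function and not the AWS blog post it is based on; it is a small, offline-runnable classifier for CloudTrail records. CloudTrail marks everything the root user does with userIdentity.type == "Root", and a console sign-in is a ConsoleLogin event carrying the outcome in responseElements.ConsoleLogin and the MFA state in additionalEventData.MFAUsed. The example goes slightly beyond the post by flagging root API calls as well as console sign-ins, and by treating failed root sign-in attempts as alert-worthy. The account ID, IP addresses and timestamps in the sample records are constructed placeholders, and handle_eventbridge_event is a hypothetical handler shape, not code from the GitHub repository.

```python
"""Detect AWS root-user activity in CloudTrail records.

Added example: not Jisc's Lambda function and not the AWS blog post it is
based on.  Sample records, account ID 111122223333, IP addresses and
timestamps are constructed placeholders.
"""
from typing import Optional


def root_activity(record: dict) -> Optional[dict]:
    """Return a summary if this CloudTrail record was produced by the root
    user, otherwise None.  CloudTrail sets userIdentity.type == "Root" on
    every root action, console or API."""
    identity = record.get("userIdentity") or {}
    if identity.get("type") != "Root":
        return None
    summary = {
        "account": identity.get("accountId"),
        "event": record.get("eventName"),
        "source": record.get("eventSource"),
        "time": record.get("eventTime"),
        "source_ip": record.get("sourceIPAddress"),
        "console_login": None,   # "Success" / "Failure" for ConsoleLogin events
        "mfa_used": None,        # True / False for ConsoleLogin events
    }
    if record.get("eventName") == "ConsoleLogin":
        summary["console_login"] = (record.get("responseElements") or {}).get("ConsoleLogin")
        summary["mfa_used"] = (record.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
    return summary


def scan(records: list) -> list:
    """Return summaries for every root-user record, in input order."""
    return [s for s in (root_activity(r) for r in records) if s is not None]


def format_alert(summary: dict) -> str:
    """One-line alert text, e.g. for an email subject line."""
    if summary["console_login"] is not None:
        outcome = "console sign-in %s (MFA %s)" % (
            summary["console_login"].lower(),
            "used" if summary["mfa_used"] else "NOT used")
    else:
        outcome = "API call %s via %s" % (summary["event"], summary["source"])
    return "ROOT USER ACTIVITY in account %s: %s from %s at %s" % (
        summary["account"], outcome, summary["source_ip"], summary["time"])


def handle_eventbridge_event(event: dict) -> Optional[str]:
    """Hypothetical handler shape for a Lambda fed by an EventBridge rule on
    CloudTrail events: the CloudTrail record sits under event["detail"].
    Returns the alert text (a real function would send it via SNS/SES), or
    None for non-root events."""
    summary = root_activity(event.get("detail") or {})
    return format_alert(summary) if summary else None


# Constructed sample records.
SAMPLE_RECORDS = [
    {   # IAM user sign-in: must be ignored
        "eventTime": "2023-03-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "ops-admin"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # root sign-in with MFA: what a "two key holders" access looks like
        "eventTime": "2023-03-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # failed root sign-in attempt: worth alerting on as well
        "eventTime": "2023-03-01T09:06:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # root API call that is not a console sign-in
        "eventTime": "2023-03-01T09:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(format_alert(hit))
```

Two practical points when wiring this up for real. First, the EventBridge rule that triggers the function should match on detail.userIdentity.type equal to "Root" rather than on the event name alone, so that API calls made with root access keys are caught, not just console sign-ins. Second, console sign-in and IAM events are global service events; depending on how your trail and rules are configured they may only be delivered in us-east-1, so confirm in your own CloudTrail where a root ConsoleLogin actually appears before relying on a rule deployed in another region.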