Getting Started With Your AWS Account

Your account is ready when you receive the provisioning confirmation email from the Cloud Team. Follow the steps below to get set up.


Step 1 — Sign In

  1. Go to aws.cloud.ucsb.edu.
  2. Sign in with your UCSB NetID and password (Shibboleth SSO).
  3. On the AWS access portal, select your account name from the list.
  4. Choose a permission set:
    • PowerUser for day-to-day work
    • Administrator for IAM or billing tasks (use sparingly)
  5. Click Management Console to open the AWS Console.

Step 2 — Review Your Default Roles

Four IAM roles are pre-created in every account. You do not need to create IAM users or local passwords — all access is federated through UCSB Shibboleth.

Role                                    What It Can Do
--------------------------------------  ------------------------------------------------------------
Administrator (ucsb-idp-administrator)  Full access to all AWS services and resources, including IAM
PowerUser (ucsb-idp-poweruser)          Full access to AWS services; cannot manage IAM
ReadOnly (ucsb-idp-readonly)            View resource configurations and security posture
Billing (ucsb-idp-billing)              View billing and cost data only

Use PowerUser for day-to-day work. Reserve Administrator for IAM changes and initial setup.

Adding and Removing Users

Use the “Manage Group Tags” tool at im.ucsb.edu:

  1. Log in with your UCSB NetID.
  2. Go to Admin Tools → Manage Group Tags.
  3. Find the group for your account role (e.g., ucsb-idp-administrator-123456789012).
  4. Owners can add and remove Members. Members are authorized for the role.

Only account owners have permission to add members. Owners are not granted the role themselves — add yourself as a member if you also want access.


Step 3 — Review Guardrails

Policy controls (SCPs) are applied at the organization level and cannot be modified at the account level. Before building, familiarize yourself with the key restrictions on the Guardrails page so you do not encounter unexpected Access Denied errors.


Step 4 — Configure Networking

If your request included campus network connectivity:

  1. Navigate to VPC → Your VPCs to confirm your VPC exists.
  2. Check VPC → Transit Gateway Attachments to confirm it is attached.
  3. Contact the Cloud Team (ServiceNow) if the VPC or attachment is missing.

If you only need internet access and no campus connectivity, a standalone VPC can be deployed via the Service Catalog.


Step 5 — Deploy Your First Resource

Use the Service Catalog to deploy pre-approved infrastructure templates. This is the fastest way to get compliant resources up and running.

For custom infrastructure, the AWS Console and CLI are both available. CLI access requires configuring the AWS SSO credential helper:

aws configure sso --profile my-ucsb-account
# SSO start URL: https://aws.cloud.ucsb.edu
# SSO region: us-east-1
# Choose your account and role when prompted
aws s3 ls --profile my-ucsb-account

Step 6 — Tag Your Resources

All resources must be tagged with the required tags. Missing tags will eventually trigger compliance alerts or resource removal.

See the Tagging page for required tags and allowed values.


Step 7 — Create a Budget Alarm

Set a Budget alarm so that you are alerted before you exceed your budget (see AWS docs: Create a billing alarm to monitor your estimated charges):

  1. In the Console, switch to the US East (N. Virginia) region, then navigate to CloudWatch → Alarms → All alarms.
  2. Verify a billing alarm exists and the threshold is correct.
  3. Confirm the SNS subscription is set to email you or your team.
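The three checks above can also be run against saved CLI output. The following is an added example, not part of the original guide: it assumes the alarm is a CloudWatch metric alarm on the AWS/Billing EstimatedCharges metric and that the JSON from `aws cloudwatch describe-alarms --region us-east-1` and `aws sns list-subscriptions-by-topic` has already been parsed. The function name, alarm name, threshold, and email address are constructed for illustration.

```python
"""Audit Step 7 offline from saved AWS CLI JSON (all sample data is constructed)."""

def audit_billing_alarm(alarms, subs_by_topic, expected_usd):
    """alarms: parsed `aws cloudwatch describe-alarms --region us-east-1` output.
    subs_by_topic: {topic_arn: parsed `aws sns list-subscriptions-by-topic` output}.
    Returns a list of findings; an empty list means all three checks passed."""
    billing = [a for a in alarms.get("MetricAlarms", [])
               if a.get("Namespace") == "AWS/Billing"
               and a.get("MetricName") == "EstimatedCharges"]
    if not billing:
        return ["no billing alarm found in us-east-1"]
    findings = []
    for a in billing:
        name = a["AlarmName"]
        if a.get("Threshold") != expected_usd:
            findings.append(f"{name}: threshold {a.get('Threshold')} != {expected_usd}")
        if not a.get("ActionsEnabled", False):
            findings.append(f"{name}: alarm actions are disabled")
        # Only SNS actions can deliver email; a subscription that was never
        # confirmed reports the literal ARN "PendingConfirmation".
        topics = [t for t in a.get("AlarmActions", []) if t.startswith("arn:aws:sns:")]
        confirmed = [s for t in topics
                     for s in subs_by_topic.get(t, {}).get("Subscriptions", [])
                     if s.get("Protocol") == "email"
                     and s.get("SubscriptionArn") != "PendingConfirmation"]
        if not confirmed:
            findings.append(f"{name}: no confirmed email subscription on its SNS topic")
    return findings

# Constructed sample data (account ID, names, and addresses are placeholders).
TOPIC = "arn:aws:sns:us-east-1:123456789012:billing-alerts"
ALARMS = {"MetricAlarms": [{
    "AlarmName": "monthly-budget", "Namespace": "AWS/Billing",
    "MetricName": "EstimatedCharges", "Threshold": 500.0,
    "ActionsEnabled": True, "AlarmActions": [TOPIC]}]}
SUBS_PENDING = {TOPIC: {"Subscriptions": [{
    "Protocol": "email", "Endpoint": "team@example.edu",
    "SubscriptionArn": "PendingConfirmation"}]}}
SUBS_OK = {TOPIC: {"Subscriptions": [{
    "Protocol": "email", "Endpoint": "team@example.edu",
    "SubscriptionArn": TOPIC + ":11111111-2222-3333-4444-555555555555"}]}}

if __name__ == "__main__":
    print(audit_billing_alarm(ALARMS, SUBS_OK, 500.0))
    print(audit_billing_alarm(ALARMS, SUBS_PENDING, 500.0))
```

An alarm whose only subscriber never clicked the confirmation link looks correct in the alarm list but will not notify anyone, which is why the subscription state is checked separately from the alarm itself.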

Getting Help

Issue                                          Where to Go
---------------------------------------------  --------------------------------------------------
Access problems (can’t sign in, missing role)  ServiceNow
Missing VPC, networking issues                 Networking
Policy violations / Access Denied              Guardrails
Billing questions                              Cost Management
AWS service questions                          Enterprise Support — open a case in the AWS Console
Everything else                                ServiceNow