

 This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

# Introduction
<a name="introduction"></a>

 With AWS, you can requisition compute, storage, and other services on demand, gaining access to a suite of secure, scalable, and flexible IT infrastructure services as your organization needs them. This enables educators, academic researchers, and students to tap into the on-demand infrastructure of AWS to teach advanced courses, tackle research endeavors, and explore new projects – tasks that previously would have required expensive upfront and ongoing investments in infrastructure. 

 For more information, see [Cloud Computing for Education](https://aws.amazon.com/education/) and [Cloud Products](https://aws.amazon.com/products/). 

 To access any AWS service, you need an AWS account. Each AWS account is typically associated with a payment instrument (credit card or invoicing). You can create an AWS account for any entity, such as a professor, student, class, department, or institution. When you create an AWS account, you can sign into the AWS Management Console and access a variety of AWS services. 

**Protect these security credentials and do not share them publicly.** For more information, see [AWS security credentials](https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) and [AWS Management Console](https://aws.amazon.com/console/).

 If you require more than one person to access your AWS account, [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) enables you to create multiple users and manage the permissions for each of these users within your AWS account. 

A user is a unique identity recognized by AWS services and applications. Similar to a user login in an operating system such as Windows, macOS, or Linux, each user has a unique name and can identify themselves using various kinds of security credentials.

 A user can be an individual, such as a student or teaching assistant, or an application, such as a research application, that requires access to AWS services. You can create users, groups, roles, and federation capabilities using the AWS Management Console, APIs, or a variety of AWS Partner products. 

For instructions on how to create new users and manage AWS credentials, see [Creating an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html) in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html).

 Depending on your teaching or research needs, there are several ways to set up a multi-user environment in the AWS Cloud. The following sections introduce three possible scenarios. 

**Topics**
+ [Scenario 1: Individual server environments](scenario-1.md)
+ [Scenario 2: Limited user access to the AWS Management Console within a single account](scenario-2.md)
+ [Scenario 3: Separate AWS accounts for each user](scenario-3.md)
+ [Comparing the scenarios](comparing-the-scenarios.md)

# Scenario 1: Individual server environments
<a name="scenario-1"></a>

This scenario is excellent for labs and other class work that require users to access their own pre-provisioned Linux or Windows servers running in the AWS Cloud. The servers are running in [Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html) (Amazon EC2) instances. 

 The instances can be created by an administrator with a customized configuration that includes applications and the data needed to perform tasks for labs or assignments. This scenario is easy to set up and manage. Users in this scenario do not need their own AWS accounts, or credentials for any other servers. Since these users don't have an AWS account, they cannot allocate additional resources in the AWS Cloud. 

## Example
<a name="example"></a>

 Consider a class with 25 students. The administrator creates 25 private keys and launches 25 Amazon EC2 instances—one instance for each student. The administrator shares the appropriate key or password with each student and provides instructions on how to log into their instance. 

 In this case, students do not have access to the AWS Management Console, AWS Command Line Interface, or AWS APIs, which prevents them from accessing other AWS services. Each student gets a unique private key (Linux) or sign-in credentials (Windows) along with the public hostname or IP address of the instance that they can use to log in. 

# Scenario 2: Limited user access to the AWS Management Console within a single account
<a name="scenario-2"></a>

 This scenario is excellent for users that require control of AWS resources, such as students in cloud computing or high performance computing (HPC) classes. With this scenario, users are given restricted access to the AWS services through their IAM credentials. 

## Example
<a name="example-1"></a>

 Consider a class with 25 students. The administrator creates 25 IAM users using the AWS Management Console, AWS Command Line Interface, or APIs, and provides each student with their IAM credentials and a login URL for the AWS Management Console. The administrator also creates a permissions policy that can be attached to a user group or an individual user to allow or deny access to different services. 

Each student (IAM user) has access to resources and services as defined by the access control policies set by the administrator. Students can log in to the AWS Management Console to access different AWS services as defined by the policy. For example, they could launch Amazon EC2 instances and store objects in [Amazon Simple Storage Service](https://aws.amazon.com/s3/) (Amazon S3) buckets.
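One way to write such a permissions policy, as an added example that is not from the original whitepaper: attached to the class user group, it confines each student to their own S3 prefix through the `${aws:username}` policy variable and denies launches of instance types outside a small allow-list. The bucket name `example-class-bucket`, the `students/` prefix, the Region, and the instance types are assumed placeholder values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-class-bucket",
      "Condition": {
        "StringLike": { "s3:prefix": "students/${aws:username}/*" }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-class-bucket/students/${aws:username}/*"
    },
    {
      "Sid": "LaunchAndViewInstancesInOneRegion",
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "ec2:RunInstances"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestedRegion": "us-east-1" }
      }
    },
    {
      "Sid": "DenyInstanceTypesOutsideAllowList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": { "ec2:InstanceType": ["t3.micro", "t3.small"] }
      }
    }
  ]
}
```

Any action not listed here, including all IAM actions and operations on other students' prefixes, stays implicitly denied.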

# Scenario 3: Separate AWS accounts for each user
<a name="scenario-3"></a>

This scenario, with optional consolidated billing, provides an excellent environment for users who need a completely separate account environment, such as researchers or graduate students. It is similar to [Scenario 2](scenario-2.md), except that each IAM user is created in a separate AWS account, eliminating the risk of users affecting each other’s services.

## Example
<a name="example-2"></a>

Consider a research lab with 10 graduate students. The administrator creates one management AWS account, which will own the AWS Organization. Then, the administrator provisions a separate AWS account for each student within the AWS Organization. In each account, the administrator either creates an IAM user or manages permissions through single sign-on users for each student, and applies [access control policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html). Users receive access to an IAM user/role within their AWS account.

Users can log in to the AWS Management Console to launch and access different AWS services, subject to the access control policy applied to their account. Students don’t see resources provisioned by other students, because each account is isolated from the others.

 A key advantage of this scenario is that students can keep their accounts after the completion of the course. Each account can be set up as a standalone account, outside the AWS Organization. If the students have used AWS resources as part of a startup course, they can continue to use what they have built on AWS after the class, semester, or course is over. 

# Comparing the scenarios
<a name="comparing-the-scenarios"></a>

 The scenario you should select depends on your requirements. Table 1 provides a comparison of key features of these three scenarios. 

*Table 1: Comparison of scenarios*


|   |  Individual server environments  |  Limited user access to AWS Management Console  |  Separate AWS account for each user  | 
| --- | --- | --- | --- | 
|  Examples  |  Undergraduate labs  |  Graduate classes  |  Graduate research labs  | 
|  Example uses  |  Labs or course work requiring a virtual server, AWS service, or separate application instance  |  Courses in cloud computing or labs requiring variable resource needs (such as HPC)  |  Courses for startups, thesis, or research projects  | 
|  Separate AWS accounts required for each user  |  No  |  No  |  Yes  | 
|  Major steps for setup  |  Create and allocate Amazon EC2 resources and associated credentials  |  Create IAM users, create policies, and distribute credentials  |  Create separate member AWS accounts plus the steps in the [Setting up Scenario 2: Limited user access to AWS Management Console](setting-up-scenario-2-limited-user-access-to-aws-management-console-within-a-single-account.md) section  | 
|  Users can provision additional AWS resources, resulting in additional charges  |  No  |  Yes, depending on IAM services provided to users  |  Yes, depending on IAM services provided to users  | 
|  Users have access to AWS Management Console or APIs  |  No  |  Yes  |  Yes  | 
|  User charges paid by the management AWS account  |  Yes  |  Yes  |  Yes, if consolidated billing is used  | 
|  Separation between user environments  |  Yes, based on resource access configuration  |  Yes, if optional resource-based permissions are configured  |  Yes  | 
|  Individual user credit cards or invoicing required  |  No  |  No  |  No, if consolidated billing is used  | 
|  Billing alerts can be used to monitor charges  |  Yes  |  Yes  |  Yes  | 

 A large number of real-world use cases can benefit from implementing these scenarios. This section focuses on the education sector where multi-user, shared environments are required for setting up online classes, labs, and workshops for students. Both user and resource management are critical in these scenarios. Depending on your specific requirements, any of these scenarios can be used for setting up classrooms in the AWS Cloud. The following sections describe each of these scenarios in more detail. 