Best Practices FAQ

1. My customer already has an AWS Organization structure with a management account. They have workloads running in this account. Can they continue to do this when they move into the TD SYNNEX Organization?

For the following reasons, it is NOT recommended that anyone runs workloads in a management account:

• Security: It is against AWS security best practices to be continually logging in and out of your management account to provision workloads.
• Discounts: Workloads residing in a management account will only ever attract 3% distribution discount, regardless of the amount of discount you qualify for. They will not qualify for POD and CEI incentive discounts.
• The management account should be an empty construct, used solely to manage billing.

2. Are there any other ways in which my customer is responsible for securing their accounts?

Yes. They should make sure MFA is switched on for every login. For guidance, please refer to this document:

How to add an MFA Device to an OrgAdmin user – DLT Operations Center

3. Is moving into the TD SYNNEX Organization secure? Are you able to see into my customers environments and switch services and support contracts on?

No. TD SYNNEX only have access to the management account for billing purposes; we cannot access any member accounts. This is because TD SYNNEX operates under the AWS End Customer Account Model (ECAM). The management (payer) account is set up with a TD SYNNEX email domain, but all member (linked) accounts have the end customer’s root email domain. Under this model, we are set up as the payer so we own the root of the management account in the consolidated billing organization, and this is so we can receive the bill from AWS, but all AWS services are resold through the member accounts owned by the end customer.

If your customer would like a support plan or any new services to be switched on, they must do this themselves.

Please see the link for more information on ECAM: How AWS Partners can determine AWS Support plans in an organization | AWS Blog

4. Can TD SYNNEX raise support tickets to AWS for customers?

For the most part, no, but we can do this for any management accounts.

5. What is a Dedicated Payer account?

If a customer already has an AWS Organization structure (i.e., they have a management account with multiple linked accounts), they need a Dedicated Payer account as there can only be one AWS Organization (which is TD SYNNEX’s). The benefits of a Dedicated Payer account is that is opens up features such as Control Tower, IAM Identity Center, Security Hub, AWS Config, Service Catalog, Organization Units, Tag Policies and SCP’s. Dedicated Payer accounts can also utilize TD SYNNEX’s TechCARE break-fix service and our new Dashboards-as-a-Service (DaaS) FinOps tool.

If the customer has a standalone account (i.e., no AWS Organization structure), this account simply moves across into our TD SYNNEX Shared Payer as a member account.

6. Will I see CEI/POD/credits as soon as my account moves into the TD SYNNEX Organization?

No. We get all of these in arrears so if your account moves today, billing becomes live from 1st of the month (which is when AWS send us our bill). POD/CEI discounts and any credits you have will be applied in the following month.

7. Can my customer continue to use AWS Cost Explorer to see their billable amount?

No. When accounts move into the TD SYNNEX Organization, Cost Explorer will show the TD SYNNEX buy prices so we do not encourage customers to rely on Cost Explorer for billing information. As the partner, you should work with your customer to ensure you are the one that provides their billing information which is obtained from StreamOne ION. It is possible to prevent customers from accessing Cost Explorer using an IAM policy if necessary.

8. Can I set up StreamOne ION so that each of my customers has their own access to their own billing information?

Yes. This is done via the StoreFront feature. We recommend the following short training course to allow you to have the best experience with StreamOne ION possible:

Setting Up and Managing your AWS Business on StreamOne Ion : TD SYNNEX StreamOne Ion

9. What other tasks are there for me to complete for my customers in StreamOne ION?

Your customer support in StreamOne ION should be end to end, everything from setting up specific price books and margins for your customer, all the way through to assigning support plans to prevent a negative value on your bill. You will also need to update the billing FX rate manually in StreamOne ION.