AWS at Scale #7: Why it's important not to build everything in a single AWS account
Try not to build everything in a single AWS account: it will cause you nothing but problems.
Try not to build ‘The Matrix’ in a single AWS account.
Why?
🚩 No containment of the blast radius in the event of a security breach.
🚩 Service limits can impact all resources.
🚩 Inability to apply budgets and cost management.
🚩 Inability to recover services to alternative accounts.
🚩 Difficult to manage roles and apply boundaries.
🚩 Encourages shared credentials.
🚩 Blends dev, stage and prod environments together.
🚩 Highly complex permission boundaries.
🚩 Too many cooks have access to the kitchen.
A better approach:
🔸 Use AWS Organisations and Control Tower.
🔸 Use an AWS Account Factory.
🔸 Organise accounts into OUs with policies.
🔸 Segregate accounts into dev, stage and prod.
🔸 Ensure account permissions are segregated.
🔸 Segregate accounts for sandbox and standalone.
🔸 Apply budget thresholds and alerts.
🔸 Use AWS Private Marketplace.
🔸 Avoid using VPC Peering.
🔸 Promote the use of PrivateLink.
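As an added example (not code from the original post) of what "Organise accounts into OUs with policies" buys you, here is a small offline Python model of how Service Control Policies attached at each OU bound what IAM can grant in the accounts beneath them: even a full admin in a compromised sandbox account still cannot leave the organisation or stop CloudTrail. The OU tree, account names and SCP contents are constructed assumptions, not a real organisation.

```python
import fnmatch

# Constructed sample organisation (not real infrastructure): OU tree as
# child -> parent, account placement, and the SCPs attached at each OU.
OU_PARENT = {"Root": None, "Workloads": "Root", "Prod": "Workloads",
             "Dev": "Workloads", "Sandbox": "Root"}
ACCOUNT_OU = {"payments-prod": "Prod", "payments-dev": "Dev",
              "alice-sandbox": "Sandbox"}
# Each SCP: list of (Effect, action patterns). AWS attaches FullAWSAccess
# (Allow *) to every OU by default, so every level carries an Allow.
SCPS = {
    "Root": [("Allow", ["*"]),
             ("Deny", ["organizations:LeaveOrganization",
                       "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"])],
    "Workloads": [("Allow", ["*"])], "Dev": [("Allow", ["*"])],
    "Prod": [("Allow", ["*"]), ("Deny", ["ec2:CreateVpcPeeringConnection"])],
    "Sandbox": [("Allow", ["*"]),
                ("Deny", ["iam:CreateUser", "iam:CreateAccessKey",
                          "ec2:CreateVpcPeeringConnection"])],
}

def _matches(action, patterns):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def ou_chain(account):
    """OUs from the organisation root down to the account's own OU."""
    chain, ou = [], ACCOUNT_OU[account]
    while ou is not None:
        chain.append(ou)
        ou = OU_PARENT[ou]
    return chain[::-1]

def scp_allows(account, action):
    """Every OU on the path must Allow the action and none may Deny it (a Deny
    at any level wins). SCPs never bind the organisation's management account."""
    for ou in ou_chain(account):
        allows = [p for eff, p in SCPS[ou] if eff == "Allow"]
        denies = [p for eff, p in SCPS[ou] if eff == "Deny"]
        if (not any(_matches(action, p) for p in allows)
                or any(_matches(action, p) for p in denies)):
            return False
    return True

def effective_allow(account, action, iam_allows):
    """SCPs grant nothing: the IAM policy (allowed patterns) AND the SCPs must both permit."""
    return _matches(action, iam_allows) and scp_allows(account, action)

def guardrails_for(account, actions):
    """Actions an IAM admin (Allow *) in `account` still cannot do: the SCP floor of its blast radius."""
    return sorted(a for a in actions if not effective_allow(account, a, ["*"]))
```

Compare `guardrails_for("alice-sandbox", ...)` with `guardrails_for("payments-dev", ...)` to see how placing an account in a more restrictive OU shrinks what a leaked credential can do without touching any IAM policy inside the account.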
Hope that helps!