AWS at Scale #Branch 2: Why it's important not to build everything in a single AWS account
If you're just starting out on AWS, try not to build everything within a single AWS account; it will cause you nothing but problems.
Why?
🚩 No blast-radius containment in the event of a security breach.
🚩 Service limits can impact all resources.
🚩 Inability to apply budgets and cost management.
🚩 Inability to recover services to alternative accounts.
🚩 Difficult to manage roles and apply boundaries.
🚩 Encourages shared credentials.
🚩 Blends dev, stage and prod environments together.
🚩 Highly complex permission boundaries.
🚩 Too many cooks have access to the kitchen.

A better approach:
🔸 Use AWS Organisations and Control Tower.
🔸 Use an AWS Account Factory.
🔸 Organise accounts into OUs with policies.
🔸 Segregate accounts into dev, stage and prod.
🔸 Ensure account permissions are segregated.
🔸 Segregate accounts for sandbox and standalone.
🔸 Apply budget thresholds and alerts.
🔸 Use AWS Private Marketplace.
🔸 Avoid using VPC Peering.
🔸 Promote the use of PrivateLink.
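To make the "OUs with policies" point concrete, here is an added example (not code from the original post) that models how an OU-level service control policy constrains every principal in a member account, including that account's own administrators. The two SCP documents and the region list are constructed for illustration, and the evaluator only handles the `Action`/`NotAction` fields plus the `StringEquals`/`StringNotEquals` condition operators; real SCP evaluation has more operators, does not apply to service-linked roles, and never applies to the management account.

```python
"""Toy evaluator for AWS Organizations service control policies (SCPs).

Added example, not from the original post. It models the documented SCP
semantics closely enough to show why an OU-level Deny limits the blast
radius of a compromised member account: an action is allowed only if
(1) the principal's IAM policy allows it, (2) no SCP in the account's
inheritance path explicitly denies it, and (3) at least one SCP allows
it (the default FullAWSAccess policy does). Only String* condition
operators are modelled; service-linked roles and the management account
are out of scope of real SCPs and of this toy.
"""
from fnmatch import fnmatchcase

# Constructed SCP 1: keep workloads inside two approved regions; global
# services (IAM, STS, Organizations, Support, Budgets) are exempted via NotAction.
RESTRICT_REGIONS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "budgets:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}},
        }
    ],
}
# Constructed SCP 2: stop a compromised or careless account admin from leaving
# the organisation or switching off security tooling.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeaveOrgAndDisableLogging",
            "Effect": "Deny",
            "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging",
                       "guardduty:DeleteDetector"],
            "Resource": "*",
        }
    ],
}
# AWS attaches this allow-all policy by default; detaching it denies everything.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    # IAM action names match case-insensitively, with * and ? wildcards.
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    if "NotAction" in statement:
        return not hit(statement["NotAction"])
    return hit(statement["Action"])


def _condition_matches(statement, context):
    # StringEquals fails when the key is absent; StringNotEquals (a negated
    # operator) matches when the key is absent, as in real IAM evaluation.
    for operator, clauses in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in clauses.items():
            actual = context.get(key)
            in_set = actual is not None and actual in _as_list(expected)
            if operator == "StringEquals" and not in_set:
                return False
            if operator == "StringNotEquals" and in_set:
                return False
    return True


def scp_decision(policies, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for the combined SCP set."""
    explicit_allow = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt, action) and _condition_matches(stmt, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                explicit_allow = True
    return "Allow" if explicit_allow else "ImplicitDeny"


def is_allowed(iam_allows, policies, action, context):
    """Final decision: the IAM policy must allow AND the SCPs must allow."""
    return iam_allows and scp_decision(policies, action, context) == "Allow"


if __name__ == "__main__":
    ou_policies = [FULL_AWS_ACCESS_SCP, RESTRICT_REGIONS_SCP, GUARDRAIL_SCP]
    # An account admin with AdministratorAccess still cannot act outside the OU's guardrails.
    for action, region in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
                           ("organizations:LeaveOrganization", "eu-west-1")]:
        verdict = is_allowed(True, ou_policies, action, {"aws:RequestedRegion": region})
        print(f"{action} in {region}: {'allowed' if verdict else 'blocked by SCP'}")
```

The point the demo makes is that the guardrail lives outside the account: an attacker who obtains the account's most privileged credentials is still confined to the approved regions and cannot leave the organisation or stop CloudTrail, which is exactly the blast-radius boundary a single-account design cannot give you.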
In more advanced scenarios you can also consider using a mono repo with a GitOps pipeline for the segregated accounts, allowing for a streamlined PR workflow when promoting IaC from the dev account through to stage and then production.
Hope that helps!
