Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
https://docs.aws.amazon.com/whitepa...
Tl;dr new account for every isolated security zone. AWS doesn't make this easy. GCP isolates by projects automatically, and OCI has granular and nestable multi tenancy baked in. -
retoor120181yNot experienced with aws but for me it's obvious to create an account per project. You want to split bills and stuff or give the account to customer eventually
-
If there is a plan for the account to be later owned by someone else, just use a different account.
If you plan to go with multiple accounts don't forget to enable organizations and consolidated billing.
For my personal project, I have 5 accounts:
- Management account: For Identity Center users
- Shared services account: For resources to be shared among several projects, like Dynamo table
- App Account: To host project specific resources only
- Networking Account: Hosting Route53 and shared VPC
- Logs & Archives account: I redirect logs there that can be redirected to different accounts, and setup CloudWatch to display logs from other accounts
- Audit (to be deleted): Used for CloudTrail and AWS Config but then the bill increased cuz of AWS Config so I decided to drop that, like 5$ for two weeks for one Dynamo table, one lambda, one cloudformation and two S3 buckets, its not worth it for me. -
ars140751yIt depends TM.
You can isolate through proper resource segmentation, but it will be easier to have separate accounts. If you want to make them share resources you will need to set up interaccount roles, but I can’t remember much about them. -
b2plane63951y@ars1 you said its easier to separate into new account per each project, is this the case of "the easier the better" or "if you choose the easy way you'll suffer later"?
-
Just bear in mind that there's a limit to how many accounts any person can have. It's ten I believe before requiring a quota increase.
-
ars140751y@b2plane I do not know your use case, but if for example these projects are all for different clients, absolutely go for different accounts every time. So “the easier the better”.
If it’s all different projects for the same company it gets harder, but I cannot say much. I never tried a multi account setup so I cannot say for sure that “you will pay for it later”, but I think it would be harder to manage. My experience tells me that the more complex setup will fuck you in the ass. I’d always go for a single account if possible, but separate accounts if different clients or if security per project is of upmost importance.
I think you should go through the white paper someone else posted. These kind of decisions are the ones I always discuss with clients, and I’m fully open about what I do not know and what the risks are for each solution. Or ask for more time to do research, they are usually happy to discuss.
if i want to use aws for a project, is it better to create a brand new aws account for each project or is it fine that i group them under 1 aws account (e.g. company name)?
rant