I've noticed that a lot of organizations set up distinct AWS accounts for different stages of their applications, like having one account for development and another for production. While I understand the appeal of isolating environments to prevent potential mishaps, managing resources across multiple accounts can feel cumbersome. Especially when AWS Control Tower is involved, it seems like overseeing numerous accounts could become quite complex. Is there any chance AWS might introduce a feature for isolated environments within a single account to make life easier?
4 Answers
Having separate AWS accounts for each app stage isn't an anti-pattern—it's actually recommended practice. Separate accounts work as permission boundaries and limit the potential blast radius of issues. Companies should build solid foundations that support this type of organization with tools like AWS Control Tower.
I started transitioning to this setup for my stack with 20 microservices. We created multiple accounts for different stages, but honestly, I regret going that granular. It complicates things too much, like VPC and ALB costs, and disaster recovery becomes a headache.
If you're using Infrastructure as Code (IaC), managing across different accounts becomes a breeze since you can point to the right account ID and name your resources appropriately based on the environment. As to whether AWS will ever create a single-account solution for isolated environments, it’s tough to imagine how that’d differ from the existing multi-account model we already use.
Exactly! It's comparable to working with separate accounts under a different interface. Plus, having isolated accounts really boosts security by reducing the risk of human error affecting production.
I share your skepticism. It seems like AWS has already solved this problem with how accounts work now.
Managing multiple environments within a single account can get chaotic, especially when it comes to resource traffic and shared services. While it’s definitely possible, having separate accounts helps prevent any accidental crossovers between environments—like mistakenly modifying production when you mean to adjust something in dev.
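The two points above, pointing IaC at the right account ID per environment and preventing an accidental dev-to-prod crossover, can be combined in a small pre-deploy guardrail. The following is an added illustration, not code from the thread or from any AWS tooling: it maps a stage name to its account and deploy role, derives environment-scoped resource names, and refuses to continue unless the credentials actually in hand belong to the intended account. The account IDs, the `DeployRole` name, the `orders` app name and the caller-identity values are all constructed placeholders; the identity dict has the shape returned by STS `GetCallerIdentity`.

```python
"""Per-environment account resolution plus an account guardrail for multi-account deploys.

Added example for this thread. Account IDs, role names and identities are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Constructed stage -> account mapping; one AWS account per stage, placeholder 12-digit IDs.
ENVIRONMENTS = {
    "dev":   {"account_id": "111111111111", "role_name": "DeployRole"},
    "stage": {"account_id": "222222222222", "role_name": "DeployRole"},
    "prod":  {"account_id": "333333333333", "role_name": "DeployRole"},
}

_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


@dataclass(frozen=True)
class DeployTarget:
    env: str
    account_id: str
    role_arn: str       # role the pipeline assumes inside the target account
    name_prefix: str    # prefix that keeps resource names unambiguous per stage


def resolve_target(env: str, app: str) -> DeployTarget:
    """Turn a stage name into the account, role ARN and naming prefix the deploy must use."""
    if env not in ENVIRONMENTS:
        raise KeyError(f"unknown environment {env!r}; known: {sorted(ENVIRONMENTS)}")
    cfg = ENVIRONMENTS[env]
    role_arn = f"arn:aws:iam::{cfg['account_id']}:role/{cfg['role_name']}"
    return DeployTarget(env=env, account_id=cfg["account_id"],
                        role_arn=role_arn, name_prefix=f"{app}-{env}")


def resource_name(target: DeployTarget, kind: str) -> str:
    """Environment-scoped resource name, e.g. orders-prod-artifacts."""
    return f"{target.name_prefix}-{kind}"


def check_account(target: DeployTarget, identity: dict) -> None:
    """Refuse to deploy unless the caller identity belongs to the target account.

    `identity` is a dict shaped like the STS GetCallerIdentity response
    (keys "Account", "Arn", "UserId"). This is the check that stops a deploy
    aimed at dev from running with credentials that happen to be prod's.
    """
    actual = str(identity.get("Account", ""))
    if not _ACCOUNT_ID_RE.match(actual):
        raise ValueError(f"malformed account id in caller identity: {actual!r}")
    if actual != target.account_id:
        raise PermissionError(
            f"refusing to deploy {target.env}: credentials belong to account {actual}, "
            f"expected {target.account_id} (caller {identity.get('Arn')})"
        )


def fetch_caller_identity(session) -> dict:
    """Optional live lookup with a boto3 Session (imported lazily so the rest runs offline)."""
    return session.client("sts").get_caller_identity()


def plan_deploy(env: str, app: str, identity: dict) -> dict:
    """Resolve the target, enforce the account guardrail, and return what the IaC step needs."""
    target = resolve_target(env, app)
    check_account(target, identity)
    return {
        "env": target.env,
        "account_id": target.account_id,
        "role_arn": target.role_arn,
        "artifact_bucket": resource_name(target, "artifacts"),
        "log_group": resource_name(target, "logs"),
    }


def is_deploy_allowed(env: str, app: str, identity: dict) -> bool:
    """True only when the credentials match the account that `env` lives in."""
    try:
        plan_deploy(env, app, identity)
        return True
    except (PermissionError, ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Constructed identity: a CI session that assumed the deploy role in the prod account.
    ci_identity = {
        "Account": "333333333333",
        "Arn": "arn:aws:sts::333333333333:assumed-role/DeployRole/ci",
        "UserId": "AROAEXAMPLE:ci",
    }
    print(plan_deploy("prod", "orders", ci_identity))
    # Same credentials aimed at dev are rejected rather than silently touching prod.
    print("dev allowed with prod creds:", is_deploy_allowed("dev", "orders", ci_identity))
```

The mapping is the single place that ties a stage to an account, so a Terraform or CDK step can take `role_arn` and the `name_prefix`-derived names from `plan_deploy` instead of each pipeline hard-coding IDs; the guardrail fails closed on a mismatch, a malformed identity, or an unknown stage.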
One practical downside to having multiple accounts is the cost that accumulates, particularly for compliance and monitoring tools. It’s a trade-off. While isolation might be necessary for security, it’s essential to weigh it against the extra costs and management overhead involved.
We’re using separate accounts for each project and stage as well. We even have an AWS account for every GitHub branch, except feature branches share their environments.