Title may be confusing, but have a listen.
client == project owner in this text, so it is not suspicious thing.
Lets say, I create an IAM account for the client in my main AWS account, and call it "zattirizort". So the client have an IAM account under my main account right now.
Clients IAM account (zattirizort) will include every service, Beanstalk, Route 53, whatever belonging to the backend application we are deploying. And every service that IAM account rents, main account will not pay it, IAM account will pay it.
I deployed a Docker container in Beanstalk? Punt the bill to client.
Someone send 300.000 traces in a month to X-Ray? Punt the bill to client.
For legal reasons, yes, client will be aware of punting the entire bill to them, and I will be responsible for any extra billing that I didnt mention.
So I need to cut myself from the middle somehow, if that IAM account (client) does not pay the monthly bill, AWS will come after the client, not me. Because I hate lawsuits, they scare me.
Can I do something like this in AWS services? I really love Beanstalk / EC2 / Cloudwatch services and don't want to leave AWS just because i am scared of lawsuits.
thanks!
So I have to create new account for each client? Cant I do like, one main account, and a dozen other accounts to manage clients
Short answer is "yes". Not sure what would be the definition of "main" and "other" account? If you are thinking using AWS Organizations, it would help in account creation process, but my understanding is, you will always have consolidated billing (ie single payer for all accounts) and you would have enter billing method plus resign account from org to get customer responsible for payments as you wanted. See https://aws.amazon.com/organizations/faqs/