Should I use one account or multiple accounts?
I have a single account right now that has my development and production deployments in it (Load Balancer + ECS Fargate + Postgres RDS), and they are separated in different VPCs and share no resources.
Should I keep building down this path, or is it a better idea to split my deployment into multiple AWS accounts? What are the pros and cons of each scenario? It is currently only two people building in this account, but likely will grow to be many more.
We generally would recommend that you split your account and leverage a multi-account strategy if you have both dev/QA and prod deployments.
This is especially true if you have sensitive workloads with critical data, and have a team of developers for whom you want proper access control.
While there is no golden rule here, I generally would say if your monthly spend is more than 1k, you should seriously consider using multi-account.
+ Set up account-level (strongest) boundaries for your Dev and Prod workloads, reducing the blast radius of a bad deployment or a compromised account.
+ Ability to apply policies to each account if using AWS Organizations.
+ Federate access to each account for multiple developers, and the ability to impose the strongest protection preventing changes to the production environment.
- If you do need to share resources in the future, there might be a slight administrative overhead of configuring that, and a small cost for, let's say, a Transit Gateway, VPC peering, data transfer, etc.
- You might want to aggregate logs like CloudTrail etc., which potentially costs a little bit more. Also, some setup using Organizations and/or Control Tower is strongly recommended.
- If you want to have a CI/CD pipeline, special consideration is needed to have a cross-account role for deployments. Pretty easy to do, but not as easy as one account. Also, for things like Identity Federation you do have to create and apply roles to each account (AWS SSO can help).
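As an added illustration of two points in the answer above (the account-level boundary enforced through an Organizations policy, and the cross-account role a CI/CD pipeline assumes to deploy into prod), here is a small Python example. It is not code from the original thread or from AWS; the account IDs, role names and ExternalId are constructed placeholders, and the policy documents are plain IAM JSON built locally. The lint function is a local review check over the trust policy, not an AWS API call.

```python
"""Cross-account deploy role and prod guardrail SCP (added example, not from the thread).

Assumptions (constructed for this example): tooling/dev account 111111111111 owns a
PipelineRole; prod account 222222222222 exposes a ProdDeployRole that only that
pipeline role may assume, and only with an agreed ExternalId.
"""
import json
from fnmatch import fnmatchcase

TOOLING_ACCOUNT = "111111111111"            # constructed placeholder account id
PROD_ACCOUNT = "222222222222"               # constructed placeholder account id
EXTERNAL_ID = "example-pipeline-external-id"  # constructed placeholder, not a real secret


def deploy_role_trust_policy(tooling_account: str, pipeline_role: str, external_id: str) -> dict:
    """Trust policy for the prod-side deploy role.

    Scopes the principal to one named role in the tooling account (not the account
    root) and requires the ExternalId, so the role cannot be assumed by any other
    principal in that account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPipelineAssume",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{tooling_account}:role/{pipeline_role}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def prod_guardrail_scp() -> dict:
    """Service control policy for the prod OU: keep audit logging on and keep the
    account inside the organization. SCPs apply regardless of the caller's IAM policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ProtectCloudTrail", "Effect": "Deny",
             "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                        "cloudtrail:UpdateTrail"],
             "Resource": "*"},
            {"Sid": "NoLeavingOrg", "Effect": "Deny",
             "Action": "organizations:LeaveOrganization", "Resource": "*"},
        ],
    }


def scp_denies(scp: dict, action: str) -> bool:
    """Return True if any Deny statement in the SCP matches the action.
    IAM action names match case-insensitively and support '*' wildcards."""
    for stmt in scp.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            return True
    return False


def lint_trust_policy(policy: dict) -> list[str]:
    """Review check for a cross-account trust policy.

    Flags Allow statements whose principal is '*' or an account root (anyone in that
    account could assume the role) and statements with no sts:ExternalId condition.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"{sid}: principal too broad: {arn}")
        cond = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))
        if not has_external_id:
            findings.append(f"{sid}: no sts:ExternalId condition on cross-account AssumeRole")
    return findings


if __name__ == "__main__":
    trust = deploy_role_trust_policy(TOOLING_ACCOUNT, "PipelineRole", EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", lint_trust_policy(trust))
    print("SCP blocks StopLogging:", scp_denies(prod_guardrail_scp(), "cloudtrail:StopLogging"))
```

The trust policy is what you attach to the deploy role in the prod account; the pipeline in the tooling account then calls `sts:AssumeRole` with the matching ExternalId, so the only thing that needs prod credentials is that one role. The SCP is attached to the OU containing the prod account from the Organizations management account; it does not grant anything by itself, it only caps what any principal in the member account can do.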
Single account building is great for ease of use and management, especially for smaller teams. If you split the accounts, you minimize risk of inadvertently impacting your production environment. You'll also be able to easily differentiate billing between your development and production workloads. If you're diligent about leveraging tagging, you can achieve a similar cost breakdown outcome in a single account.
+1 to this and all mentioned in the accepted answer. Also, by splitting accounts by workloads AND teams, you reduce the risk of hitting service quotas earlier than expected.
I agree with this. I would only add that it's important to NOT use the root account to run workloads in. Instead you should create separate accounts for your workloads. This is becoming more of a common practice here at AWS and is encouraged.