Should I use one account or multiple accounts?

0

I have a single account right now that has my development and production deployments in it (Load Balancer + ECS Fargate + Postgres RDS), and they are separated in different VPCs and share no resources.

Should I keep building down this path, or is it a better idea to split my deployment into multiple AWS accounts? What are the pros and cons of each scenario? It is currently only two people building in this account, but likely will grow to be many more.

AWS
asked 2 years ago, 1831 views
3 Answers
7
Accepted Answer

We would generally recommend that you split your account and leverage a multi-account strategy if you have both dev/QA and prod deployments.

This is especially true if you have sensitive workloads with critical data and a team of developers for whom you want proper access control.

While there is no golden rule here, I would generally say that if your monthly spend is more than 1k, you should seriously consider using multiple accounts.

+ Set up account-level (the strongest) boundaries for your Dev and Prod workloads, reducing the blast radius of a bad deployment or a compromised account.

+ Ability to apply policies to each account if using AWS Organizations.

+ Federate access to each account for multiple developers, with the ability to impose the strongest protection preventing changes to the production environment.

- You may need to share resources in the future; there might be a slight administrative overhead in configuring that, and a small cost for, let's say, a Transit Gateway, VPC peering, data transfer, etc.

- You might want to aggregate logs like CloudTrail etc., which can potentially cost a little bit more. Also, some setup using Organizations and/or Control Tower is strongly recommended.

- If you want to have a CI/CD pipeline, special consideration is needed to set up cross-account roles for deployments. Pretty easy to do, but not as easy as in one account. Also, for things like Identity Federation you do have to create and apply roles to each account (AWS SSO can help).

Jason_S
answered 2 years ago
  • I agree with this. I would only add that it's important to NOT use the root account to run workloads in. Instead you should create separate accounts for your workloads. This is becoming more of a common practice here at AWS and is encouraged.

2

Single account building is great for ease of use and management, especially for smaller teams. If you split the accounts, you minimize risk of inadvertently impacting your production environment. You'll also be able to easily differentiate billing between your development and production workloads. If you're diligent about leveraging tagging, you can achieve a similar cost breakdown outcome in a single account.

AWS
answered 2 years ago
  • +1 to this and all mentioned in the accepted answer. Also, by splitting accounts by workloads AND teams, you reduce the risk of hitting service quotas earlier than expected.

0

Spending some time upfront to create an Admin account that controls an Organization, and then Dev, Stage, and Prod accounts under that Organization, will make things easier down the road. For small teams the extra overhead can seem like a waste of time, but in the long run you are setting up a good foundation to build on.

AWS
MODERATOR
tad
answered 2 years ago
