AWS Multi-Account Architecture Best Practice

For a developing company, I’m putting up a scalable AWS setup.

We are currently discussing whether to use AWS Organizations to manage numerous accounts or to keep everything in one account with separate VPCs.

Regarding security, cost distribution, and operational complexity, each strategy offers advantages and disadvantages.

Does anyone have any suggestions or practical knowledge on the optimal arrangement and why?

This is a graphic design forum, but you’re asking a question most graphic designers will never encounter. If you’re a graphic designer, you’re probably better off seeking advice from a hosting forum (if one exists).

Take what I say with a grain of salt since my experience with AWS is limited to one or two projects. Whether to stick with AWS or use VPC within the environment depends, from my experience, on the nature and number of accounts.

VPC might seem simpler because all your different resources/projects are grouped into one single environment (the VPC). VPC is a viable choice when multiple accounts are similar, require similar environments, have similar security concerns, and aren’t expected to change drastically. In other words, it can work well for smaller, more unified environments where identity and access management requirements are similar.

However, if the accounts are numerous and differ greatly, VPC can become problematic. For example, the “blast radius” (the potential damage) from system corruption, misconfigurations, or a security breach can easily compromise multiple accounts. In contrast, separate AWS environments isolate the accounts from each other. Additionally, some accounts might need to comply with significantly different security protocols that are difficult to implement within a VPC. The drawback, of course, is the increased complexity of managing separate AWS environments.

I might compare the differences in deciding between separate AWS accounts or using VPC within one AWS account to deciding whether to put all your eggs in one basket or spread them across multiple baskets. The idiom about not putting all your eggs in one basket mostly holds, but using multiple baskets presents its own problems.

If it were me, I’d lean towards straightforward, separate AWS environments unless you’re certain that VPC will do what you need and that you won’t outgrow it.
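As an added illustration (not code from either poster), this is how the "separate accounts" option would be expressed with AWS Organizations in Terraform: each workload gets its own account, accounts with different compliance needs sit in different organizational units, and a service control policy applied at the root keeps audit logging and organization membership out of any member account's reach, which is the kind of guardrail a VPC split inside one account cannot give you. The account names, OU layout, region and e-mail address are assumptions.

```hcl
provider "aws" {
  region = "us-east-1" # run from the management account (assumed)
}

# One organization; "ALL" features are needed for SCPs and consolidated billing
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# Separate OUs so accounts with different compliance needs get different guardrails
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_organizational_unit" "regulated" {
  name      = "regulated"
  parent_id = aws_organizations_organization.org.roots[0].id
}

# Each workload is its own account: the account boundary is the blast-radius boundary
resource "aws_organizations_account" "app_prod" {
  name      = "app-prod"                  # assumed name
  email     = "aws+app-prod@example.com"  # placeholder address
  parent_id = aws_organizations_organizational_unit.workloads.id
}

# A service control policy that no member account can override, even as admin
resource "aws_organizations_policy" "guardrails" {
  name = "baseline-guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "KeepAuditAndMembership"
      Effect = "Deny"
      Action = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization"]
      Resource = "*"
    }]
  })
}

# Attach at the root so every OU and account inherits the guardrail
resource "aws_organizations_policy_attachment" "guardrails_root" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organization.org.roots[0].id
}
```

Consolidated billing under the organization also gives per-account cost breakdown for free, which addresses the cost-distribution concern in the question without any tagging discipline.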