As you mentioned, limiting the security scope (blast radius, as you call it) is a driving factor for many customers to use multiple accounts. Customers commonly separate production, sandbox, staging, etc. into separate accounts. Large organizations often separate business units into separate accounts too, for billing and security. Access management is simplified in a multi-account scenario, as you only allow access by need instead of having to be extremely diligent about policy rights to various resources in a single account. Also, some regulatory requirements mandate separate accounts for production and development. There are also account quotas that larger customers would bump up against if using a single account.
AWS Organizations allows customers to consolidate billing for multiple AWS accounts and optionally manage those accounts centrally. There are many tasks that customers have to perform to ensure the baseline, e.g. security guardrails, is implemented correctly. Many customers are asking for AWS guidance to help them ensure their AWS environments meet those requirements. The AWS Well-Architected Management and Governance Cloud Environment Guide (M&G Guide) provides clear guidance for customers to follow. Beyond AWS Organizations, the M&G Guide introduces AWS Control Tower to provision a landing zone embedded with controls. You may want to look at the guide at: https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/management-and-governance-cloud-environment-guide.html
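As an added example (not from the answer above, and not code from the M&G Guide or Control Tower), here is the kind of guardrail a landing zone attaches to a production OU: a service control policy that denies all regional API calls outside two approved regions, exempts global services, lets one break-glass role bypass the region restriction, and separately protects CloudTrail from being switched off. A small evaluator implements the Deny semantics of an SCP (an SCP never grants permissions, it only bounds them) so the policy can be exercised offline. The approved regions, account ID, role name and the short list of exempted global services are assumptions; the evaluator supports only the two condition operators the policy uses and ignores Resource, since both statements use "*".

```python
import fnmatch

# Constructed example SCP. Regions, account ID, role name and the exempted
# global-service list are assumptions for this example, not a recommendation.
APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/BreakGlass"

PRODUCTION_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Deny every action that is not on a global service unless the
            # request targets an approved region or comes from the break-glass role.
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": [
                "iam:*", "sts:*", "organizations:*", "support:*",
                "cloudfront:*", "route53:*", "budgets:*", "health:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
                "ArnNotLike": {"aws:PrincipalARN": [BREAK_GLASS_ROLE]},
            },
        },
        {
            # Nobody in a member account, break-glass role included, may stop
            # or tamper with the organization trail.
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcard matching: '*' and '?' only, case-insensitive for actions.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _action_in_scope(stmt, action):
    if "Action" in stmt:
        return any(_match(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT listed.
    return not any(_match(p, action) for p in _as_list(stmt["NotAction"]))


def _conditions_hold(conditions, ctx):
    # All condition operators must hold for the Deny to apply.
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            wanted, actual = _as_list(wanted), ctx.get(key, "")
            if operator == "StringNotEquals":
                if actual in wanted:
                    return False
            elif operator == "ArnNotLike":
                if any(_match(p, actual) for p in wanted):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(policy, action, requested_region, principal_arn):
    """True if any Deny statement in the SCP matches this request.

    This models only the explicit-Deny half of SCP evaluation; an action that
    is not denied here still needs an identity-based Allow to actually run.
    """
    ctx = {"aws:RequestedRegion": requested_region,
           "aws:PrincipalARN": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_in_scope(stmt, action):
            continue
        if _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"
    bg = "arn:aws:iam::111122223333:role/BreakGlass"
    for action, region, who in [("ec2:RunInstances", "us-east-1", dev),
                                ("ec2:RunInstances", "eu-west-1", dev),
                                ("iam:CreateUser", "us-east-1", dev),
                                ("ec2:RunInstances", "us-east-1", bg),
                                ("cloudtrail:StopLogging", "eu-west-1", bg)]:
        print(f"{who.rsplit('/', 1)[1]:10} {action:24} {region:13} "
              f"denied={scp_denies(PRODUCTION_OU_SCP, action, region, who)}")
```

Because the SCP sits on the OU rather than in each account's IAM policies, moving an account into the production OU is all it takes to inherit the guardrail, which is the access-by-need simplification the earlier answer refers to; the evaluator is only a model of the Deny logic for reading the policy, not a substitute for the IAM policy simulator.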
The question is not why or how to use AWS Organizations, but why have multiple accounts at all in the first place, if the required functions can be achieved in a single account itself.
For example, if a large company was using a single account and had many Lambda functions, it could easily run into the maximum number of concurrent Lambda executions. Splitting that across multiple accounts allows for a higher aggregate limit.
"Also, some regulatory requirements mandate separate accounts for production and development." What??? "There are also account quotas that larger customers would bump up against if using a single account"?? Like what? Maybe be more specific.