Hi There
AWS multi-account strategy is the recommended approach, which involves organizing your AWS resources across multiple AWS accounts to improve security, cost management, and resource isolation. By creating separate AWS accounts for different business units, environments (e.g., development, staging, production), or specific applications, you can achieve better access control and resource management. The multi-account approach enables you to apply centralized governance and policies, while also allowing for autonomous operations within individual accounts, leading to improved operational efficiency and security.
- I would recommend adopting AWS Organizations and IAM Identity Center for a single sign-on solution rather than individual IAM users.
- You can create Sandbox accounts for devs to experiment in, and workload accounts for each environment with different sets of controls.
- This will work fine; you can deploy across accounts by assuming IAM roles.
- Again, this should not be a problem with cross-account IAM roles.
Take a look at the Multi-Account Strategy Whitepaper, and specifically, a starter org layout here: https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/basic-organization.html
Thanks for your answer! A few follow-up questions:
Good question! AWS best practice is to avoid running workloads in the management account. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html
What I would do is:
Excellent advice. If I may ask one last question: currently we use Route 53 to manage per-developer and per-environment domain names that point to the API Gateway, e.g. prod.bigcorp.com, staging.bigcorp.com, developer1.bigcorp.com. This can be done without any per-developer console work today using the Serverless Framework Domain Manager plugin (https://www.serverless.com/plugins/serverless-domain-manager). If we have several accounts, can they still share the same (root) domain and use an IaC solution like Serverless to have each account manage its own subdomain?
You can create the main hosted zone in a shared account and then delegate subdomains to the individual accounts. Here's a good Medium article that explains, and a blog post that explains how to automate this.
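The delegation described in that answer, together with the cross-account role assumption mentioned earlier in the thread, expressed as a Terraform configuration. This is an added example, not code from the answerer, from AWS, or from the Serverless Framework plugin; the account IDs, role names, region, and the `bigcorp.com` apex zone are placeholders. The shared account owns the apex hosted zone, the workload account owns the child zone for its subdomain, and the only write into the shared account is the NS record that points at the child zone's name servers:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Shared account that owns the apex zone. Account ID and role name are placeholders.
provider "aws" {
  alias  = "shared"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/Route53DelegationRole"
  }
}

# Workload account for one developer or environment. Account ID and role name are placeholders.
provider "aws" {
  alias  = "workload"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/DeployRole"
  }
}

variable "subdomain" {
  type    = string
  default = "developer1"
}

# Look up the apex zone in the shared account; it is never modified beyond the NS record below.
data "aws_route53_zone" "apex" {
  provider = aws.shared
  name     = "bigcorp.com."
}

# The child zone lives in the workload account, so serverless-domain-manager
# running with that account's credentials can create its records there.
resource "aws_route53_zone" "child" {
  provider = aws.workload
  name     = "${var.subdomain}.bigcorp.com"
}

# NS delegation in the apex zone, using the name servers Route 53 assigned to the child zone.
resource "aws_route53_record" "delegation" {
  provider = aws.shared
  zone_id  = data.aws_route53_zone.apex.zone_id
  name     = "${var.subdomain}.bigcorp.com"
  type     = "NS"
  ttl      = 300
  records  = aws_route53_zone.child.name_servers
}

output "child_zone_id" {
  value = aws_route53_zone.child.zone_id
}
```

Scope the role in the shared account tightly: it only needs `route53:GetHostedZone`/`route53:ListHostedZones` and `route53:ChangeResourceRecordSets` on the apex zone, and the latter can be restricted with the `route53:ChangeResourceRecordSetsRecordTypes` condition key to `NS` (and `route53:ChangeResourceRecordSetsNormalizedRecordNames` to the expected subdomain) so a compromised developer pipeline cannot rewrite `prod.bigcorp.com`. Each workload account's trust policy should name the specific CI principal that is allowed to assume `DeployRole`, not the whole shared account.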