top | item 31963247

Frajedo | 3 years ago

We give each one of our developers their very own aws account managed through AWS organizations service. They are full administrators and responsible for resources and cost.

So far we haven’t had any issues or bad surprises, although we have set up some AWS billing alerts just in case.

Feel free to make them responsible for cost and resources and you’ll be surprised how well they can manage their own account.


101008|3 years ago

> Feel free to make them responsible for cost and resources and you’ll be surprised how well they can manage their own account.

Wow, this is horrible. I understand responsibility but this is too much. Are other employees responsible if the company loses money for their actions?

nouveaux|3 years ago

It is quite common to have budgets employees have to work with.

cube00|3 years ago

I suspect it's more the individuals would be warned and re-trained if they didn't keep their costs under control (usually it's done at the team level) rather than having actual financial responsibility.

Frajedo|3 years ago

Not sure what the problem is, if anybody exceeds the expected « normal usage » we simply get in touch and fix the issue.

Lessons learned for everybody, it’s a win-win situation.

devonkim|3 years ago

I think it really depends upon a number of factors but even pretty smart people can make stupid mistakes, especially when it comes to security in AWS. I’m familiar with several cases where engineers fired up old AMIs and got the instances compromised within an hour because they were running old, vulnerable software and ran it in a publicly routable subnet. There are some basic rules to follow that can help avoid issues like those, though, that as organizations scale they need to enforce to a greater degree eventually. Disallowing provisioning their own VPCs, disallowing publicly routed subnets, and establishing some decent auth infrastructure are all a good start that will work for a long time and have minimal friction for users. I’m a strong believer in security as a UX problem where doing the Right Thing should be easier than doing the Lazy / Bad Thing, so I feel if people are having issues doing things the right way I’ve messed up and need to improve usability and meet my users where they are to achieve my own goals of a secured infrastructure.

Giving people responsibility and autonomy also comes with some responsibilities by the providers in a shared responsibility model is all I’m saying and every policy works out fine until it doesn’t.
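The guardrails devonkim lists (no self-provisioned VPCs, no publicly routed subnets) are normally enforced from the management account as an AWS Organizations service control policy (SCP) attached to the developer accounts' OU. The block below is an added illustration, not the commenter's or any project's configuration: the SCP document is a constructed example (the specific EC2 actions denied, the placeholder account id and the `ec2:AssociatePublicIpAddress` condition are my choices), and `is_denied` is a deliberately simplified evaluator that models only explicit `Deny` statements with action/resource wildcards and the `Bool` condition operator. Real SCP evaluation has more rules (SCPs never grant access, they do not apply to the management account, and other condition operators exist), so use it to reason about what a policy blocks, not as a substitute for the AWS policy simulator.

```python
"""Simplified evaluator for an AWS Organizations SCP (teaching model only).

Added example, not the commenter's configuration. Everything below is
constructed: the policy content, the sample requests and the account id.
Only explicit Deny statements, '*'/'?' wildcards and the Bool condition
operator are modelled.
"""
import fnmatch
import json

# Constructed guardrail SCP. Denying VPC creation and internet gateway
# creation/attachment means a member account cannot build its own network
# and cannot give an existing subnet a route to the internet; a platform
# team provisions shared VPCs instead. The second statement blocks launches
# that request a public IP on the primary interface.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOwnNetworks",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVpc",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateEgressOnlyInternetGateway",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyPublicIpOnLaunch",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {"Bool": {"ec2:AssociatePublicIpAddress": "true"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block; only the Bool operator is modelled here.

    A key missing from the request context makes the condition false, which
    mirrors how a Bool condition behaves when the key is absent.
    """
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def is_denied(policy, action, resource="*", context=None):
    """Return the Sid of the first Deny statement that matches the request, else None."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
        elif "NotAction" in stmt:
            if _matches(stmt["NotAction"], action, case_insensitive=True):
                continue
        if not _matches(stmt.get("Resource", "*"), resource, case_insensitive=False):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return stmt.get("Sid", "<unnamed>")
    return None


# Constructed sample requests a developer-account principal might make.
ENI = "arn:aws:ec2:us-east-1:111122223333:network-interface/eni-0123456789abcdef0"
SAMPLE_REQUESTS = [
    ("ec2:CreateVpc", "*", {}),
    ("ec2:AttachInternetGateway", "*", {}),
    ("ec2:RunInstances", ENI, {"ec2:AssociatePublicIpAddress": "true"}),
    ("ec2:RunInstances", ENI, {"ec2:AssociatePublicIpAddress": "false"}),
    ("s3:CreateBucket", "*", {}),
]


def audit(policy, requests):
    """Return [(action, denying Sid or None), ...] for each sample request."""
    return [(a, is_denied(policy, a, r, c)) for a, r, c in requests]


if __name__ == "__main__":
    print(json.dumps(audit(GUARDRAIL_SCP, SAMPLE_REQUESTS), indent=2))
```

Running it shows the two network-building calls and the public-IP launch hitting a Deny while the private launch and the S3 call pass through the SCP (they are then subject to the account's own IAM policies, which the SCP cannot grant). The same pattern extends to devonkim's third point: an SCP can also deny `iam:CreateUser` and `iam:CreateAccessKey` so that developers authenticate through federated roles only, which is an assumption about that setup rather than anything the thread states.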

vageli|3 years ago

> We give each one of our developers their very own aws account managed through AWS organizations service. They are full administrators and responsible for resources and cost.

How many developers work at your organization?

Frajedo|3 years ago

25 at the moment :)

cure|3 years ago

> although we have setup some aws billing alerts just in case.

My experience with these has been decidedly mixed. As in, you define them and never, ever see an alert.

Frajedo|3 years ago

Hmmm, weird.

We always get the alerts in time with thresholds set to 70% of the wished value.

thayne|3 years ago

I'm more worried about someone inexperienced with AWS accidentally doing something really expensive than any kind of intentional abuse.

Frajedo|3 years ago

If you make a mistake with excessive resource allocation, you can get in touch with AWS and ask for a refund and they will gladly do so.

I’ve had to do it a couple of times for personal and professional accounts, and I’ve never had any rejections from them.