Having one account per database/backend/frontend is not only overkill, but actually a bad practice. You're going to have to expose your DB to the internet instead of having everything inside a single VPC.
What you should do instead is have one account per environment (as you said).
I do this. Technically you share the subnets. It's a fantastic pattern and enables greater autonomy for application teams. They're given an AWS account per app environment (e.g. WidgetApp Test, WidgetApp Prod, etc) and are able to build their stuff and attach it to existing subnets without a care about 'how' it communicates with the Internet or the greater organization.
It's a great idea if you know how manage it. This is current recommended practice for corporate. Single Network account that interconnects everything and dishes out subnets to other accounts for use exclusively by them.
That said, I still think it's overkill and doesn't bring any real benefit? Sure you're reducing the blast radius of a security breach, but are the overcomplications worth it? Also, you now have to manage multiple accounts with multiple policies and users / roles, won't that extra complexity actually increase the attack surface?
> Having one account per database/backend/frontend is not only overkill, but actually a bad practice.
That's how AWS works internally. A team can easily have several hundred accounts: one for each region, and for each env.
You absolutely need tools to manage them, and AWS is not great in this regard. IAM Identity Center is a good first step, but its usability sucks compared to the AWS internal tool (called "Isengard").
> You're going to have to expose your DB to the internet instead of having everything inside a single VPC.
There are several ways to NOT do this. The easiest one is to use IPv6 with your own block (you can get it from ARIN for around $100). Then split it into "public" and "private" subnets, and install a network ACL prohibiting external connections into the private subnet.
We use peered VPCs at work. We have a central account per environment that has the VPC that's shared to all the other accounts in that environment for databases etc.
To be honest, I'd probably prefer a single account per environment. But managing the IAM for that would be much more work.
tenplusfive|1 year ago
I'm honestly not sure if thats a great idea, but this might be a possible way to do one account per DB/backend/frontend in a somewhat sane way.
thedougd|1 year ago
lijok|1 year ago
LilBytes|1 year ago
Generally I'd stick to accounts per environment, you'll be worrying about a lot more when you get to FAANG scale.
shakiXBT|1 year ago
That said, I still think it's overkill and doesn't bring any real benefit? Sure you're reducing the blast radius of a security breach, but are the overcomplications worth it? Also, you now have to manage multiple accounts with multiple policies and users / roles, won't that extra complexity actually increase the attack surface?
cyberax|1 year ago
That's how AWS works internally. A team can easily have several hundred accounts: one for each region, and for each env.
You absolutely need tools to manage them, and AWS is not great in this regard. IAM Identity Center is a good first step, but its usability sucks compared to the AWS internal tool (called "Isengard").
> You're going to have to expose your DB to the internet instead of having everything inside a single VPC.
There are several ways to NOT do this. The easiest one is to use IPv6 with your own block (you can get it from ARIN for around $100). Then split it into "public" and "private" subnets, and install a network ACL prohibiting external connections into the private subnet.
Hikikomori|1 year ago
chippiewill|1 year ago
To be honest, I'd probably prefer a single account per environment. But managing the IAM for that would be much more work.
kroolik|1 year ago
dilyevsky|1 year ago