Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

We keep dev/staging/prod in different accounts, and we host some special environments for customers which is in separate accounts as well.

The only reason you want to do these things is for security and liability purposes. They are not an advantage for organizing things, but rather they protect against accidental resource deletion and unauthorized / unintended access.

It’s cumbersome to manage many accounts, but that’s a feature, not a bug: it’s intended to be difficult to switch between accounts, so that you can’t accidentally fat finger the wrong button.



They don't really though because in the several systems I've seen configured like that, the same staff have access to all accounts. Accidental deletion and unauthorized access should not be a possibility via policy rather than isolation, because if the former isn't done then the latter will not help. If the client demands it, sure, but charge them for the inconvenience.

The main risk is hitting resource limits which is why I would and do give development teams their own account to cause mayhem in.


The places I've worked just control that with SSO and groups in their auth system. Much easier to make a group in your auth software than try to create multiple permission boundaries in the same AWS account. It also makes cost allocation much easier (you don't need complicated tagging policies everywhere)


Security in layers.

Infrastructure as code.

Easier for you, easier for the black hatters.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: