Navigating Single vs. Multiple AWS Accounts for Optimal Cloud Management
There are pros and cons to having multiple AWS — or any public cloud — accounts.
When it comes to cloud computing accounts, more is better — at least sometimes. Other times, it makes most sense to stick with just one or a few accounts.
To explain how to choose the right number of accounts for a cloud environment, let's explore how accounts work, the pros and cons of multiple accounts, and why it may or may not make sense to adopt a multi-account strategy.
We'll focus specifically on Amazon Web Services, which remains the most widely used public cloud. However, the guidance below applies generally to any cloud (although as we explain, it's important to understand that cloud accounts function somewhat differently on different clouds).
What Is an AWS Account?
An AWS account is a virtual identity that AWS assigns to customers, giving them the right to create and manage AWS resources. Or, as AWS defines it, an account is a "container for all the AWS resources you create as an AWS customer."
AWS uses the term "container" in this context to mean that accounts are self-contained identities. Resources managed by one account can't be controlled or viewed by other accounts. In that respect, an account creates a virtual boundary that isolates your cloud resources.
Accounts vs. Users vs. Organizational Units
Importantly, an account in AWS is distinct from other types of identities that you can define. Specifically, an account is different from:
Users: A user is an identity that you can assign to a specific person. You configure users on AWS using the AWS Identity and Access Management (IAM) framework. Multiple users can share under the same account, although you can also create separate accounts for each user if you wish.
Organizational units: An organization unit, or OU, is a group of AWS accounts. You can define policies at the OU level that apply to all accounts managed through that OU. Typically, a single business would establish just one OU, although it's possible to create multiple OUs for your company if you wish.
Single vs. Multiple AWS Accounts: How to Choose
If your business uses AWS, you can opt to create just one account that all users within your organization share. Or you can set up multiple accounts — an approach known as a multi-account strategy (not to be confused with a multi-cloud strategy, which means something different).
AWS leaves it up to customers to decide how many accounts to create; there are no rules requiring you to set up a certain number of accounts, regardless of the scale at which you operate or which types of cloud services you use. (AWS does impose a limit of 5,000 total users per account by default, although you can request additional users under a single account if you somehow find yourself with more than 5,000 users who want to share an account.)
So, how do you choose? There's no simple answer, but consider the following common scenarios for establishing how many AWS accounts to use:
One account per business: If your cloud needs are relatively small scale — if you deploy just a few apps, for example, or have a small number of engineers who need to access the cloud — it's simplest to set up just one account that is shared by everyone in your business. This approach also ensures that everyone can easily share cloud resources; for example, if one user wants to help manage an app deployed by another user, they can easily do so in a single-account setup (provided the right IAM permissions are in place).
One account per department or team: If you have multiple departments or sets of users using your cloud platform, it often makes sense to establish a separate account for each one. Users on the same team typically work within the same environment but do not often have a reason to manage resources owned by other teams.
One account per workload: For workloads that require strict isolation from other workloads, you can configure separate accounts. Note, however, that it's also possible to enforce pretty strict boundaries between workloads using IAM policies, so you don't necessarily need multiple accounts if workload isolation is a priority.
One account per environment type: Some businesses set up separate accounts for different types of environments — one for dev/testing and one for production, for example.
One account per user: If each user in your organization is doing something unique in the cloud and rarely or never needs to interact with cloud resources managed by other users, it can make sense to configure a separate account for every user. However, that approach is relatively uncommon.
The bottom line here is that there are no hard-and-fast rules about how many AWS accounts to set up. You'll have to consider the needs and priorities of your business, teams, and users to make the right choice.
Multiple OUs in AWS
Tangentially, it's worth noting that (as mentioned above) it's possible to set up more than one organizational unit in AWS if you wish, then manage one or more accounts within each OU. This is a rare practice because accounts are granular enough that you can set different rules and policies for different accounts within the same OU, so functionally speaking, there is not a great reason to configure more than one OU. You can also manage bills for multiple accounts through a central AWS organization.
However, for very large businesses that include distinct units, having more than one OU sometimes makes sense. For example, if your company has gone through a merger or acquisition, it may retain separate OUs, one for each of the original organizations that formed the new entity.
Multiple Accounts on Clouds Other Than AWS
The same logic laid out above about separating (or not separating) sets of users or teams at the account level applies to other public clouds. However, because the organizational hierarchies and terminology used by other clouds are a bit different, you'll need to adjust your account management strategy slightly if you're working outside of AWS.
For example, on Azure, a "subscription" is more or less the equivalent of an AWS account (there are some nuanced differences between AWS accounts and Azure subscriptions that are beyond the scope of this article). And on Google Cloud Platform (GCP), the term "service account" refers to accounts created for machine users, which is a distinct concept from AWS accounts.
You'll want to make sure you understand the concepts and terms that your cloud provider uses to manage accounts before making decisions about how many accounts to use.
Conclusion
There are pros and cons to having more than one account in AWS or any public cloud. Multiple accounts can provide tighter isolation between teams and workloads, but they also increase complexity and make it harder to share resources in some cases.
About the Author
You May Also Like