Why an AWS Multi-Account Strategy Matters

A multi-account architecture means splitting your AWS workloads across several accounts instead of running everything in one. This post explains why I think it’s worth the extra setup cost.

What it looks like

A simple split:

  • Production: the live, customer-facing workload.
  • Development: a sandbox where engineers can break things without touching prod.
  • Security: central account for security tooling and cross-account monitoring.
  • Audit: stores logs and audit trails for compliance.

What you get

Security isolation. The account is the hardest isolation boundary AWS offers: nothing in one account can touch another unless a role in the second account explicitly trusts the first. A compromise is therefore contained to the breached account's resources plus whatever cross-account roles it is allowed to assume, so keep those trusts narrow. The blast radius is then one account, not your whole infrastructure.

Clear billing. Costs are reported per account (consolidated under the organization, but broken out per account), so you stop guessing which team or environment is burning money.

Compliance and audit. Regulated workloads can be placed in accounts with stricter controls, which narrows audit scope to those accounts instead of everything that happens to share an account with them.

Operational policies per account. Service control policies (SCPs) applied at the OU or account level, IAM permissions boundaries, and tooling can all differ per account, rather than bolting workload-specific rules onto a single shared account where every exception weakens the rule for everyone.

Use Terraform to manage them

Managing several accounts by hand (console clicks, ad-hoc CLI commands) drifts out of sync within weeks. I use Terraform with one root module per account (or per environment) and shared modules for common resources. This keeps account setup reproducible and reviewable in version control.

The main thing Terraform buys you here is cross-account consistency: the same VPC layout, IAM baselines, and logging config across all accounts, defined once.
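Here is what that layout looks like in practice, as an added example rather than code from this post: the root module for one member account, and the shared baseline module it calls. Account ids, the deploy role name, the state and CloudTrail bucket names, the region and the module path are all placeholders.

```hcl
# ---- accounts/production/main.tf (root module for ONE member account) ----
# Added example, not the post's own code. All ids, names and paths are assumptions.

terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  # State lives in the security/tooling account, one key per target account.
  # The backend authenticates with the operator's base credentials, not the
  # assumed role below, so a compromised workload account cannot rewrite state.
  backend "s3" {
    bucket         = "example-org-tfstate"                  # assumption
    key            = "accounts/production/terraform.tfstate"
    region         = "eu-west-1"                            # assumption
    dynamodb_table = "example-org-tfstate-lock"             # assumption
    encrypt        = true
  }
}

variable "target_account_id" { type = string } # e.g. "111111111111" (placeholder)
variable "audit_account_id"  { type = string } # e.g. "222222222222" (placeholder)

# Operators sign in to the tooling account and Terraform assumes a scoped
# deploy role in the target account; no long-lived keys in the member account.
provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn     = "arn:aws:iam::${var.target_account_id}:role/TerraformDeploy" # assumption
    session_name = "terraform-production"
  }
}

# The same baseline module is called from every account's root module, so the
# controls below are defined once and applied identically everywhere.
module "baseline" {
  source           = "../../modules/account-baseline" # assumption: shared module path
  audit_account_id = var.audit_account_id
  trail_bucket     = "example-org-cloudtrail"         # assumption: bucket in the audit account
}

# ---- modules/account-baseline/main.tf (shared module) --------------------
variable "audit_account_id" { type = string }
variable "trail_bucket"     { type = string }

# Account-wide S3 public access block: no bucket in this account can be made public,
# regardless of what an individual bucket policy says.
resource "aws_s3_account_public_access_block" "this" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# New EBS volumes in this region are encrypted whether or not the caller asks for it.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

# Trail delivered to the audit account's bucket. This account can write log files
# but, because the bucket and its policy live elsewhere, cannot read or delete them.
resource "aws_cloudtrail" "account" {
  name                          = "account-trail"
  s3_bucket_name                = var.trail_bucket
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true
}
```

The bucket in the audit account needs a bucket policy allowing the CloudTrail service principal to write objects for each member account id; that policy is managed from the audit account's own root module, which is the point: the account that produces the logs never holds the permissions to tamper with them. A `development` root module is the same file with a different state key, `target_account_id` and session name, which is what makes the baseline diff between accounts trivially reviewable.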

What it costs you

It’s more complex than a single account. You need:

  • Cross-account access patterns (typically IAM Identity Center, formerly AWS SSO, for people, plus role assumption for automation).
  • A consistent IAM baseline so engineers don't need a different setup per account.
  • Some way to share resources you don't want to duplicate (KMS keys, Route 53 zones, etc.), usually via resource policies or AWS RAM.
  • Team comfort with Terraform.

For a small project this is overkill. For anything with production data, customers, or compliance requirements, the isolation pays for itself the first time something goes wrong.

The AWS whitepaper Organizing Your AWS Environment Using Multiple Accounts is a good reference if you want to go deeper.
