WABI Engineering
All Articles
AWS Multi-Account Strategy - why a single account won't cut it
5 min read

AWS Multi-Account Strategy - why a single account won't cut it

#architecture#security#cost-control#best-practices
Nicolai Lang

Nicolai Lang

AWS Serverless expert. Advises and supports teams in building scalable cloud architectures.

One AWS account, everything in it, up and running. In the beginning, that's perfectly fine. Move fast, deploy your first workloads, show results. Nobody needs a multi-account strategy on day one.

But day one doesn't last forever. Soon someone asks what production actually costs. At some point a developer grants themselves admin permissions because they couldn't delete a bucket or edit a policy. And maybe one day someone runs a load test in staging and the production Lambdas hit their concurrency limit - because everything shares the same account.

That's when it becomes obvious: one account isn't enough. The good news? With the right strategy, moving to a clean multi-account setup is straightforward - even if you're not starting from scratch.

Why a single account falls short

An AWS account is more than just a login. It's a security boundary, a billing unit and a frame for service quotas. When everything runs in one account, all workloads share these dimensions - and that's far from ideal.

Let's start with security. A compromised IAM user or a misconfigured role - the blast radius is huge. At the same time, developers need enough freedom to do their work without putting production at risk. Balancing that gets harder as the application and the team grow. Separate accounts solve this elegantly: developers get the freedom they need, and production stays protected - through hard boundaries rather than ever more complex IAM policies.

Closely related is cost transparency. Without account-level separation, it's difficult to attribute costs cleanly, spot anomalies and catch unexpected spend early. Cost allocation tags help to some degree, but they have limits and don't cover every service reliably. Dedicated accounts per workload or team make cost tracking and control much simpler.

One topic that often flies under the radar: service quotas. Every AWS account has limits - think Lambda concurrency or API Gateway request rates. Some can be increased, some can't - and when they can, it's neither instant nor guaranteed. Separate accounts give each workload its own set of quotas.

And finally, compliance. For audits, certifications or internal governance, you need a clear separation between production and non-production. With separate accounts that separation is built in

  • no need to construct it artificially.

What a clean org structure looks like

AWS Organizations is the foundation here, and the concept is simple: a management account at the root, organizational units (OUs) below it, and individual accounts inside the OUs. Sounds like a lot of overhead - but it really isn't, as long as you set it up right.

A pragmatic starting point is leaner than you'd expect: a Security OU for log archive, security tooling and everything related to auditing. A Production OU for production workloads and global resources like DNS or shared networking. And a Dev/Sandbox OU for development, experiments and non-production workloads. Three OUs, clear separation - and you can always add more structure later when the need arises.

The beauty of it: the overhead is minimal, the structure delivers real benefits and scales naturally. New accounts can be provisioned in minutes and are ready to go - and the separation of costs, permissions and risk is baked in from the start.

The right tools for the job

A multi-account strategy stands or falls with how you operate it. Creating accounts by hand, managing permissions manually, clicking policies together in the console - that doesn't scale. The good news: AWS provides the right services, and with proper tooling you can manage your entire org structure as code - versioned, reproducible and fully automatable.

IAM Identity Center (formerly AWS SSO) solves one of the most common problems: IAM user sprawl. Instead of maintaining separate users and credentials in every account, you get a single entry point. Team members sign in once and switch between accounts and roles - without ever touching an access key. If you already have an identity provider, you can plug it in via SAML or OpenID Connect.

Service Control Policies (SCPs) are guardrails at the organization level. They define the maximum permissions allowed in an account - regardless of what IAM rights a user has. Lock down certain regions, prevent CloudTrail deletion, restrict the root user in workload accounts - all centrally managed, all enforceable. Not a recommendation, but a hard boundary.

Org Formation is our go-to tool for landing zones. Where Control Tower doesn't offer enough flexibility, Org Formation gives us significantly more control: accounts, OUs, SCPs, Identity Center - all as infrastructure as code, versioned in Git, reproducible and deployable via CI/CD. The real kicker: new accounts can be pre-configured with resources and deployments right out of the gate - based on CloudFormation or CDK. A new workload account doesn't arrive empty. It comes with the essential baseline resources already in place.

Where to start

If you're running everything in a single account today, you don't have to flip a switch and change everything at once. The path to a multi-account structure isn't a big bang - you can take it step by step.

First, create the organization and build the foundational structure: security accounts, log archive, a clean OU hierarchy. Then set up IAM Identity Center and retire existing IAM users. After that, migrate workloads into their own accounts - new projects first, existing ones gradually.

Two things to keep in mind along the way. First, don't over-engineer it. Not every team needs five accounts from day one. Start lean and grow with your requirements. Second, define a tagging strategy early. Even in a multi-account world, tags remain important - for cost attribution, automation and compliance.

Wrapping up

A multi-account strategy might sound like a big undertaking - but with the right tools and a few smart choices, it's a solid foundation for scaling sustainably on AWS. The native AWS services are there and mature. With Organizations, Org Formation, Identity Center, SCPs and CloudTrail you can build a strong foundation and keep building on it piece by piece.

With a bit of experience and foresight, this works even in a live environment. If you'd like to talk it through, feel free to get in touch.

You might also like

Why Serverless Is the Only Architecture That Makes Sense

Why Serverless Is the Only Architecture That Makes Sense

A serverless-first architecture gives you maximum flexibility at every stage of your project. But does that come with high costs and complexity? This article takes an honest look at the strengths and weaknesses - and explains why serverless is the best foundation and what the serverless paradox is all about.

7 min read

Let's talk

Whether it's a new initiative, an urgent bottleneck, or a second opinion on your current architecture. A quick conversation will show how we can help.

Email

hello@wabi-tech.com

Book a call

Free intro call

LinkedIn

Nicolai Lang