Using multiple AWS accounts for personal projects
Explore AWS multi-account management and which approach makes sense when managing personal accounts.
Using multiple Amazon Web Services (AWS) accounts for personal projects or experiments offers several advantages over keeping all resources in a single account. A multi-account strategy allows you to segregate environments, streamline cost tracking, and maintain "throwaway" accounts for low-risk testing. The benefits of using multiple accounts, even for personal projects, are well-known among the AWS community, and I was curious to see how others implement their personal setups.
While there are benefits to multi-account setups, they can also make management more complex. At my workplace, we use AWS Organizations and AWS Control Tower to manage numerous accounts across a large organization with dedicated security, DevOps, and platform teams to support it. While lacking the resources of a large organization, I still wanted to switch from storing my resources in a single account to multiple accounts. I turned to X (Twitter) to gather insights from the wider community. In this post, I'll share some of the recommendations I received.
If you use AWS for personal projects, do you leverage AWS Organizations and Control Tower and have different accounts for specific purposes, or do you run everything in one account? I have been running everything in one account until now, but having accounts for specific purposes…
— Chris Ebert (@realchrisebert) April 5, 2024
AWS Organizations
AWS Organizations is a free service designed to help with account management. It consolidates various AWS accounts under a single management account, facilitating centralized billing, compliance, and security management. AWS Organizations is the best way to start if you want multiple AWS accounts. Another perk of Organizations is that each account gets its own AWS free tier, which could help lower your AWS spend.
For detailed guidance on setting up and configuring AWS Organizations, please refer to the official AWS Organizations documentation. Once you have an AWS Organization configured, you'll need to choose an account creation and management approach that best suits your needs.
AWS Control Tower
AWS Control Tower works in conjunction with AWS Organizations to streamline the setup and governance of multiple organizational accounts. Leveraging Control Tower is widely regarded as a best practice for enterprises, particularly in highly regulated industries, due to its detailed governance features. However, for personal use, the complexities and potential costs associated with AWS Control Tower might outweigh its benefits.
Teri Radichel, a Cyber Security Architect and AWS Security Hero, provides valuable insights on setting up AWS Control Tower and AWS Organizations securely in her blog posts, which can be found here. While her insights and guidelines are great for larger organizations, the complexities involved may not be required for smaller non-production environments. Teri's extensive work convinced me that I am not up for this complexity when managing my personal accounts.
Control Tower Alternatives
When I sought input from others on this topic online, Danny Santiago mentioned an open-source project he started called Telophase. Telophase is described as an "Open Source Control Tower." This tool facilitates importing, creating, and deleting AWS organization accounts using code. I have limited experience with this tool, but I downloaded it and could import my AWS organization accounts, create new accounts, and delete existing accounts. I have yet to use any advanced features, such as assigning IaC blueprints to accounts. Read the Get Started with Telophase documentation if this project interests you. To use Telophase, you'll need a basic understanding of Go package management and Terraform. With enough community support, this OSS project proposes eventually building a web management interface to facilitate even easier account management, making this project even more interesting. I plan on using Telophase to create "burner" AWS test accounts that I can easily destroy later.
Conclusion
After reviewing guidance from various sources, I've determined that AWS Control Tower's complexity does not justify its use for my personal needs. I only need to manage a few accounts, focusing primarily on serverless services with restricted privileges. I've prioritized setting up two-factor authentication (2FA), AWS SSO, billing alarms, and limiting the use of the AWS root account. This approach keeps my setup simple and focused on learning and prototyping with AWS services without the overhead of more complex configurations.
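As an added example (not from the post, and not Telophase's code), here is the minimal setup described above expressed in Terraform with the hashicorp/aws provider: an organization with SCPs enabled, one burner member account, an SCP that blocks the member account's root user from calling APIs, and a billing alarm on the consolidated bill. Assumptions: the provider is configured with management-account credentials in us-east-1 (where AWS/Billing metrics are published), and the account e-mail address and the 20 USD threshold are placeholders.

```terraform
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# Throwaway member account; the e-mail address is a constructed placeholder.
resource "aws_organizations_account" "burner" {
  name              = "burner-01"
  email             = "aws+burner-01@example.com"
  parent_id         = aws_organizations_organization.org.roots[0].id
  close_on_deletion = true
}

# SCP: deny API actions taken as a member account's root user (SCPs never apply to the management account).
resource "aws_organizations_policy" "deny_root" {
  name = "deny-member-root-user"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Deny"
      Action    = "*"
      Resource  = "*"
      Condition = { StringLike = { "aws:PrincipalArn" = "arn:aws:iam::*:root" } }
    }]
  })
}

resource "aws_organizations_policy_attachment" "deny_root_burner" {
  policy_id = aws_organizations_policy.deny_root.id
  target_id = aws_organizations_account.burner.id
}

# Alarm on the consolidated bill; "Receive Billing Alerts" must be enabled in the management account's billing preferences.
resource "aws_sns_topic" "billing" {
  name = "billing-alerts"
}

resource "aws_cloudwatch_metric_alarm" "monthly_spend" {
  alarm_name          = "estimated-charges-over-20-usd"
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  dimensions          = { Currency = "USD" }
  statistic           = "Maximum"
  period              = 21600
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = 20
  alarm_actions       = [aws_sns_topic.billing.arn]
}
```

Enabling 2FA on each root user and configuring AWS SSO (IAM Identity Center) are console-side steps and are not covered by this configuration.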
If you have additional thoughts or suggestions on this topic, feel free to add a comment or start your own conversation or blog.