We manage AWS infrastructure for a number of clients. Sometimes it is servers and databases. Sometimes it is a CloudFront distribution and S3 buckets. Sometimes it is something totally different.
We’ve moved from having everything intermixed to creating a new AWS account for every client. This has pluses and minuses.
- The amount of money spent on AWS for each client is crystal clear (thanks consolidated billing!).
- The client's assets are separate from every other client's, and that isolation reduces risk ("I thought I was shutting down server A but accidentally shut down server B" are words you never want to hear).
- Access is more granular. While you can lock things down with IAM policies and resource tags, it's much simpler and harder to get wrong to say "this entire account is client X, and this other account is client Y". The account boundary also limits which team members can reach which client.
- You can grant the client access to their own account without worrying that an IAM policy mistake exposes another client's resources. This is a corollary of the point just above.
- Transferring the assets to a client is easier, should they depart: the whole account can be handed over instead of migrating individual resources.
What are the negatives of having separate AWS accounts for each client?
- More complicated to set up at the beginning. You have to learn how to use AWS Organizations to create and group the accounts.
- You have to create either roles or IAM users for everyone who needs access to the client account. (And if you use users, you need some way of revoking access across many accounts when someone leaves.)
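The role-based approach mentioned above, as an added example (this is not code from the original post): team members exist once, as IAM users in a central identity account, and assume a role in each client account. Revoking someone's access then means deleting one user. The account IDs (111111111111 for the identity account, 222222222222 and 333333333333 for clients), the role name `OpsAccess`, the profile names and the MFA device ARN are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. All account IDs, role and
# profile names below are hypothetical placeholders.

# Trust policy installed on the role in the CLIENT account. The ":root"
# principal delegates to the identity account's own IAM: any principal there
# that has been granted sts:AssumeRole on this role may use it, and only
# when the caller authenticated with MFA.
trust_policy() {
  identity_account="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${identity_account}:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }]
}
EOF
}

# Permission policy attached to a user or group in the IDENTITY account:
# it lists exactly which client accounts' roles they may assume.
# Usage: assume_policy <role-name> <client-account-id>...
assume_policy() {
  role_name="$1"; shift
  resources=""
  for acct in "$@"; do
    resources="${resources}${resources:+, }\"arn:aws:iam::${acct}:role/${role_name}\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [ ${resources} ]
  }]
}
EOF
}

# ~/.aws/config stanza so that `aws --profile <profile> ...` assumes the
# client role using the team member's identity-account credentials.
# Usage: cli_profile <profile> <client-account-id> <role-name> <source-profile> <mfa-serial>
cli_profile() {
  profile="$1"; acct="$2"; role_name="$3"; source_profile="$4"; mfa_serial="$5"
  cat <<EOF
[profile ${profile}]
role_arn = arn:aws:iam::${acct}:role/${role_name}
source_profile = ${source_profile}
mfa_serial = ${mfa_serial}
EOF
}

# Stand-alone demonstration: emit the three documents for one identity
# account, two client accounts and one team member.
trust_policy 111111111111
assume_policy OpsAccess 222222222222 333333333333
cli_profile client-x 222222222222 OpsAccess ops arn:aws:iam::111111111111:mfa/alice
```

To install the role, run `aws iam create-role --role-name OpsAccess --assume-role-policy-document file://trust.json` with credentials in the client account (after saving `trust_policy 111111111111 > trust.json`), then attach whatever permissions the team needs with `aws iam attach-role-policy`. A team member verifies the setup with `aws --profile client-x sts get-caller-identity`, which should report the assumed role in 222222222222. The `aws:MultiFactorAuthPresent` condition is checked for IAM users with an MFA device; if the identity account uses federated or IAM Identity Center sign-in instead, scope the `Principal` to those specific role ARNs rather than relying on that key.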
All in all, setting up separate AWS accounts for each client is well worth the small amount of additional hassle.