AWS Accounts

An AWS account is a secure, unique identifier for an individual or organization, providing access to Amazon Web Services (AWS) resources, and allowing for management, billing, and permissions configuration within the AWS ecosystem.

An AWS account serves both as a security boundary and as a container for resources. This lets you design and implement multi-account strategies for isolation, cost tracking, and resource management, while using AWS Organizations for central governance, consolidated billing, and service control policies (SCPs) that enforce compliance and best practices across the accounts within your organization.

Isolation allows you to limit the “blast radius” of any potential damage caused by an error, such as deleting or changing resources. It’s far easier to know which environment you are working in (PROD or STAGE) if you use separate accounts rather than relying only on resource names or tags, for example.

Securing access to resources and data based on account is easier to manage and audit. It’s good practice for each user to have a single account, with access to systems then granted or denied based on the security boundary of the system. Using multiple accounts makes it easier to manage access in this way.

Managing and budgeting resources at the account level is easier because you can readily see that the resources in a particular account are all assigned to the same cost center, rather than having to go to the resource level and then sum the values.


Manage AWS Account Permissions

Manage access to the AWS Account

Create an AWS Account

The current recommendation is to use AWS Organizations to create and manage AWS accounts.

Last modified July 21, 2024: update (e2ae86c)