Last week, I launched a new pipeline for Klayers to build Python3.8 Lambda layers in addition to Python3.7. For this, I needed a separate pipeline because not only is it a new runtime, but under the hood this Lambda uses a new Operating System (Amazon Linux 2 vs. Amazon Linux 1)
So I took the opportunity to make things right from an account hierarchy perspective. Klayers for Python3.7 lived in it’s own separate account from all my other hobby projects on AWS — but I kept all stages in it (default, dev and production). [note:Default is an odd-name, but it ties to the Terraform nomenclature]. This afforded some flexibility, but the account felt bloated from the weight of the different deployments — even though they existed in different regions.
It made no sense to have default and dev on the same account as production — especially since accounts were free. Having entirely separate accounts for prod & non-prod incurred no cost, and came with the benefit of additional free-tiers and tidier accounts with fewer resources in them — but the benefits don’t stop there.
Multi-accounts allowed me additional security controls through Service Control Policies (SCP) via AWS Organizations. Which keeps a nice tight lid on everything. For example, all accounts in Klayers have an SCP that prevents any EC2, EKS, ECR, Fargate and Route53 activities. This helps to limit the effect of any compromise on those accounts — no bitcoin mining here if I lose the key!
That being said, once you put the accounts in organizations, they share the free tier across the account — so balance it out!
So whey don’t people do this more often?
One major drawback of creating this multiple accounts is managing them — if you kill an AWS account — you’ll permanently kill the email associated with it as well. To avoid this, I use a lesser known feature on Gmail (and Google Apps) to create an infinite number of email accounts tied to a single ‘real account’.
Unlimited Gmail Accounts
You can a ‘+’ anywhere between your username and @ sign to get a new email address that requires zero additional effort on Gmail to setup. For example
All send their emails to the same email address ([email protected])
This way, I only need to create AWS accounts, and not have to create additional email accounts to support them. This make sense in ‘real’ organizations where there a multiple folks with actual different email addresses — but could work for individual projects like Klayers, using this ‘+’ email addresses to simulate those different people.
There is still manual effort in setting up the accounts (generally 5-10 minutes), and then creating the API keys necessary to deploy — but this is a one-time thing. I also have to replicate some manual work, like enabling ap-east-1 and me-south-1 on the accounts, as these regions are activated by default — but again a one time thing.
Overall the mixture of AWS Organizations capability, and Gmails ‘+’ addresses allow even one-person projects like Klayers to benefit for a better hierarchy of accounts, resulting in far tidier and simpler account management.
Last note, both Terraform and Serverless Framework support multiple accounts on a single machine. Simply configure your ~/.aws/credentials file for multiple profiles, and then point both them using the provider->profile variable to the correct AWS profile as setup in the credentials file.
Final bit, is that sometimes we have to resort to quick n’ dirty solutions which require us to copy paste stuff using the AWS Console — I’ll be honest, using the console for anything other than view only feels wrong to me, but sometimes we gotta do it. When we have multiple accounts on AWS, trying to copy and paste stuff across them is a pain — but a useful feature baked into Firefox comes in handy. Using firefox containers, we’re able to have a single Browser instance open, that access multiple aws accounts, each with their own tab nicely color-coded for you.