Using multiple accounts is considered an AWS best practice and is one of the most popular ways to get the most out of AWS.

An account lets you run multiple workloads and draws a boundary on three crucial aspects:

  • Billing and Cost Management
  • Identity and Access Management
  • Resource Limits and API Request Management

At first, since AWS encouraged creating multiple accounts, it developed Consolidated Billing to group all the bills of an AWS environment.

Then, in 2017, it introduced AWS Organizations.

Focusing on IAM and access management, AWS SSO built on top of Organizations has been a game changer for a large number of situations.

However, there are many circumstances where this kind of structure doesn’t fit the needs, for example:

  • Large companies, where the Identity Provider is split across many sub-companies: as the company grows, or if a company with its own Identity Provider is acquired by another, unifying access in a single point can be a significant pain.
  • Consulting partners: if you are a consulting partner, you probably have to isolate an Organization for each customer, which can’t be done with a single Organization and a single AWS SSO. Moreover, in the case of reselling, centralized billing and reserved instances at the Organization level don’t work either.
  • Organizations with more than 50 accounts: isolating workflows across accounts is difficult to achieve, and the blast radius in case of a breach is enormous.
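When AWS SSO does not fit (the consulting-partner and large-Organization cases above), access usually falls back to cross-account IAM roles, and the security of that setup lives in each role's trust policy. The following is an added example, not code from the original post: it builds a trust policy in which only one named partner account may assume a role in a customer account, and only when it presents an agreed `sts:ExternalId`, and it audits existing trust policies for the two weaknesses that most enlarge the blast radius (a wildcard principal, and a foreign account trusted without an ExternalId). The account ids, role name and external id are constructed placeholders.

```python
"""Cross-account role trust policies: build one that follows the least-privilege
pattern and audit existing ones for common weaknesses.

Added example; not code from the original post. All account ids and the
external id below are constructed placeholders.
"""
import json

PARTNER_ACCOUNT = "111111111111"      # constructed: consulting partner's account
CUSTOMER_ACCOUNT = "222222222222"     # constructed: customer account hosting the role
EXTERNAL_ID = "partner-customer-2a9f"  # constructed: value agreed out of band


def build_trust_policy(trusted_account, external_id):
    """Trust policy for a role in the customer account that only the named
    partner account may assume, and only with the agreed ExternalId
    (the standard mitigation for the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in several fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy, own_account):
    """Return a list of human-readable findings for a role trust policy.

    Checks each Allow statement granting sts:AssumeRole for:
      * a wildcard principal (any AWS account could assume the role)
      * a principal from another account with no sts:ExternalId condition
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            continue
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        condition = stmt.get("Condition", {})
        # condition keys are case-insensitive, e.g. "sts:ExternalId" vs "sts:externalid"
        cond_keys = {k.lower() for block in condition.values() for k in block}
        for arn in aws_principals:
            # ARN layout: arn:partition:iam::ACCOUNT:... ; a bare account id is also accepted
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != own_account and "sts:externalid" not in cond_keys:
                findings.append(
                    f"statement {i}: foreign account {account} trusted without "
                    "an sts:ExternalId condition (confused-deputy risk)")
    return findings


# Constructed weak policy: trusts the partner account but without an ExternalId.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    good = build_trust_policy(PARTNER_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("hardened policy findings:", audit_trust_policy(good, CUSTOMER_ACCOUNT))
    print("weak policy findings:", audit_trust_policy(WEAK_TRUST_POLICY, CUSTOMER_ACCOUNT))
```

The audit only reads policy documents, so it can be run offline over trust policies exported from each customer account; pairing it with a per-customer Organization keeps a compromised partner credential confined to the single account whose role it can assume, which is the blast-radius argument made above.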

#aws #sso #iam

AWS SSO VS Cross-Account Role-Based IAM Access