John

Reputation: 169

What's the drawback of using the same AWS account for different environments with different VPCs?

What are the drawbacks of deploying three environments (DEV, QA, and Production) under the same AWS account, in different VPCs with different IP tables?

To me it makes sense if the same team needs to manage three different environments.

I've heard people saying that one should use separate accounts for development and production, but does that mean using completely different environments, and that they should have different console login links?

Please advise. Thanks!!

Upvotes: 3

Views: 2299

Answers (3)

Ashan

Reputation: 19748

Generally, it is recommended to separate the production environment from the rest. For this, you can create a separate AWS account for deployment. The main reason for this is the isolation of the production account from the rest, both for security and for more managed control over it.

The problem in having one AWS account for multiple stages (Dev, QA, and Production) is that it is difficult to completely isolate environments using only IAM permissions. Even if it's the same team, separating the production account from the rest allows them to build confidence in using the other accounts (Dev and QA) without any hesitation. This also reduces the production issues that happen by mistake (especially when using many AWS services for the application).

To centralize the billing and reduce the management complexity of multiple AWS accounts, you can use AWS Organizations.

Upvotes: 2

jarmod

Reputation: 78803

You can make both ideas work (single account with multiple environments, or multiple accounts with one environment per account) and both have advantages and disadvantages.

If you run multiple environments in the same account:

  • your AWS account limits are more easily reached
  • a runaway dev script could impact production's ability to scale up
  • loss of credentials endangers all of your environments
  • developers could accidentally damage production

I think it's also simpler to separate production costs from other costs if you use multiple accounts and consolidated billing.

Setting up cross-account access is simple, if you need it.

Upvotes: 2
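The cross-account access jarmod mentions, as an added Terraform example that is not part of any answer above: it is applied in the production account and lets one named role from the non-prod account assume a read-only role there, so no long-lived production keys ever live in Dev/QA (which is the "loss of credentials endangers all of your environments" point). The account ID, role names and external ID are placeholders.

```hcl
# Added example (not from the question or answers): Terraform for the
# PRODUCTION account that lets one named role in the non-prod account
# assume a read-only role here, instead of sharing long-lived keys.
# Account ID, role names and the external ID are placeholders.

variable "nonprod_account_id" {
  description = "Placeholder: the Dev/QA AWS account ID"
  type        = string
  default     = "111111111111"
}

variable "external_id" {
  description = "Random value the caller must present on AssumeRole (supply at apply time)"
  type        = string
}

# The trust policy decides WHO may assume the role. Naming a single role
# in the non-prod account (not that account's root) keeps the blast
# radius of a leaked non-prod credential small.
resource "aws_iam_role" "prod_readonly_from_nonprod" {
  name                 = "ProdReadOnlyFromNonProd"
  max_session_duration = 3600 # credentials expire after one hour

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::${var.nonprod_account_id}:role/CiDeployRole"
      }
      Condition = {
        StringEquals = { "sts:ExternalId" = var.external_id }
      }
    }]
  })
}

# The permission policy decides WHAT the assumed role may do. Start from
# the AWS-managed ReadOnlyAccess policy and widen only per documented need.
resource "aws_iam_role_policy_attachment" "prod_readonly" {
  role       = aws_iam_role.prod_readonly_from_nonprod.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

From the non-prod side the caller obtains temporary credentials with `aws sts assume-role --role-arn <role ARN> --role-session-name <name> --external-id <value>`; a CloudTrail `AssumeRole` event in the production account then records every such crossing, which is the audit trail you lose when everything shares one account.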

raevilman

Reputation: 3259

It's not separate AWS accounts but organizations.
Please read here https://aws.amazon.com/organizations/ .
Yes, each org will have its own console login link.

Using different VPCs in the same account for separate dev/qa/prod envs, you need to deal with different names for S3 buckets and DynamoDB tables, as these don't support VPC segregation.

[Bonus]: One org costs around $100 per month :)

Upvotes: 0
