Marcel's notes

Setting up AWS for test/acc/prod environments

The best practice for setting up AWS for different environments is a multi-account setup. This article dives deep into the topic and uncovers the possibilities.

The setup in the article is comprehensive, perhaps an overkill for small dev teams. Here's a possible simpler solution:

  • An empty AWS account with dev's IAM users (we can call it root)
  • For each environment, a dedicated AWS account (we can call it env-account)
  • In each env-account, have an Admin IAM Role with full administration access to the environment. The IAM Role must have a Trust Relationship set up with the root AWS account, that is, the users of the root AWS account can assume the Admin Role.
  • A dev logs in to the root account and assumes the IAM Role of the selected env-account.

Billing could be consolidated using AWS Organizations. If more granular security is needed, separate IAM Roles with narrower permissions could be used alongside the Admin Role.

(There's also another solution: each env and each dev having their own AWS account. Pros: each dev can play in AWS independently; cons: a more involved initial setup.)

Thanks to Bram and Daan for the discussion.