Setting up AWS for test/acc/prod environments
The best practice for setting up AWS for different environments is a multi-account setup. This article dives deep into the topic and uncovers the possibilities.
The setup in the article is comprehensive, perhaps an overkill for small dev teams. Here's a possible simpler solution:
- An empty AWS account with dev's IAM users (we can call it root)
- For each environment, a dedicated AWS account (we can call it env-account)
- In each env-account, have an Admin IAM Role with full administration access to the environment. The IAM Role must have a Trust Relationship set up with the root AWS account, that is, the users of the root AWS account can assume the Admin Role.
- A dev logs in to the root account and assumes the IAM Role of the selected env-account.
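The trust relationship above has two halves, and both are needed: the Admin Role in the env-account must trust the root account, and the dev's identity in the root account must itself be allowed to call sts:AssumeRole on that role. The following is an added example (not from the original post) that generates both policy documents and checks they point at each other; the account IDs and the role name "Admin" are constructed placeholders, and the MFA condition is an extra hardening step the post does not mention.

```python
import json

# Constructed placeholder account IDs (not real accounts)
ROOT_ACCOUNT_ID = "111111111111"   # the "root" account that holds the devs' IAM users
ENV_ACCOUNT_ID = "222222222222"    # one env-account, e.g. test
ROLE_NAME = "Admin"                # assumed name of the env-account role

def env_account_trust_policy(root_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy attached to the Admin role inside the env-account.
    It lets principals from the root account call sts:AssumeRole; the MFA
    condition is an added hardening step, not part of the post's setup."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{root_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def root_account_assume_policy(env_account_id: str, role_name: str) -> dict:
    """Identity policy for dev users (or a group) in the root account.
    Trusting the account on the env side is not enough on its own: the dev's
    own identity must also be allowed to call sts:AssumeRole on the role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{env_account_id}:role/{role_name}",
        }],
    }

def trust_is_consistent(trust: dict, assume: dict, root_account_id: str,
                        env_account_id: str, role_name: str) -> bool:
    """Check that the two halves refer to each other: the env-account role
    trusts the root account, and the root-side policy targets exactly that role."""
    trusted = {s["Principal"].get("AWS") for s in trust["Statement"]
               if s["Effect"] == "Allow" and isinstance(s.get("Principal"), dict)}
    targets = {s["Resource"] for s in assume["Statement"]
               if s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"}
    expected_principal = f"arn:aws:iam::{root_account_id}:root"
    expected_role = f"arn:aws:iam::{env_account_id}:role/{role_name}"
    return expected_principal in trusted and expected_role in targets

if __name__ == "__main__":
    trust = env_account_trust_policy(ROOT_ACCOUNT_ID)
    assume = root_account_assume_policy(ENV_ACCOUNT_ID, ROLE_NAME)
    print(json.dumps(trust, indent=2))
    print(json.dumps(assume, indent=2))
    print("consistent:", trust_is_consistent(trust, assume, ROOT_ACCOUNT_ID, ENV_ACCOUNT_ID, ROLE_NAME))
```

Repeat the pair once per env-account; a dev who switches environments then changes only which role ARN they assume, never which credentials they log in with.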
Billing could be consolidated using AWS Organizations. If more granular security is needed, different IAM Roles could be used.
(There's also another solution: each env and each dev having their own AWS accounts. Pros: each dev can play in AWS independently; cons: a more involved initial setup.)
Thanks to Bram and Daan for the discussion.
Update 2021/08: Found a guide on creating least privilege IAM roles for serverless apps