Why to create different AWS accounts?

Creating separate accounts is a common best practice within organizations. In a nutshell, an AWS account is a hard isolation boundary for resources, identities and permissions. You could say: "That can be achieved with different VPCs!", and that is right as far as networking goes. Separate accounts, however, add isolation at the IAM level too, and give you finer-grained control over who can do what in each account.

For example, we could grant QA and developers flexible permissions in the accounts that belong to the Dev environment, while restricting those permissions in the upper environments (Stage and Prod).

Besides that, we don't want applications to talk to resources they don't need. This is not only about environments: we could also create different accounts for different business units. For example, the e-commerce team's accounts don't need to talk to the marketing team's accounts if that is not required.

Sometimes a few accounts need an extra security layer that is not required for all of them; keeping them separate lets you apply that layer only where it is needed. That's yet another reason for creating different accounts.

Another reason to create several accounts is that it is easy and has no extra cost: you pay for the resources you use in each account, not for the account itself. Okay, Sergio..., I'm in. What is the downside of creating several accounts? Mainly the complexity of managing them, and the complexity of billing and cost allocation. That's a whole different topic that can be covered in another article.

How can I create one?

The only thing you need is an existing AWS account that you can administer; this account will become the management account of the organization. Besides that, you will need an email address dedicated to the new account, because every AWS account must have its own unique email address.

The first step is to have an organization configured at https://us-east-1.console.aws.amazon.com/organizations/v2/home/ (the region in the URL does not matter; AWS Organizations is a global service). The article linked below walks through that process. It is simple: it creates the organization's Root, which is the parent container of any organizational units (OUs) you create later.

Please check: https://repost.aws/knowledge-center/get-started-organizations

Once you have Organizations enabled and the Root in place, you can create your second AWS account as follows:

Click on "Add AWS account":

Just add the account name and the email address associated with that account. Leave the IAM role name as the default (OrganizationAccountAccessRole) for now: this role is created inside the new account, trusts the management account and grants it administrator access, which is how you will get into the account later. It is very important that the email address of the account's owner be unique! Otherwise the request fails, and it is easy not to notice.

Here is an example of the notification for an account creation request that failed because of a duplicated email address:

If everything goes right, you will have your second AWS account created within a couple of minutes:
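The same request can be made from the AWS CLI, which also makes the failure case visible: account creation is asynchronous, and the CLI exposes the request status together with the reason when it fails. The script below is an added example, not part of the original article; it assumes the AWS CLI is installed and configured with credentials for the management account, and the account name, request id and email in the embedded sample JSON are made up.

```shell
#!/bin/sh
# Added example (not from the original article): create a member account with
# the AWS CLI and poll the request until it reaches a terminal state, so a
# failure such as a duplicated owner email is reported instead of going unnoticed.
# Assumes the AWS CLI is configured with credentials for the management account.
set -eu

# Pull a string field out of the JSON that
# `aws organizations describe-create-account-status` prints.
# grep/sed only, so there is no dependency on jq.
#   $1 = JSON text, $2 = field name (State, FailureReason, AccountId, ...)
status_field() {
  printf '%s' "$1" | grep -o "\"$2\": *\"[^\"]*\"" | head -n 1 \
    | sed -E 's/.*: *"([^"]*)"/\1/'
}

# Tell the polling loop whether to stop: prints "done" when the request is in
# a terminal state (SUCCEEDED or FAILED) and "wait" otherwise (IN_PROGRESS).
classify_status() {
  case "$(status_field "$1" State)" in
    SUCCEEDED|FAILED) echo done ;;
    *) echo wait ;;
  esac
}

# Summarise a terminal status: prints "ok <account id>" on success or
# "failed <reason>" on failure, so callers can branch on the first word.
summarize_status() {
  if [ "$(status_field "$1" State)" = FAILED ]; then
    echo "failed $(status_field "$1" FailureReason)"
  else
    echo "ok $(status_field "$1" AccountId)"
  fi
}

# Create the account and wait for the result.
#   $1 = account name, $2 = unique owner email,
#   $3 = IAM role created in the new account (defaults to the console default)
create_member_account() {
  name="$1"; email="$2"; role="${3:-OrganizationAccountAccessRole}"
  req_id=$(aws organizations create-account \
    --account-name "$name" --email "$email" --role-name "$role" \
    --iam-user-access-to-billing DENY \
    --query 'CreateAccountStatus.Id' --output text)
  while :; do
    json=$(aws organizations describe-create-account-status \
      --create-account-request-id "$req_id")
    [ "$(classify_status "$json")" = done ] && break
    sleep 5
  done
  result=$(summarize_status "$json")
  case "$result" in
    failed*) echo "account creation failed: ${result#failed }" >&2; return 1 ;;
    *) echo "${result#ok }" ;;
  esac
}

# Constructed sample (not captured from a real organization) of the status
# returned when the owner email is already used by another AWS account.
SAMPLE_FAILED_STATUS='{
  "CreateAccountStatus": {
    "Id": "car-examplerequestid",
    "AccountName": "aws-from-scratch-dev",
    "State": "FAILED",
    "FailureReason": "EMAIL_ALREADY_EXISTS"
  }
}'

# Usage: sh create-account.sh <account-name> <owner-email> [role-name]
if [ "$#" -ge 2 ]; then
  create_member_account "$@"
fi
```

Run it as `sh create-account.sh <account-name> <owner-email>`; on success it prints the new account id, and on failure it exits non-zero with the reason. A duplicated email surfaces as the FailureReason `EMAIL_ALREADY_EXISTS`, which is the case the notification above shows. The `--iam-user-access-to-billing DENY` flag keeps billing data limited to the root user of the new account; pass `ALLOW` if IAM principals there should see it.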

That's great! How can I access that account now? I'll cover that in the next article of this series (AWS from Scratch). Thanks for reading!