Root account for billing and AWS Identity Center. Dev account for all the crap and lax permissions so people can try stuff. Production account with only production and extremely strict permissions where changes can only be made with terraform or a god mode account.
If you use AWS Control Tower to set up your stuff, this will happen sort of automatically.
It's been recommended practice for ages...
Use SCPs (service control policies) to disable any services and regions you don't use. Tada. Much harder to get an unexpected bill, much easier to enforce audits, etc.
But then if you pay for support, it only works in one account.
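As an added illustration of the "deny the services and regions you don't use" advice (this is example code, not something from the commenter or from AWS), the block below builds such an SCP document and includes a small evaluator that checks whether a given action in a given region would be blocked by it, so the policy can be sanity-checked offline before it is attached. The region list, the exempted global services and the denied services are constructed placeholders chosen for this example; the evaluator only implements the subset of IAM semantics the policy uses (`Action`/`NotAction` wildcards and a `StringNotEquals` condition on `aws:RequestedRegion`).

```python
import fnmatch
import json

# Constructed example values; substitute your own in practice.
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]
# Global (region-less) services that must keep working even though their
# requests do not carry one of the allowed regions.
GLOBAL_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*",
                  "budgets:*", "cloudfront:*", "route53:*"]
# Services this organisation never uses and wants hard-blocked everywhere.
UNUSED_SERVICES = ["sagemaker", "lightsail", "gamelift"]


def build_scp(allowed_regions, global_actions, unused_services):
    """Return an SCP document with two explicit-deny statements:
    one for requests outside the allowed regions (global services exempted)
    and one for services that are not used at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnusedRegions",
                "Effect": "Deny",
                # NotAction: deny everything EXCEPT the listed global services
                "NotAction": list(global_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            },
            {
                "Sid": "DenyUnusedServices",
                "Effect": "Deny",
                "Action": [f"{svc}:*" for svc in unused_services],
                "Resource": "*",
            },
        ],
    }


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy, action, region):
    """Return the Sid of the first Deny statement that blocks (action, region),
    or None if no statement in the policy denies it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:
            applies = not _action_matches(stmt["NotAction"], action)
        if not applies:
            continue
        region_cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = region_cond.get("aws:RequestedRegion")
        # StringNotEquals is satisfied (deny applies) only when the request's
        # region is NOT in the allowed list.
        if allowed is not None and region in allowed:
            continue
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    scp = build_scp(ALLOWED_REGIONS, GLOBAL_ACTIONS, UNUSED_SERVICES)
    print(json.dumps(scp, indent=2))
    for action, region in [("ec2:RunInstances", "ap-southeast-2"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateUser", "ap-southeast-2"),
                           ("sagemaker:CreateNotebookInstance", "us-east-1")]:
        print(f"{action} in {region}: denied by {scp_denies(scp, action, region)}")
```

Two points worth keeping in mind when using a policy shaped like this: SCPs never grant anything, they only cap what IAM policies in the member accounts can grant, and they do not apply to the organization's management account, which is one more reason to keep that account limited to billing and identity as the comment above suggests.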
Assuming you're playing the "only pay for a business support plan when you actually need to file a ticket" game like me, with a very slight amount of effort this works in your favor instead of being a downside. Put your expensive-but-reliable stuff (e.g. large 24/7 EC2 instances, your S3 buckets) in one account and your cheap-but-fiddly stuff (e.g. your EKS cluster) in another account. When you need support on the fiddly stuff you're only paying a percent of that account.
At work we did not follow this advice, so we have a single account and we're vulnerable to an unnecessarily high support bill if we happen to need to file a ticket in an expensive month. We could have avoided this with account segmentation; our expensive stuff tends not to be the stuff we need support on.
This seems like a ton of work
That's always the case with AWS: reducing costs takes legwork, and by the same token, you can avoid legwork by accepting a higher bill.
Enterprise support agreements are organization-wide.
Although, you can gamify Business support (which is priced as a percentage of your bill) to not include things like your CloudTrail account, which probably never require support, but can get expensive across a large enough organization.
Thank god I was saved from having to read the first two words of that headline. We should have faulty paternalistic algorithms governing even more of our lives.