Skip to main content

AWS Landing Zone

Multi-Account Strategy: Why Your AWS Landing Zone Needs Multiple Accounts

Learn why a multi-account architecture is essential for security, compliance, and cost management in your AWS environment, and how to structure it effectively.

CloudPoint

CloudPoint Team

One of the most important architectural decisions when building an AWS Landing Zone is your account structure. While it might seem simpler to run everything in a single AWS account, a multi-account strategy provides significant advantages for security, compliance, and operational efficiency.

The Single Account Trap

Many organisations start with a single AWS account because it seems straightforward. However, this approach quickly leads to:

  • Security Risks: A breach in one application can compromise everything
  • Compliance Challenges: Difficult to separate regulated and non-regulated workloads
  • Cost Confusion: Unable to clearly allocate costs to teams or projects
  • Operational Complexity: Production and development mixed together
  • Blast Radius Issues: Mistakes in development can impact production

Benefits of Multi-Account Architecture

1. Security Isolation

Each account provides a strong security boundary. Even if credentials for one account are compromised, your other accounts remain protected. This isolation is particularly important for:

  • Separating production from non-production environments
  • Isolating different applications or business units
  • Protecting sensitive data in regulated industries

2. Compliance and Governance

Multi-account structures make it easier to:

  • Apply different security controls to different workloads
  • Demonstrate compliance through clear separation
  • Implement stronger controls for regulated data
  • Simplify audit processes

3. Cost Management

With separate accounts, you can:

  • Clearly attribute costs to specific teams or projects
  • Set up account-level budgets and alerts
  • Implement cost controls tailored to each environment
  • Enable detailed chargeback or showback models

4. Blast Radius Reduction

Mistakes and incidents are contained within account boundaries, preventing issues from affecting your entire organisation.

Here’s a proven account structure for Australian businesses:

Core Accounts

Management (Root) Account

  • Only for AWS Organizations management
  • Minimal resources deployed
  • Tightly controlled access
  • Consolidated billing

Security Account

  • Centralised security tooling
  • CloudTrail logs aggregation
  • Security Hub findings
  • GuardDuty detector

Log Archive Account

  • Long-term log retention
  • Immutable log storage
  • Compliance evidence
  • Access restricted to security team

Network Account

  • Transit Gateway or VPC peering
  • Shared VPCs
  • VPN connections
  • Direct Connect

Environment Accounts

Development Account(s)

  • Developer experimentation
  • Relaxed controls
  • Lower-cost resources
  • Ephemeral workloads

Staging Account

  • Pre-production testing
  • Production-like configuration
  • Integration testing
  • Performance testing

Production Account(s)

  • Live customer-facing workloads
  • Strictest security controls
  • High availability configuration
  • Comprehensive monitoring

Optional Accounts

  • Sandbox Accounts: Individual developer experimentation
  • Data Analytics Account: Centralised data lake and analytics
  • Shared Services Account: Common tools and services
  • DR Account: Disaster recovery resources in another region

Organising with AWS Organizations

AWS Organizations provides the structure to manage multiple accounts:

  • Organisational Units (OUs): Logical groupings of accounts
  • Service Control Policies (SCPs): Guardrails preventing unauthorized actions
  • Consolidated Billing: Single bill across all accounts
  • Policy Inheritance: Apply policies to OUs rather than individual accounts
Root
├── Security OU
│   ├── Security Account
│   └── Log Archive Account
├── Infrastructure OU
│   └── Network Account
├── Workloads OU
│   ├── Production OU
│   │   └── Production Accounts
│   ├── Non-Production OU
│   │   ├── Development Accounts
│   │   └── Staging Account
│   └── Sandbox OU
│       └── Sandbox Accounts

Account Vending and Automation

As your organisation grows, manually creating accounts becomes impractical. Implement account vending automation using:

  • AWS Control Tower Account Factory: Pre-configured account creation
  • Service Catalog: Self-service account provisioning
  • Infrastructure as Code: Terraform or CloudFormation for consistency

Cross-Account Access Patterns

Enable secure collaboration across accounts using:

  • IAM Roles: AssumeRole for temporary cross-account access
  • Resource Sharing: AWS RAM for sharing resources like Transit Gateway
  • CloudFormation StackSets: Deploy resources across multiple accounts
  • IAM Identity Center: Centralised SSO across all accounts

Migration Considerations

Moving from single to multi-account requires planning:

  1. Assess Current State: Document existing resources and dependencies
  2. Design Target State: Plan your account structure
  3. Implement Foundation: Set up core accounts and Organisations
  4. Migrate Workloads: Move applications systematically
  5. Decommission: Clean up the old single-account setup

Best Practices for Australian Businesses

  • Start with 3-5 core accounts minimum
  • Plan for growth but don’t over-engineer initially
  • Implement strong controls in the Management account
  • Centralise logging to meet regulatory requirements
  • Use separate accounts for different data classifications
  • Document your account structure and naming conventions
  • Regularly review and optimise your account strategy

Common Pitfalls to Avoid

  • Creating too many accounts too quickly
  • Inconsistent naming conventions
  • Not implementing proper cross-account access
  • Forgetting to set up centralised logging
  • Overlooking cost allocation tags
  • Not planning for account lifecycle management

Conclusion

A well-designed multi-account strategy is the foundation of a secure, compliant, and cost-effective AWS environment. While it requires upfront planning and some additional complexity, the benefits far outweigh the costs.

CloudPoint specialises in designing and implementing multi-account AWS environments for Australian businesses. Contact us to discuss your account strategy and Landing Zone requirements.

Ready to Implement Your Multi-Account Strategy?

CloudPoint designs and implements multi-account AWS architectures that scale with your business. Get in touch to discuss your requirements.

Learn more about our Landing Zone service →