We continue in Part VII with Chapter 30: Multi-Account and Landing Zones, which is about how large companies organize AWS. In subchapter 23.1 we saw AWS Organizations and SCPs, and mentioned that companies use multiple accounts. Now we go deeper: why separate things into different accounts instead of putting everything in one? Understanding this is key to designing the foundation of any serious organization in AWS. The central idea: the AWS account is the best separation unit that exists.
Reminder: What is an AWS Account
An AWS account is a complete and isolated "container" of resources, with its own billing and its own security limits. Until now, we have implicitly worked within a single account. Large companies, on the other hand, use many coordinated accounts (with AWS Organizations, subchapter 23.1). The question is why.
The Problem: Putting Everything in One Account Doesn't Scale
Imagine a company with several teams, several projects, and the development, testing, and production environments, all in a single AWS account. Serious problems arise:
Everything in one account: - Development and production mixed → an error in testing affects production - Costs of all projects together → impossible to know what each one spends - Complicated permissions → hard to isolate who can access what - If the account is compromised → EVERYTHING is at risk at once - AWS limits are shared → one project can exhaust them for everyone
It's like having an entire company working in a single giant room with no walls: the noise, mess, and risks of some affect everyone. You need to put up "walls." And in AWS, the best "wall" is the account.
The Key Idea: The Account as the Unit of Isolation
The recommended practice for companies is to separate different workloads into different accounts. Each team, project, or important environment goes in its own account. The account is AWS's strongest separation unit, because it offers isolation in three dimensions at once:
Separating into different accounts gives isolation of: 1. 🔒 Security → a problem in one account doesn't jump to the others 2. 💰 Costs → each account has its own clear and separate bill 3. 📊 Limits → AWS limits are per account, they don't interfere
Analogy: separating into accounts is like dividing a building into independent apartments instead of an open warehouse. Each apartment has its locked door (a problem in one doesn't enter the others: security), its own electricity meter (each pays their own: costs), and its own facilities (one doesn't use up the other's water: limits). Living in separate apartments is much more orderly and secure than sharing a warehouse with no walls. Accounts are those apartments.
The Three Reasons to Separate, in Detail
- Security Isolation (the most important)
If you separate into accounts, a security problem in one account (a breach, an error, an attack) is contained in that account and does not affect the others. It's the ultimate application of the "blast radius" principle: if something goes wrong, the damage is limited.
Production in its own account + Development in another account → if the development account is compromised, PRODUCTION remains safe
This is especially valuable for separating production (the critical stuff) from development/testing (where you experiment and there is more risk). A developer's mistake in their test account should never be able to touch production, and separating accounts guarantees this.
- Cost Separation
With each workload in its own account, each one’s bill is automatically separated (remember consolidated billing in Organizations, subchapter 23.1: you see the total, but also the breakdown by account). Knowing exactly how much each project or team costs is essential for cost management (remember FinOps, subchapter 25.5). In a single account, separating costs is much harder (you depend only on tags).
- Separation of Limits and Resources
AWS imposes certain limits per account (how many resources of a certain type you can create, etc.). If everything is in one account, a project could exhaust those limits and affect the others. With separate accounts, each workload has its own limits and doesn't interfere with the others.
Common Separation Patterns
How do companies decide what goes in each account? Common patterns:
By ENVIRONMENT: production account / testing account / development account By TEAM: team-A account / team-B account By PROJECT: project-X account / project-Y account Special accounts: security account, centralized logs account... (often combined: team A has its own dev account AND its own prod account)
These accounts are neatly grouped into Organizational Units (OU) within AWS Organizations (remember subchapter 23.1), and common rules are applied to them with SCP.
Real-world example: a company with three product teams decides on its multi-account structure. Each team gets two accounts: one for development (where they experiment freely) and one for production (with strict controls). In addition, they create a central security account (for the security team) and a logs account (where all logs are centralized). Result: when a developer breaks something in their development account, production doesn't even notice; each team sees exactly what their product costs; and an incident in one team is isolated from the others. The company went from a risky "everything mixed together" to an orderly, secure structure with clear costs. That separation is the foundation for operating at scale.
What You Should Remember
- Putting everything in a single AWS account doesn't scale: it mixes environments (an error in testing affects production), confuses costs, complicates permissions, concentrates risk, and shares limits. Like a company in a warehouse with no walls.
- The recommended practice is to separate workloads into different accounts (by environment, team, or project). The account is AWS's strongest isolation unit. Like dividing a building into independent apartments.
- Separating into accounts isolates in three dimensions: security (a problem doesn't jump between accounts; the most important), costs (separate bill per account), and limits (each account has its own).
- The most valuable: separating production from development/testing, so that an error or breach in testing can never touch production.
- Accounts are grouped into OUs and governed with SCP (Organizations, subchapter 23.1). Patterns: by environment, team, project, plus special accounts (security, logs).
In the next subchapter, we’ll see how to create and manage all these accounts automatically and with best practices from the start, with AWS Control Tower and landing zones.
Cloud, AWS & Terraform — From Zero to Expert
Chapter 1 · What is cloud computing
- 1.1 The traditional client-server model
- 1.2 Problems the cloud came to solve
- 1.3 On-premise vs cloud vs hybrid
- 1.4 The three service models: IaaS, PaaS, SaaS
- 1.5 The five pillars of cloud (according to NIST)
- 1.6 Real advantages: elasticity, pay-as-you-go, global availability
Chapter 2 · The cloud market and major providers
- 2.1 AWS, Azure and GCP: differences and market share
- 2.2 Why learn AWS first
- 2.3 Concepts that are universal among providers
Chapter 3 · Regions, availability zones and edge
- 3.1 What is an AWS region and how to choose it
- 3.2 Availability Zones: high availability by design
- 3.3 Edge locations and CloudFront
- 3.4 Latency, resilience and data sovereignty
Chapter 4 · Compute: EC2
- 4.1 Instances: types, families and when to choose each
- 4.2 AMIs, key pairs and Security Groups
- 4.3 Instance lifecycle
- 4.4 Elastic IPs and Placement Groups
- 4.5 Savings Plans vs Reserved vs On-Demand vs Spot
Chapter 5 · Storage: S3
- 5.1 Buckets, objects and keys
- 5.2 Storage classes (Standard, IA, Glacier…)
- 5.3 Versioning and object lifecycle
- 5.4 Bucket policies and ACLs
- 5.5 Static website hosting
Chapter 6 · Networking: VPC
- 6.1 What is a VPC and why you need it
- 6.2 Public and private subnets
- 6.3 Internet Gateway and NAT Gateway
- 6.4 Route Tables and Network ACLs
- 6.5 VPC Peering and endpoints
Chapter 7 · Identity and access: IAM
- 7.1 Users, groups, roles and policies
- 7.2 The principle of least privilege
- 7.3 Identity-based vs resource-based policies
- 7.4 MFA and temporary credentials (STS)
- 7.5 IAM security best practices
Chapter 8 · Managed databases
- 8.1 RDS: engines, Multi-AZ and read replicas
- 8.2 Aurora and its advantages over vanilla RDS
- 8.3 DynamoDB: key-value / document model
- 8.4 ElastiCache for in-memory cache
- 8.5 When to use each type of database
Chapter 9 · Why Infrastructure as Code
- 9.1 Problems with manual provisioning
- 9.2 Declarative vs imperative IaC
- 9.3 Terraform vs CloudFormation vs Pulumi vs CDK
- 9.4 The plan → apply → destroy cycle
Chapter 10 · HCL: the Terraform language
- 10.1 Resource, variable, output, locals blocks
- 10.2 Data types: string, number, bool, list, map, object
- 10.3 Expressions, references and built-in functions
- 10.4 Conditionals and loops (count, for_each, for)
Chapter 11 · Providers and state
- 11.1 How the AWS provider works
- 11.2 The terraform.tfstate file and its importance
- 11.3 Local state vs remote state (S3 + DynamoDB)
- 11.4 Essential commands: init, plan, apply, destroy, fmt, validate
Chapter 12 · Your first real infrastructure in Terraform
- 12.1 Create a VPC with subnets from scratch
- 12.2 Launch a public EC2 instance
- 12.3 Associate a Security Group and an Elastic IP
- 12.4 Outputs and references between resources
- 12.5 Team workflow: PR review of plans
Chapter 13 · Load balancing and auto scaling
- 13.1 Application Load Balancer vs Network Load Balancer
- 13.2 Target Groups, listeners and rules
- 13.3 Auto Scaling Groups: policies and metrics
- 13.4 Warm pools and lifecycle hooks
Chapter 14 · Serverless with Lambda
- 14.1 The Lambda execution model
- 14.2 Triggers: API Gateway, S3, DynamoDB Streams, SQS
- 14.3 Dependency management and layers
- 14.4 Cold starts and strategies to reduce them
- 14.5 Limits and anti-patterns
Chapter 15 · Messaging and events
- 15.1 SQS: standard vs FIFO queues, DLQ
- 15.2 SNS: topics, subscriptions, fan-out
- 15.3 EventBridge: event buses and rules
- 15.4 Patterns: pub/sub, decoupling, saga
Chapter 16 · Content delivery and DNS
- 16.1 Route 53: record types and routing policies
- 16.2 CloudFront: distributions, caches and origins
- 16.3 ACM: free SSL/TLS certificates
- 16.4 WAF integrated with CloudFront
Chapter 17 · Containers on AWS
- 17.1 Docker: quick review of key concepts
- 17.2 ECR: private image registry
- 17.3 ECS: task definitions, services, Fargate vs EC2
- 17.4 EKS: when Kubernetes and when not
Chapter 18 · Modules: reuse and composition
- 18.1 Anatomy of a Terraform module
- 18.2 Input variables, outputs and dependencies
- 18.3 Local modules vs Terraform Registry modules
- 18.4 Module versioning with Git tags
- 18.5 Design of generic vs domain-specific modules
Chapter 19 · Workspaces and environment management
- 19.1 Terraform workspaces: use cases and limitations
- 19.2 Directory strategy per environment (dev/stg/prod)
- 19.3 Terragrunt: DRY for environment configurations
- 19.4 Environment variables and .tfvars files
Chapter 20 · Remote backends and locking
- 20.1 Configure S3 + DynamoDB as backend
- 20.2 State locking: avoiding team corruption
- 20.3 State migration between backends
- 20.4 terraform import: bring existing resources into state
Chapter 21 · Infrastructure testing
- 21.1 Terraform validate and fmt in CI
- 21.2 Checkov and tfsec: static security analysis
- 21.3 Terratest: integration tests in Go
- 21.4 Contract testing between modules
Chapter 22 · Terraform in CI/CD
- 22.1 Basic pipeline: lint → plan → apply in GitHub Actions
- 22.2 Atlantis: GitOps for Terraform
- 22.3 Terraform Cloud / HCP Terraform
- 22.4 Drift detection and automatic reconciliation
Chapter 23 · Defense in depth
- 23.1 AWS Organizations and Service Control Policies
- 23.2 AWS Config: continuous compliance
- 23.3 GuardDuty: threat detection
- 23.4 Security Hub: centralized view
- 23.5 KMS: key management and rotation
- 23.6 Secrets Manager vs Parameter Store
Chapter 24 · Observability: logs, metrics and traces
- 24.1 CloudWatch Logs, metrics and alarms
- 24.2 CloudWatch Dashboards and Contributor Insights
- 24.3 X-Ray: distributed tracing
- 24.4 OpenTelemetry on AWS
- 24.5 Managed Grafana and Managed Prometheus
Chapter 25 · Cost optimization
- 25.1 AWS Cost Explorer and budgets with alerts
- 25.2 Trusted Advisor and Compute Optimizer
- 25.3 Rightsizing: how to detect overprovisioning
- 25.4 Savings Plans vs Reserved Instances: strategic decision
- 25.5 FinOps: culture and processes to control spending
Chapter 26 · High availability and disaster recovery
- 26.1 RTO and RPO: defining objectives
- 26.2 Strategies: backup/restore, pilot light, warm standby, multi-site
- 26.3 Route 53 health checks and automatic failover
- 26.4 AWS Backup: centralized backup policy
Chapter 27 · AWS Well-Architected Framework
- 27.1 The six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, sustainability
- 27.2 Well-Architected Tool: formal reviews
- 27.3 How to apply the framework in design decisions
Chapter 28 · Serverless architectures at scale
- 28.1 Event-driven architecture with Lambda + EventBridge
- 28.2 Saga pattern for distributed transactions
- 28.3 Step Functions: orchestration of complex workflows
- 28.4 Lambda@Edge and CloudFront Functions
Chapter 29 · Data platforms on AWS
- 29.1 Data Lake with S3, Glue and Athena
- 29.2 Kinesis Data Streams and Firehose for streaming
- 29.3 Redshift: data warehousing at scale
- 29.4 Lake Formation: data governance
Chapter 30 · Multi-account and landing zones
- 30.1 Why separate workloads into different accounts
- 30.2 AWS Control Tower and Account Factory
- 30.3 Centralized log and security management
- 30.4 Terraform at multi-account scale with shared modules
Chapter 31 · Platform Engineering and Internal Developer Platform
- 31.1 Golden paths and abstractions over Terraform
- 31.2 AWS Service Catalog
- 31.3 Backstage as a developer portal
- 31.4 Terraform modules as internal product
Chapter 32 · Relevant AWS certifications
- 32.1 Cloud Practitioner: is it worth it?
- 32.2 Solutions Architect Associate → Professional
- 32.3 DevOps Engineer Professional
- 32.4 Specialty: Security, Database, Networking
- 32.5 HashiCorp Terraform Associate
Chapter 33 · Projects to consolidate what you've learned
- 33.1 Project 1: serverless blog (S3 + CloudFront + Lambda + DynamoDB)
- 33.2 Project 2: REST API with ECS Fargate + RDS + ALB
- 33.3 Project 3: data platform with Glue + Athena + Redshift
- 33.4 Project 4: multi-account landing zone with Terraform and Control Tower