Managing AWS accounts efficiently is crucial, and I've navigated through the challenges of this process. Here's a practical approach for effectively operating AWS accounts within a company:

Organization Account

Consider designating a root account as the organization account. Transform it into an organization account to facilitate the addition of more AWS accounts, such as Non-Prod (dev, test, staging) and Prod (pre-prod, prod) accounts. Avoid direct resource creation in this account; instead, use it for creating users and managing policies. Enhance organization by creating groups like DevelopersGroup and TestersGroup to streamline user management.

Policies

Craft policies that enable users to switch to specific roles and these policies should be created under organization account. For instance, users in DevelopersGroup should have permissions to switch to the DevelopersRole role. Administrators can utilize the OrganizationAccountAccessRole role for comprehensive service management.

Sub Accounts

Tailor the number of accounts based on the business context, such as Non-Prod and Prod. Within these accounts, establish roles with custom policies, like the DevelopersRole role, to ensure a structured and secure environment.

Tagging

Tagging is a powerful tool often overlooked in account management. Teams commonly underestimate its impact, leaving resources untagged. Efficient tagging facilitates cost monitoring. For example, my team uses the “AlwaysOn” tag to identify resources that need continuous operation. Any resource marked “AlwaysOn: false” is stopped at night, restarting in the morning for optimized cost management.

Conclusion

By implementing these strategies, you can optimize the management of AWS accounts, promoting efficiency and security in your company's cloud infrastructure.