Introduction to Reference Architectures
Introduction to Cloud Posse Reference Architectures
At Cloud Posse, we use the following AWS accounts to provision infrastructure for different environments:
- root - Root account that we use to provision the IAM users to grant access to all other accounts
- prod - main Production account
- staging - Staging account
- audit - Audit account
- dev - Development account
- testing - Testing account used for fast provisioning and destroying infrastructure for testing purposes
We provision each stage into a separate AWS account, which gives us the following benefits:
- Complete separation of resources - you can’t affect anything in one account (e.g.
prod) by doing something in another (e.g.
- Better security - each account has its own users, roles, and permissions. Users can only access the accounts for which they have the required permissions by assuming IAM roles, and won’t be able to see anything else
- Simpler DevOps - you can destroy everything in one account (e.g.
terraform destroy) without affecting any resources in the other accounts
- Easier management - it’s much easier to manage users, roles and permissions per account than try to remember the web of dependencies of who can access what in a single account
- Simpler audit and compliance - we provision a
CloudTrailstate bucket only in the
auditaccount to collect
CloudTraillogs from all other accounts.
CloudTraillogs are automatically separated into different folders per account in the S3 bucket. Only a restricted set of users can have access to the
From the operational point of view, it would be easier (and faster) to provision all the infrastructure into just one AWS account.
However, we strongly recommend using multiple accounts for the benefits described above.
At Cloud Posse, we always follow these best practices.
Depending on your requirements, you might not need all the stages (e.g. the
dev stage might not be required).
You also might not need to provision all the resources (e.g.
See Notes on Using Multiple AWS Accounts for more details.