Hey Segment, are you aware that you can have several environments (dev, staging, prod, ...) on the same AWS account? :p
You can secure each environment with different credentials (IAM), so there's no need to create several AWS accounts!
In practice, cramming all this into the same account doesn't work. Segment is following best practice here.
For example, IAM doesn't provide the granularity in resources and conditions that you'd want to effectively isolate the blast radius of developer keys. ec2:TerminateInstances didn't (doesn't?) support VPC-level conditions, so being able to terminate one instance meant you could terminate all instances.
Similarly, you might want your engineering team to iam:PutUserPolicy in development, but have a much more restricted group in production which isn't possible with IAM today.
The other bit would be blast radius. What if someone does get access to your single account? How confident are you that your policies were airtight? By using many accounts, you create clear isolation boundaries that require opt-in sharing.
>>> By using many accounts, you create clear isolation boundaries that require opt-in sharing.
In theory yes. In practice, you will achieve the opposite of that.
Developers and ops will have to juggle 10 keys and accounts to get anything done. The keys will end up saved and written all over the systems. It will be impossible to audit across all the accounts and access.
ec2:TerminateInstances still doesn't support the VPC as a condition, but it does allow you to use tags. You can also limit a role to tagging only the instances it creates (as long as it includes the tags when it calls ec2:RunInstances). You can even require that specific tags are present. Combine all of that with some kind of "owner" tag and it's a pretty decent solution to the problem. Add automatic tagging on the backend and it's even better.
That said, it’s not perfect and there’s probably plenty of resources it wouldn’t work for. It’s also comparatively fragile.
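The two comments above (the one worrying that terminating one instance means being able to terminate all of them, and the reply describing owner tags, tag-on-launch and required tag keys) describe a concrete policy shape without writing it down. What follows is an added example, not code from either commenter or from Segment: an IAM policy document in the real JSON shape using the condition keys the reply refers to (`aws:ResourceTag/Owner`, `aws:RequestTag/Owner`, `aws:TagKeys`, `ec2:CreateAction`, and the `${aws:username}` policy variable), plus a deliberately small local model of how IAM evaluates it so the policy can be exercised offline. The `Owner` tag name, the sample account ID and instance ID, and the `is_allowed` evaluator (default deny, explicit Deny wins, only the two condition operators the policy uses, no NotAction or cross-account logic) are assumptions of this example, not IAM itself.

```python
"""Tag-scoped EC2 permissions: the policy document plus a small offline model
of how IAM would evaluate it (constructed example; not AWS's evaluator)."""
import fnmatch
import json

# Assumption for this example: every instance carries an "Owner" tag holding
# the IAM user name of whoever launched it (${aws:username} at evaluation time).
TAG_SCOPED_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Launch only if the request tags the new instance with
            # Owner = caller. aws:RequestTag is read from the RunInstances call;
            # ForAllValues:StringEquals on aws:TagKeys rejects any other tag key.
            "Sid": "RunInstancesTaggedWithOwner",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/Owner": "${aws:username}"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name"]},
            },
        },
        {
            # RunInstances also touches resources that carry no Owner tag yet.
            "Sid": "RunInstancesSupportingResources",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:volume/*",
            ],
        },
        {
            # Tagging is allowed only as part of a RunInstances call, so a user
            # cannot retag someone else's running instance and "adopt" it.
            "Sid": "CreateTagsOnlyAtLaunch",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}},
        },
        {
            # Lifecycle actions are scoped by the tag already on the resource.
            "Sid": "ManageOwnInstances",
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate only the condition operators this policy uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [e.replace("${aws:username}", ctx["aws:username"])
                        for e in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "StringEquals":
                # Single-valued key: an absent key makes the condition false.
                if actual is None or actual not in expected:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Set operator: every supplied value must be in the list;
                # vacuously true when the key is absent from the request.
                if any(v not in expected for v in _as_list(actual or [])):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def is_allowed(policy, ctx):
    """Simplified decision: explicit Deny wins, else any matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def ec2_request(action, username, context):
    """Constructed request context against a made-up instance ARN."""
    ctx = {"action": action, "aws:username": username,
           "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}
    ctx.update(context)
    return ctx


if __name__ == "__main__":
    print(json.dumps(TAG_SCOPED_EC2_POLICY, indent=2))
    for owner in ("alice", "bob"):
        req = ec2_request("ec2:TerminateInstances", "alice", {"aws:ResourceTag/Owner": owner})
        print(f"alice terminating {owner}'s instance:", is_allowed(TAG_SCOPED_EC2_POLICY, req))
```

Two caveats a practitioner should keep in mind, both of which are the "comparatively fragile" part. First, `ForAllValues` is vacuously true when no tag keys are supplied, so it only restricts which keys may appear; the requirement that an `Owner` tag be present at all is carried by the `aws:RequestTag/Owner` `StringEquals`. Second, read-only `ec2:Describe*` actions do not support resource-level conditions and still have to be granted on `*`, so a developer can list every instance in the account even though they can only act on their own.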
It is recommended to use multiple accounts for isolation. AWS has recently launched Organizations to make creation and management of multiple accounts simple. See https://aws.amazon.com/organizations
Tools like aws-vault and now aws-okta make securing credentials a piece of cake.
This just in: directories are pointless because you can put all files in the same one!
---
There are advantages to multiple accounts, for organization and security. Random example: adding tags to EC2 instances is an account-wide permission, for all EC2 instances. Multiply various things like that by 100 and accounts make sense.
OP here. You _can_ do this, but IAM-policy-wise it is a mess and not very maintainable.
You end up needing to constantly grant and revoke access to individual resources if you went this route. Instead, it's nice to give engineers access to everything that's in their account, and not worry about IAM policies.
Really the problem is that IAM is not a capability system. If you can write a policy at all, there are no limits on what you can put in it, so we can only let trusted admins touch policies. An engineer should be able to grant some of their own privileges to the things they run.
I was also alarmed to see that dynamodb:DescribeStream is limited to 10 QPS per account, making low-latency stream consumers into noisy neighbors of each other. Then there's all the "open a support ticket" per-account limits on table provisioning and running EC2 instances…
I'm Joseph Benguira, Founder & CTO of AppDrag Cloud CMS & Cloud Backend.
I started to work on Splitter after a friend and business partner, Maxime Seligman, challenged me to very quickly produce an A/B testing tool that he would be able to present at a big public web marketing event: the 12th Annual MEGAComm Conference on Feb 15, 2018.
This was the perfect occasion to test real-time technologies like AWS IoT with MQTT and prototype all of that very quickly in AppDrag Cloud Backend.
I consider this an experiment, a side project, and a complementary tool for AppDrag users, but also for anyone wanting to do A/B testing for free.
I intend to keep it free, active and maintained as a side project for AppDrag, so feel free to use it and to give us your feedback.
One reason so many homeless people smoke: it suppresses the appetite, making it easier to cope with being underfed. Sometimes when people stop smoking and gain weight because of it, they really wrestle with the question of whether or not it is worth it. I have had women tell me that the hardest part of quitting was watching their weight go up. It made it really hard to stay the course, because women are given so much hell in the US about how important it is to be thin.
As a former smoker, I could get by without eating much (intake less than 500 calories).
Nicotine and carbon monoxide levels settling provide a sensation similar to hunger, which would be satisfied for a short period by a cigarette.
You start confusing this with hunger and default to wanting another smoke.
I could go 16+ hours without eating anything and without thinking I was hungry.
Also, you notice that ex-smokers tend to gain weight because they are satisfying this sensation by eating more.