How to Separate Your AWS Production and Dev Accounts
Managing AWS can be hard. It has tons of services, very granular ways to enable and disable access between services, and lots of security implications that you have to keep in mind. Through the years at Codeship, we’ve learned many best practices, and we’ve seen many customers follow the same ones to make managing AWS accounts easier.
One of those easy to follow and very important best practices is setting up separate AWS accounts for development and production. We didn’t have that from the beginning — often we would find ourselves hesitating when trying out a new feature or generally experimenting with existing services.
At some point, we needed to make sure we had a separate sandbox account that we could use to play around in. At the same time though, like many startups, we still had AWS credits that we also wanted to use for that separate account, so consolidated billing was a must.
I’m going to walk you through setting up a separate account and enabling consolidated billing, and then give you a list of next steps you can look into to extend your usage of AWS.
Setting Up a Separate Account
Simply go to the Amazon Console and create a new account that can be used as your sandbox account. We prefer the name “sandbox” for ours, as it makes clear that this account exists to experiment with and test your setup.
While a single sandbox account is easy to name and use for a small team, you might want to create several separate accounts once you hit a larger scale and have multiple teams working on independent systems.
As Netflix explained in their Security Monkey introduction blog post, they have dozens of AWS accounts under management. While they are a particularly large example of this concept, it can make sense for much smaller teams to set up separate accounts for production infrastructure.
Enabling Consolidated Billing
Of course you want to make sure that you pay for all of those individual accounts through one account so you can easily keep your expenses in check. Consolidated Billing is a way to set this up.
We currently run our billing through the main production account. Another option that we’re thinking about for the future is to create a separate AWS billing account that doesn’t run any infrastructure and is strictly there for billing purposes. That would let us decouple access to our production infrastructure from access to our billing, so non-technical people can log in and take a look at the billing without getting near production infrastructure.
Of course IAM gives you a lot of control to make sure those users can’t access production infrastructure either, but keeping billing in a separate account is just that much nicer.
Log into the account you want to pay with, go to the billing settings in the upper right menu, and from there to consolidated billing. Here you can sign up for consolidated billing.
After your payment setup is validated, you’re ready to send invitations to other accounts to join.
Send a request by filling out the email and an optional note after clicking Send a Request. The account you’re inviting needs to go to their Consolidated Billing configuration page and accept the invite.
From now on, all bills payable by the linked account will be visible and paid through the main account.
You’re now free to use the Sandbox account to set up experiments or test infrastructure to keep your production system clean. In case you want to separate that out more, it might be a good idea to create a production, a QA, and a sandbox account — one for production release, a complete clone for internal QA that’s not used for real experiments but just for QA, and a sandbox where developers can do whatever they want.
Getting the Most Out of Your Sandbox Accounts
To make sure you keep your infrastructure in sync between the different accounts (in order to test properly), you should look into CloudFormation. Take a look at the recent two-part series on CloudFormation and Elastic Beanstalk to see an example of how CloudFormation can help you evolve your infrastructure.
Managing AWS effectively means more than just building infrastructure. You have to make sure your development team has all the tools it needs to not only build a successful system but also to experiment.
Consolidated Billing helps you manage costs and keep an overview of your accounts, while also giving your team the room to try new things without impacting production.
Take a look at the cross account resource access documentation to learn more about using your AWS accounts efficiently. Let us know in the comments which other ways you’ve found to be helpful.
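As an added example (not code from the original post or from Codeship), the helper below emits the trust policy for a role in the sandbox account that only principals from one other account may assume, and lints a trust policy for the mistakes that quietly undo account separation: a wildcard principal, a principal from an account that is not on your allow-list, or no MFA requirement. The account IDs are constructed placeholders.

```python
"""Build and sanity-check a cross-account IAM role trust policy (added example)."""
from __future__ import annotations
import json

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def trust_policy(trusted_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy letting principals of one account assume the role, MFA required by default."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy: dict, allowed_accounts: set[str]) -> list[str]:
    """Return human-readable problems found in a trust policy (empty list means clean)."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not ASSUME_ACTIONS.intersection(actions):
            continue  # only Allow statements granting AssumeRole matter here
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("wildcard principal allows any AWS account to assume the role")
                continue
            # ARN form is arn:aws:iam::<account-id>:..., bare form is just the account id
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in allowed_accounts:
                findings.append(f"principal from account {account} is not in the allow-list")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("statement does not require MFA")
    return findings


if __name__ == "__main__":
    # Constructed placeholder: 111111111111 stands for the production account.
    policy = trust_policy("111111111111")
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, {"111111111111"}))  # []
```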
Reference: How to Separate Your AWS Production and Dev Accounts from our WCG partner Florian Motlik at the Codeship Blog.