One AWS account for everything is getting crowded
An account per environment (prod, staging, sandbox, security, log-archive) is the standard since AWS Organizations. It separates blast radius, cost, and IAM without working per-VPC.
Try this first
- 1Enable AWS Organizations in the existing account, which becomes the management account. Don't do anything there except org admin and billing.
- 2Create at minimum: log-archive (all CloudTrail logs), security (GuardDuty, IAM Access Analyzer aggregator), prod, and non-prod accounts.
- 3Turn on AWS Identity Center (SSO). People get permission sets they can use across accounts, not separate IAM users per account.
- 4Attach SCPs at the OU level: e.g. no root actions, no non-EU regions, no Security-disable.
- 5Use Control Tower if this is your first time, it lays the baseline (CloudTrail, Config, log-archive) for you.
When to bring us in
For 5+ accounts or when regulators look in, a Control Tower baseline plus a short governance session is usually worth setting up.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.