This message was deleted.
# platform-blueprintss
Slackbot
06/09/2022, 9:01 AMThis message was deleted.
j
Johannes Würbach
06/09/2022, 9:08 AMThis depends a bit on what you are building, the cloud provider and if teams should be able to interact with the cloud provider directly.
I've struggle in the past to cleanly separate permissions inside a single AWS account as not all services support tag based permissions etc. Multiple accounts make this way easier (because the boundary is the account), but make other things more challenging. E.g. SSO to 50+ accounts, keeping security requirements inline etc.
f
Florian Lipp
06/09/2022, 9:09 AMMaybe good question also for @Maryann Bell @Bryan Finster @Galo Navarro @Brian Leathem
🙌 2
j
Joern Barthel
06/09/2022, 9:25 AMon aws multiaccount is the only way (otherwise you drown in policy complexity if you want to have any change of least privilege - also at scale API limits become an issue) - https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html gives a good overview about sensible options
Joern Barthel
06/09/2022, 9:26 AMtl;dr: organize accounts by workload, add sandboxes for individuals if you want; everything else (shared infra, ci/cd, environment considerations, special accounts) can be added later
👍 1
➕ 1
w
Wellington Majora
06/09/2022, 10:03 AMThank you @Joern Barthel for this, really helpful- much appreciated 🙂
👍 1
b
Bryan Finster
06/09/2022, 10:20 AMMorning!
Bryan Finster
06/09/2022, 10:23 AMYou need a way to track team utilization. One of the mistakes that's frequently made is to think of the cloud as an infinite server. Those workloads cost money. You need to be able to track it when a team doesn't design something correctly and your cloud bill goes through the roof. You need a way to track the total cost of ownership of each team's product and that includes daily operation. You, of course, also need to make sure that one team does not impact another team in production.
p
Paul Seddon
06/10/2022, 12:38 PMOut of interest, what do people here use for cost tracking? Tagging is often a losing battle, ownership changes, etc, so a way of dynamically creating cost groups outside of AWS feels like the way to go. Yet to find the right tool to do that, along with monitoring, reporting, anomaly detection, recommendations, all in a single pane of glass. We have fine-grained accounts which helps a lot, but within that (or even across accounts) cost management is tricky.
j
Joern Barthel
06/10/2022, 1:44 PMdepends - if you want / can afford (highly dependent on your profile & how you negotiate) an external cost management tool (typically requires substantial investment into understanding how to use it) can help here
the standard 1 account per environment and workload / service structure + individuals sandboxes style i described above also tends to simplify this aspect a lot - for what kind of (shared?) costs do you need insights in your fine grained accounts? or are they cut by sth. other than workload types?
p
Paul Seddon
06/10/2022, 1:49 PMCut by business groups and environments, but within each account there is still some splitting of costs required.
j
Joern Barthel
06/10/2022, 1:50 PMfor resources provisioned by the users of that account? or centrally (stacksets, lz, adf, ctc, whatever) provisioned?
Joern Barthel
06/10/2022, 1:51 PMah, wait, you wrote business groups - would the same need to redistribute costs still apply if it would be workloads?
Joern Barthel
06/10/2022, 1:51 PMwith business groups becoming OUs?
26 Views