
Organize multiple projects (AWS)

In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.

We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.

We want our projects to be organized following these rules:

  • Each project must have a staging and production environment.
  • Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
  • The client is responsible for paying the bills of the project (staging and production environment).
  • Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
  • We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.

[Image: Ideal organization for projects in AWS]

So, is it possible to organize projects in AWS under the rules previously mentioned? If so, what are good resources to learn how to do this? If not, what cloud providers allow us to organize projects the way we want?

Thanks for your attention and time. I'm looking forward to your replies.

GianMS asked May 31 '19 04:05



1 Answer

The fact that you want project-specific charges to go to customers and you want each project to be independent indicates that your best choice would be to use a separate AWS Account for each project (or each client).

By keeping projects in separate AWS accounts:

  • Each account will only have costs associated with a particular project
  • Resources in each account will be kept separate
  • User permissions in each account will be kept separate
  • You can create staging and production environments within the same account (see below)

You can have multiple accounts joined together by using AWS Organizations:

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.

Some companies go one step further and also keep staging and production in separate AWS accounts. They do this because they wish to keep production resources and users away from non-production resources and users. This reduces the chance of somebody accidentally changing Production when they meant to update Staging. While you can use IAM permissions to reduce such a thing from happening, keeping staging and production in separate accounts guarantees that people with only staging permissions will not be able to impact production.

Your company should maintain ownership of all of the accounts so that you can manage and control them. Each month, you will receive a consolidated bill, but it will show costs broken down by account. Thus, you will know how much to charge your clients.

The developers will need separate logins to each AWS account. So, if they wish to work on Project 1, they will need to log in to the AWS account for Project 1. They then have access to the resources in Project 1, but not any of the other projects. When they wish to work on another project, they will need to re-login with credentials for the other project's AWS account. You might think that this adds extra work, but it also adds extra security and ensures that each client's resources are kept totally separate.

A final benefit of using separate accounts is that, in future, if a client wishes to take control of their systems, you can assign the AWS account to them without having to do any work to separate their resources from other clients. It is like handing over the keys of a house — they can move in without anyone having to move out.

John Rotenstein answered Oct 14 '22 14:10
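
With a separate login per account, moving a developer off a project means removing that login in every account of the project. The following is an added example, not part of the original question or answer: it compares the logins found in each account against the intended team assignments and reports what to revoke or grant. It assumes one account per project environment; all account, project and user names are constructed.

```python
# Added example; every account, project and user name below is constructed.
# One AWS account per project environment (the stricter layout in the answer).
ACCOUNTS = {
    "project1-staging": ("project1", "staging"),
    "project1-production": ("project1", "production"),
    "project2-staging": ("project2", "staging"),
    "project2-production": ("project2", "production"),
}
# Desired state: developer -> {project: environments they may log in to}.
ASSIGNMENTS = {
    "alice": {"project1": {"staging", "production"}},
    "bob": {"project1": {"staging"}, "project2": {"staging", "production"}},
}
# Observed state: logins present in each account. Assumption: collected by
# listing the IAM users of each account; embedded here so it runs offline.
OBSERVED = {
    "project1-staging": {"alice", "bob", "carol"},  # carol left project1
    "project1-production": {"alice", "bob"},        # bob is staging-only
    "project2-staging": {"bob"},
    "project2-production": set(),                   # bob not yet onboarded
    "legacy-sandbox": {"alice"},                    # not in the inventory
}

def expected_logins(accounts, assignments):
    """Return {account: developers who should have a login there}."""
    expected = {}
    for account, (project, env) in accounts.items():
        expected[account] = {
            dev for dev, projects in assignments.items()
            if env in projects.get(project, set())
        }
    return expected

def reconcile(accounts, assignments, observed):
    """Return (action, account, user) findings ordered by account; user is
    None for an account that holds logins but maps to no known project."""
    expected = expected_logins(accounts, assignments)
    findings = []
    for account in sorted(set(accounts) | set(observed)):
        if account not in accounts:
            findings.append(("unmapped-account", account, None))
            continue
        present = observed.get(account, set())
        findings += [("revoke", account, u) for u in sorted(present - expected[account])]
        findings += [("grant", account, u) for u in sorted(expected[account] - present)]
    return findings

if __name__ == "__main__":
    for finding in reconcile(ACCOUNTS, ASSIGNMENTS, OBSERVED):
        print(finding)
```

The `revoke` findings are the ones to act on first: each is a login that outlived the assignment it was created for.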