Now that we’ve covered the basics, I want to talk about AWS account structure and how to use it to improve your security posture. By default, everyone signs up and runs everything from their first account. Only when people hit the limits (of the account, or of their understanding of AWS) do they investigate how to do something more with their account structure.
Instead of that, I want to encourage people to set up their environment to be more secure from the start, simply by taking advantage of things such as consolidated billing. If you read all the AWS material on consolidated billing, it will tell you:
Consolidated Billing is strictly an accounting and billing feature. It is not a method for controlling accounts, or provisioning resources for accounts. It doesn’t change how the accounts function or how they are accessed. Consolidated Billing, therefore, cannot be used for sharing computing resources between accounts.
This isn’t strictly true. You can use Consolidated Billing to control accounts, but you’re doing it at a much higher level than IAM. Instead of working inside the account, you’re going to sign up to several AWS accounts, link them for consolidated billing and utilise this account structure for security.