How to create AWS Accounts
Using multiple Amazon Web Services (AWS) accounts allows GDS to:
- enforce administrative isolation between workloads
- minimize the impact of security breaches
- isolate audit data in separate accounts
GDS teams can create as many AWS accounts as they need; in practice this usually means at least one production and one non-production account.
You can read more about AWS Multiple Account Security Strategy in AWS Answers.
Requesting an account
To request an AWS account, complete and submit the "request an AWS account" form.
Reliability Engineering will confirm if your account is eligible for inclusion in the GDS AWS bill and also perform the initial account setup.
Once your account is created you’ll receive an email with the account ID and will be able to assume an administrative role from the GDS users base account.
Setting up an account
Your account will be created with a bootstrap role which has full admin rights. The users you specified in the "request an AWS account" form should be able to assume this role from the GDS users base account (see accessing AWS accounts).
You should use the bootstrap role to set up your new account following your team’s best practices (for example using Terraform).
As part of your account set up you should ensure that your users can assume roles that give them appropriate permissions.
You should remove the bootstrap role once you’ve added a properly configured admin role.
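The account set-up steps above, as an added Terraform example (this is not GDS's own configuration): run under the bootstrap role, it creates a properly configured admin role in the new account that can only be assumed from the GDS users base account, after which the bootstrap role can be removed. The account IDs, the region, the role name "admin", the bootstrap role's ARN layout and the MFA condition are all assumptions made for the example.

```hcl
# Added example, not GDS's own code. Account IDs below are placeholders.

variable "base_account_id" {
  description = "Account ID of the GDS users base account (placeholder)"
  type        = string
  default     = "111111111111"
}

variable "new_account_id" {
  description = "Account ID of the newly created account (placeholder)"
  type        = string
  default     = "222222222222"
}

# Run the configuration through the bootstrap role that the account was
# created with. The role name matches the page; the ARN layout is assumed.
provider "aws" {
  region = "eu-west-2" # assumption

  assume_role {
    role_arn = "arn:aws:iam::${var.new_account_id}:role/bootstrap"
  }
}

# Trust policy for the new admin role: only principals in the base account
# may assume it, and only when they authenticated with MFA. Trusting the
# base account's :root delegates the "which users" decision to IAM policies
# in the base account, which is where GDS users live.
data "aws_iam_policy_document" "admin_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.base_account_id}:root"]
    }

    # MFA requirement is an assumption, not a stated GDS requirement.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "admin" {
  name                 = "admin" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.admin_trust.json
  max_session_duration = 3600 # one hour sessions for an admin role
}

# Full admin rights via the AWS managed policy, replacing the bootstrap role.
resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

Apply this with the bootstrap role, then confirm from the GDS users base account that you can actually assume the new admin role before touching the bootstrap role; a trust policy typo otherwise locks everyone out of the account. Once that is verified, switch the provider's assume_role block to the admin role's ARN and remove the bootstrap role (detach its attached policies, then delete the role, for instance with `aws iam detach-role-policy` followed by `aws iam delete-role --role-name bootstrap` run as the admin role).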