This documentation is intended for internal use by the GDS community.

How to create AWS Accounts

Using multiple Amazon Web Services (AWS) accounts allows GDS to:

  • enforce administrative isolation between workloads
  • minimize the impact of security breaches
  • isolate audit data in separate accounts

GDS teams can create as many AWS accounts as they need; usually this means at least one production and one non-production account.

You can read more about AWS Multiple Account Security Strategy in AWS Answers.

Requesting an account

To request an AWS account, complete and submit the "request an AWS account" form.

Reliability Engineering will confirm if your account is eligible for inclusion in the GDS AWS bill and also perform the initial account setup.

Once your account is created you’ll receive an email with the account ID and will be able to assume an administrative role from the GDS users base account.

Setting up an account

Your account will be created with a bootstrap role which has full admin rights. The users you specified in the request an AWS account form should be able to assume this role from the GDS users base account (see accessing aws accounts).

You should use the bootstrap role to set up your new account following your team’s best practices (for example using Terraform).

As part of your account set up you should ensure that your users can assume roles that give them appropriate permissions.

You should remove the bootstrap role once you’ve added a properly configured admin role.
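The three set-up steps above (use the bootstrap role, give your users a role they can assume from the base account, then remove the bootstrap role) are illustrated by the following Terraform fragment. It is an added example, not code from this documentation or from any GDS team; the account ID, the role name "admin" and the MFA condition in the trust policy are assumptions for illustration.

```hcl
# Added example (not GDS's own code): an admin role in the new account that
# can only be assumed from the GDS users base account. Apply this with the
# bootstrap role's credentials; once it works, the bootstrap role can go.

variable "gds_users_base_account_id" {
  description = "Account ID of the GDS users base account"
  type        = string
  default     = "111111111111" # PLACEHOLDER: replace with the real base account ID
}

# Trust policy: who may call sts:AssumeRole on this role.
data "aws_iam_policy_document" "admin_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    # Trusting the base account's root principal delegates the decision about
    # *which* users may assume the role to IAM policies in the base account.
    # To trust specific users instead, list their user ARNs here.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.gds_users_base_account_id}:root"]
    }

    # Assumption for this example: only sessions that authenticated with MFA
    # in the base account may assume an administrative role.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "admin" {
  name                 = "admin"
  assume_role_policy   = data.aws_iam_policy_document.admin_assume_role.json
  max_session_duration = 3600 # one hour; keep admin sessions short
}

# Permissions policy: what the role can do once assumed.
resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

output "admin_role_arn" {
  value = aws_iam_role.admin.arn
}
```

Before deleting the bootstrap role, confirm from the base account that the new role actually works (for example `aws sts assume-role --role-arn <admin_role_arn> --role-session-name check`, supplying your MFA device and code, followed by `aws sts get-caller-identity` with the returned credentials). Removing the bootstrap role before a working admin role exists locks you out of the account, so do the removal last and from a session that was opened through the new role.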