Do I need multiple Amazon Web Services accounts? - Amazon Account Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Do I need multiple Amazon Web Services accounts?

Amazon Web Services accounts are the fundamental security boundary in Amazon Web Services. Each account is a resource container that provides a useful level of isolation: by default, identities in one account have no access to resources in another account, and any cross-account access must be granted explicitly on both sides. The ability to isolate resources and users is a key requirement for establishing a secure, well-governed environment.

Placing your resources in separate Amazon Web Services accounts helps you support the following principles in your cloud environment:

  • Security control – Different applications have different security profiles and therefore need different control policies and mechanisms around them. For example, it is far easier to satisfy an auditor when you can point to a single Amazon Web Services account that hosts all elements of your workload that are subject to the Payment Card Industry Data Security Standard (PCI DSS), rather than having to show that in-scope and out-of-scope resources sharing one account are adequately separated.

  • Isolation – An Amazon Web Services account is a unit of security protection. A compromise or misconfiguration in one account should be contained there without affecting others, which is why workloads with different security needs (different teams, different security profiles) belong in different accounts. The boundary only holds as long as cross-account trust is granted narrowly: a role trust policy that names a whole account as principal, or an overly broad resource policy, reopens it.

  • Many teams – Different teams have different responsibilities and resource needs. You can prevent teams from interfering with each other by moving them into separate Amazon Web Services accounts.

  • Data isolation – In addition to isolating teams, it is important to isolate data stores in their own accounts. This limits the number of people who can access and manage each data store, contains the exposure of highly sensitive personal data, and can therefore help with compliance with the European Union's General Data Protection Regulation (GDPR).

  • Business process – Different business units or products can have completely different purposes and processes. With multiple Amazon Web Services accounts, you can support each business unit's specific needs.

  • Billing – An account is the only hard way to separate items at a billing level; cost allocation tags can break down costs within an account, but they depend on every resource being tagged correctly. Multiple accounts separate charges across business units, functional teams, or individual users. You can still have all of your bills consolidated to a single payer (using Amazon Organizations and consolidated billing) while keeping line items separated by Amazon Web Services account.

  • Quota allocation – Amazon service quotas are enforced separately for each Amazon Web Services account (and, for most services, separately per Region). Separating workloads into different Amazon Web Services accounts prevents one workload from exhausting the quotas of another.
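The isolation bullet above says that cross-account access must be granted explicitly and narrowly. The following added example (it is not code from this guide or from Amazon) shows what that looks like in practice: a data-owning account publishes a role trust policy that names exactly one role in a team account and requires an `sts:ExternalId`, the team account separately allows its role to call `sts:AssumeRole`, and a simplified evaluator checks the trust policy the way the three cases a practitioner cares about play out. The account IDs, role names, bucket name and external ID are made-up placeholders; ARNs use the `aws-cn` partition because this page concerns the China Regions.

```python
"""Cross-account access is opt-in on both sides (added example, stdlib only)."""
import json
from typing import List, Optional

DATA_ACCOUNT = "111111111111"    # hypothetical account that owns the data store
TEAM_ACCOUNT = "222222222222"    # hypothetical account of an application team
OTHER_ACCOUNT = "333333333333"   # hypothetical unrelated account
BUCKET = "example-pci-cardholder-data"  # hypothetical bucket name
EXTERNAL_ID = "team-a-7f3c9d"    # hypothetical value shared out of band


def trust_policy(trusted_role_arn: str, external_id: str) -> dict:
    """Resource-side half, attached to the role in DATA_ACCOUNT: who may assume it.
    Naming one role ARN (not the bare account) and requiring sts:ExternalId
    keeps the boundary narrow and guards against the confused-deputy problem."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def team_identity_policy(target_role_arn: str) -> dict:
    """Identity-side half, attached in TEAM_ACCOUNT: the caller's own account must
    also allow the AssumeRole call. The trust policy alone grants nothing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def data_role_permissions(bucket: str) -> dict:
    """What the assumed role may do inside DATA_ACCOUNT: read-only on one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws-cn:s3:::{bucket}", f"arn:aws-cn:s3:::{bucket}/*"],
        }],
    }


def _principals(stmt: dict) -> List[str]:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def assume_role_allowed(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified trust-policy evaluation: an explicit Deny wins; otherwise some Allow
    statement must name the caller (exact ARN, the caller's account root, or '*')
    and any StringEquals condition on sts:ExternalId must match. Real IAM
    evaluation has more rules; this covers the ones the example exercises."""
    caller_account = caller_arn.split(":")[4]
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        account_root = f"arn:aws-cn:iam::{caller_account}:root"
        if not any(p in ("*", caller_arn, caller_account, account_root) for p in _principals(stmt)):
            continue  # principal in a different account: the account boundary holds
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond and cond["sts:ExternalId"] != external_id:
            continue  # right principal, but the ExternalId check failed
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo() -> dict:
    """Three calls against the same trust policy; only the first succeeds."""
    team_role = f"arn:aws-cn:iam::{TEAM_ACCOUNT}:role/analytics-reader"
    other_role = f"arn:aws-cn:iam::{OTHER_ACCOUNT}:role/analytics-reader"  # same name, other account
    policy = trust_policy(team_role, EXTERNAL_ID)
    return {
        "team_with_id": assume_role_allowed(policy, team_role, EXTERNAL_ID),
        "team_without_id": assume_role_allowed(policy, team_role, None),
        "other_account": assume_role_allowed(policy, other_role, EXTERNAL_ID),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The third case is the point of the isolation bullet: a role with an identical name in an unrelated account is a different principal, so it is refused even with the correct external ID. The reverse is also worth remembering: if the trust policy named `arn:aws-cn:iam::222222222222:root` instead of one role, every principal in the team account that is allowed `sts:AssumeRole` could cross the boundary.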

All of the recommendations and procedures described in this document are consistent with the Amazon Well-Architected Framework. This framework is intended to help you design a flexible, resilient, and scalable cloud infrastructure. Even when you are starting small, we recommend that you follow the guidance in the framework. Doing so can help you scale your environment securely and without disrupting your ongoing operations as you grow.

Managing multiple Amazon Web Services accounts

Before you start adding accounts, develop a plan for managing them. For this, we recommend that you use Amazon Organizations, a free Amazon service for managing all of the Amazon Web Services accounts in your organization from a single management account.

Amazon also offers Amazon Control Tower, which adds layers of Amazon managed automation to Organizations and automatically integrates it with other Amazon services like Amazon CloudTrail, Amazon Config, Amazon CloudWatch, Amazon Service Catalog, and others. These services can incur additional costs. For more information, see Amazon Control Tower pricing.