accounts team - cirelledo-csa/herd GitHub Wiki
Product and Team Accounts in AWS
We support two kinds of accounts in support of products: development and production. Development accounts are created for teams to develop products and host non-production endpoints. Teams can explicitly request development accounts. Production accounts host production endpoints of products. Teams request production accounts indirectly, by requesting the promotion of products from development accounts to production. The cloud services team determines the placement of production endpoints in production accounts. Production account creation must address separation of cost, economies of scale, security, service requirements, etc., as needed. Below are some details that may help explain this account strategy.
Product account FAQs
Will we support recharge?
Never! Accounts are single payer.
Who owns an account?
No one! The organization owns all the accounts. Each account will have a principal. Think of this role as a steward rather than an owner.
What are some features of Development accounts?
- An account shared by a product team used to develop their product(s).
- Product team members have ADMIN rights in dev accounts!
- Production data and/or production endpoints can never be hosted in a development account.
- With great power comes great responsibility!
- Pay attention to cost!
- Pay attention to security!
- Clean up after yourself!
- Having a hard time cleaning up? Infrastructure as code is your friend.
- Having a hard time promoting your application to prod? Infrastructure as code is your friend.
- Not sure about what you're doing? Ask for guidance. Ask your peers, ask AWS.
- Generally you should restrict access to your proof-of-concept efforts to our on-prem network.
- Creating security group ingress 0.0.0.0/0? Don't do it!
- Don't know what something means? Ask!
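The two network points above (keep proof-of-concept endpoints reachable only from the on-prem network, and never open ingress to 0.0.0.0/0) are easy to check mechanically. The following is an added example, not code from this wiki or the herd project: it audits the JSON shape returned by `aws ec2 describe-security-groups` and flags ingress rules open to the world as HIGH and rules open to any CIDR outside the on-prem range as MEDIUM. The on-prem range `10.0.0.0/8`, the group IDs and the rules are all constructed placeholders.

```python
"""Audit EC2 security group ingress rules in a development account.

Added example (not part of the wiki). Operates on the JSON returned by
`aws ec2 describe-security-groups`; the on-prem CIDR below is an assumed
placeholder, as is the sample output at the bottom.
"""
import ipaddress
import json

# Assumed on-prem network; replace with the organisation's real CIDR list.
ON_PREM_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]

# Anything-from-anywhere CIDRs, IPv4 and IPv6.
WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def _port_label(perm):
    """Human-readable protocol/port range for one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":                      # "-1" means all protocols/ports
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR referenced by one ingress rule."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _outside_on_prem(cidr):
    """True when the CIDR is not fully contained in an on-prem range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p)
                   for p in ON_PREM_CIDRS)


def audit_ingress(describe_output):
    """Return findings as (group_id, port_label, cidr, severity) tuples."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for cidr in _cidrs(perm):
                if cidr in WORLD_OPEN:
                    findings.append((sg["GroupId"], _port_label(perm), cidr, "HIGH"))
                elif _outside_on_prem(cidr):
                    findings.append((sg["GroupId"], _port_label(perm), cidr, "MEDIUM"))
    return findings


# Constructed sample in the describe-security-groups shape (not real data).
SAMPLE = json.loads("""{
  "SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "poc-web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
       {"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "poc-db",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
     ]}
  ]}""")


if __name__ == "__main__":
    for gid, ports, cidr, sev in audit_ingress(SAMPLE):
        print(f"{sev:6} {gid} {ports} open to {cidr}")
```

Run it against real output with `aws ec2 describe-security-groups > sgs.json` and `json.load(open("sgs.json"))` in place of `SAMPLE`. Note that the `10.20.0.0/16` HTTPS rule produces no finding because it sits inside the assumed on-prem range, while the IPv6 `::/0` rule is caught even though the IPv4 side of that rule is empty.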
Who manages development accounts?
- Shared responsibility between Cloud services and product teams.
What services run in development accounts?
- Whatever is needed for Product teams to develop their Products.
How do we determine the services required to develop a Product?
- Cloud services and product teams work together to determine the spec.
What is a product account for?
- Dedicated account for production endpoints of a product.
- Product and operations teams have a limited/read-only role.
- Cross account role allows a build service to deploy and configure resources in Product accounts.
- Production Data can only be hosted in a Product Account.
- Legacy products may require humans with elevated roles to operate resources.
- Net new products should not require humans with elevated roles to operate.
- There can be flexibility in where product teams run their pre-production endpoints, e.g. one team might want to deploy UAT/QA/STAGE versions of a product in a product account to most closely simulate "production", while others might prefer to run these pseudo-production versions in their dev or test account.
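Because the build service's cross-account role is the only write path into a Product account, the role's trust policy decides who can deploy there. The following is an added example, not code from this wiki or the herd project: it lints a trust policy document for the common ways such a role ends up wider than intended (a `*` principal, trusting a whole account's `:root` instead of one build role, or an action broader than `sts:AssumeRole`). The build account `111111111111`, the role name `build-runner` and both sample policies are constructed placeholders.

```python
"""Lint the trust policy of a cross-account deployment role.

Added example (not part of the wiki). Assumes, as placeholders, that the
build service runs as role `build-runner` in account 111111111111; the
Product account's role should trust exactly that principal.
"""

BUILD_ACCOUNT = "111111111111"                       # assumed build-service account
BUILD_ROLE_ARN = f"arn:aws:iam::{BUILD_ACCOUNT}:role/build-runner"


def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]


def lint_trust_policy(doc, allowed_principals=frozenset({BUILD_ROLE_ARN})):
    """Return a list of finding strings; an empty list means the policy passes."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":                  # only Allow grants access
            continue
        raw = st.get("Principal", {})
        # Principal may be the string "*" or a dict such as {"AWS": ...}.
        principals = _as_list(raw.get("AWS", [])) if isinstance(raw, dict) else _as_list(raw)
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: Principal '*' lets any AWS principal assume the role")
            elif p.endswith(":root") or p.isdigit():
                findings.append(f"statement {i}: trusts the whole account {p}, not the build role")
            elif p not in allowed_principals:
                findings.append(f"statement {i}: unexpected principal {p}")
        for a in _as_list(st.get("Action", [])):
            if a != "sts:AssumeRole":
                findings.append(f"statement {i}: action {a} is broader than sts:AssumeRole")
    return findings


# Constructed "before": trusts every principal in the build account and
# grants all of sts:* rather than just role assumption.
WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{BUILD_ACCOUNT}:root"},
        "Action": "sts:*",
    }],
}

# Constructed "after": one named build role, one action.
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": BUILD_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
}


if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        result = lint_trust_policy(doc)
        print(f"{name}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

The linter only looks at the trust relationship; the permission policy attached to the same role still has to be scoped to the resources the product actually deploys. A policy that pins the principal to one role ARN and one action is the shape the spec between cloud services and the product team should converge on.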
Who creates cross account roles and how?
- Cloud services and product teams work together to determine the spec.
Who manages a Product account?
- Cloud services team
What services run in a Product account?
- Whatever is required of the product
How do we determine the services required to run a Product?
- Cloud services and product teams work together to determine the spec.