Multiple vs Single Accounts

There are 2 strategies for deploying your environments on AWS that are worth discussing.

Multiple AWS Accounts
Single AWS Account

Mutiple AWS Accounts

In multiple-account approach, each environment is deployed to a separate AWS account. For example production, management, and development are all on completely separate AWS accounts.

The multiple-account strategy is commonly used today because of the benefits. You get complete isolation between the environments. You have nice guardrail against accidentally doing something on production that was meant for development.

Additionally, AWS supports many features that make using multiple-account much easier today. AWS Organizations help you centrally create, manage, and organize multiple AWS accounts from a parent master account. Also, the aws cli and AWS sdk support switching AWS accounts with Named Profiles and the AWS_PROFILE env var. The AWS Console brower experience also supports switching between accounts easily.

The main drawbrack with the multiple-account is that you have to remember to switch accounts.

Overall, the multiple-account approach is the recommended approach.

Single AWS Account

In a single-account approach, each environment like production and development is deployed to the same AWS account.

The benefit is that you don’t have to remember to switch AWS_PROFILE.

The drawbracks is less isolation between the environments. You must be more careful to achieve isolation with AWS features like IAM policies, security groups, etc.

Lono Flexibility

Lono easily supports either approach. Lono even has an aws_profile setting so you don’t forget to also set LONO_ENV when switching between AWS accounts. Example:

configs/settings.yml:

development:
  aws_profile: dev_profile

production:
  aws_profile: prod_profile

When switch AWS_PROFILE=prod_profile, then LONO_ENV=production will also automatically be applied. By configuring the configs/settings.yml, you don’t have to remember to specify it.

Multiple Accounts Example

In a multiple-accounts setup, commands become very short and pretty.

export AWS_PROFILE=dev_profile
lono deploy vpc # deploy VPC to development AWS account
export AWS_PROFILE=prod_profile
lono deploy vpc # deploy VPC to production AWS account

Single Account Example

In a single-account setup, the commands become slightly longer. You must specify different stack names. Also, you’ll have to remember to specify LONO_ENV=production for non-development environments.

unset LONO_ENV # default is LONO_ENV=development
lono deploy vpc-development --blueprint vpc
export LONO_ENV=production
lono deploy vpc-production  --blueprint vpc

Generally, the multiple-account approach is the recommended approach.

Back Next Step

Pro tip: Use the <- and -> arrow keys to move back and forward.

Edit this page

See a typo or an error? You can improve this page. This website is available on GitHub and contributions are encouraged and welcomed. We love pull requests from you!

Suggest an edit to this page (here's the contributing guide).
Open an issue about this page to report a problem.

Quick Start
Use Existing Templates
Docs
- Walkthrough
- DRY: Reusable Code
- Project Structure
- Installation
- Code Convert
- Code Import
- BoltOps Pro
Core Concepts
- Blueprints
- Templates
- Configs
  - Params
  - Variables
- Layering
- Helpers
DSL Components
- Blueprint Structure
- Built-in Helpers
- Custom Helpers
DSL Docs
- Format Version
- Condition
- Description
- Mapping
- Metadata
- Output
- Parameter
- Resource
- Section
- Transform
DSL Extras
- Conditional Parameter
- Parameter Groups
- Stack Output
Intrinsic Functions
- Base64
- Cidr
- Condition Functions
- FindInMap
- GetAtt
- GetAZs
- ImportValue
- Join
- Ref
- Select
- Split
- Sub
Extensions
- Structure
Configsets
- Reusable
- Structure
- DSL
  - package
  - group
  - user
  - source
  - file
  - command
  - service
  - configset
- ERB
- Helpers
- Built-In Helpers
- Variables
- Project vs Blueprint
  - Project
  - Blueprint
- Debugging Tips
- Version Locking
- Materialized Sources
- cfn-init vs cloud-init
- cfn-init vs user-data
Lookup Precedence
- Blueprints
- Project Configsets
- Blueprint Configsets
- Extensions
Conventions

Configuration
- Settings
- Lono Env
- Lono Seed
Extras
- App Files
- App Scripts
- Guard
- Lambda Layers
- Lono Current
- Lono Stack and Bucket
- Minimal IAM Policy
- Multiple vs Single Accounts
- Notification ARNs
- Upgrading Guide
Stack Sets
- lono sets
ERB
- App Files
- Blueprint Structure
- Components
- Definition Conventions
- Template Definitions
- Template Helpers
- Custom Helpers
- Nested Stack Support
- Organizing Lono
Register
Articles
Lono Help
Next Steps
CLI Reference