Best practices for managing multi-account architectures
The best practices that follow touch on many of the areas covered in the previous section. Based on my experience developing Landing Zones for multiple enterprise customers, I would like to share some insights into the best practices that you could consider adopting for your organization.
Limiting access to the management account
The AWS account where you bootstrap the AWS Organizations organization is known as the management account, or the master payer. This is a highly privileged account that gives access to policy management, centralized billing and cost reports, and account management. It should only be accessed by selected personnel, under exceptional circumstances.
First, SCPs do not apply to the management account, which makes it difficult to enforce any policies or governance control at this level. Second, by default, AWS Organizations injects an IAM role into all AWS accounts in the organization, with AdministratorAccess...
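As an added illustration (not code from this text or from AWS), the following Python audits the trust policy of that injected role and builds a tightened one; it assumes the default trust policy has its usual shape (trusting the management account's root), and the account ID and the LandingZoneAdmin role name are placeholders.

```python
"""Audit the trust policy of the cross-account admin role that AWS
Organizations creates in member accounts (OrganizationAccountAccessRole).
The policies below are constructed for this example; 111111111111 is a
placeholder management (master payer) account ID, not a real account."""
import json

MGMT_ACCOUNT = "111111111111"  # placeholder management account ID

# Constructed to match the shape of the default trust policy: it trusts
# the whole management account (root) and carries no conditions.
DEFAULT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}


def hardened_trust_policy(mgmt_account: str, admin_role: str) -> dict:
    """Trust only one named role in the management account and require MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{mgmt_account}:role/{admin_role}"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return the reasons an Allow statement is broader than it should be."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be "*", a single ARN string, or a list of ARNs
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"trusts an entire account: {p}")
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            findings.append("no MFA condition on sts:AssumeRole")
    return findings
```

Run `trust_policy_findings` over the trust policy pulled from each member account to spot roles still carrying the default, account-wide trust.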