[shortj]

Probably the most useful mechanism I have for determining this is “if this AWS account disappears, how screwed am I / can I recover.”

I tend to separate all of my projects/services, and each of those to environments.

A cold storage AWS account, audit and security (ship logs, config changes, etc), shared services to another account.

If dev account gets hacked, that sucks, but we can clear it out.

It prod gets hacked (and deleted!) that super sucks. But hopefully cold storage and audit accounts can help us out.

If some other services/projects account gets hacked, I don’t want to be worried about impact to unrelated projects.

[gfodor]

Nice approach - for cold storage what do you mean exactly? Manually rsynced backups or something? Most aws services I’ve used that have backups built in I don’t recall having cross account writability.

[shortj]

RDS snapshot copying, EBS snapshot copies, S3 cross account bucket replication, etc. Write only with no entry points into that account from your other accounts. (Preferably its own locked down IAM role with MFA required)

[gfodor]

Cool- stealing this, thanks! Do you do the backups w a scheduled lambda?

[jamesblonde]

We also use test roles on top of separate dev/prod accounts. It has save us already a couple of times when somebody deleted all instances (by mistake), but the blast radius was kept small.