by ragona 1357 days ago
> poor IAM policy and role modeling

This is a bad take. Making good IAM Roles and Policies is incredibly complicated if you have a complicated account. You WILL get it wrong. This becomes much more tractable if you have reasonable account boundaries between workloads.

If you insist on a single massive account you're fighting against the way that AWS designs the system, and you're gonna have a bad time.

2 comments

Totally agree. Defense in depth, security in layers. You're not protecting against just the most elite hackers, you're protecting against mistakes. Mistakes and change are inevitable; they should be in the design.
I'm not even sure at what point account boundaries really have merit anymore past organization. Most things that are subject to account boundaries have really poorly crafted IAM roles or policies somewhere. You just have a single logical boundary in between the two talking things.

The way that GCP organizes various different projects is actually really nice. I haven't seen what this looks like at scale though.
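As an added illustration of the point made in the top comment and the reply (not code from either commenter, and a deliberate simplification of AWS's real evaluation logic), a toy evaluator modelling the one rule that makes an account boundary a containment layer: inside a single account an identity-policy Allow is enough, but across accounts both the caller's identity policy and the resource's own policy must grant access. All account IDs, ARNs and policy documents are constructed.

```python
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _evaluate(policy, action, resource, principal_account=None):
    """Return (explicit_deny, allow) for one policy document (toy subset of IAM)."""
    deny = allow = False
    for st in (policy or {}).get("Statement", []):
        if "Principal" in st:  # resource-based statement: must name the caller's account
            if principal_account not in _as_list(st["Principal"].get("AWS", [])):
                continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            deny = True
        elif st["Effect"] == "Allow":
            allow = True
    return deny, allow


def is_allowed(principal_account, identity_policy, resource_account, resource_policy, action, resource):
    id_deny, id_allow = _evaluate(identity_policy, action, resource)
    rs_deny, rs_allow = _evaluate(resource_policy, action, resource, principal_account)
    if id_deny or rs_deny:          # explicit Deny always wins
        return False
    if principal_account == resource_account:
        return id_allow or rs_allow  # same account: either policy suffices
    return id_allow and rs_allow     # cross-account: both sides must allow


# Constructed sample: the "you WILL get it wrong" identity policy on an analytics role.
SLOPPY_ANALYTICS_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
LEDGER = "arn:aws:s3:::payments-ledger/2024/q1.csv"          # constructed ARN
ANALYTICS_ACCT, PAYMENTS_ACCT = "111111111111", "222222222222"  # constructed account IDs


def single_account_exposure():
    # Both workloads in one account: the sloppy policy silently reaches the ledger.
    return is_allowed(ANALYTICS_ACCT, SLOPPY_ANALYTICS_POLICY, ANALYTICS_ACCT, None, "s3:GetObject", LEDGER)


def cross_account_contained():
    # Ledger in its own account, no bucket policy naming analytics: same mistake, no access.
    return is_allowed(ANALYTICS_ACCT, SLOPPY_ANALYTICS_POLICY, PAYMENTS_ACCT, None, "s3:GetObject", LEDGER)


def cross_account_explicit_grant():
    # Access exists only where the owning account wrote it down, which is reviewable.
    bucket_policy = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ANALYTICS_ACCT},
                                    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payments-ledger/*"}]}
    return is_allowed(ANALYTICS_ACCT, SLOPPY_ANALYTICS_POLICY, PAYMENTS_ACCT, bucket_policy, "s3:GetObject", LEDGER)
```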