by cyberax 706 days ago
> Having one account per database/backend/frontend is not only overkill, but actually a bad practice.

That's how AWS works internally. A team can easily have several hundred accounts: one for each region, and for each env.

You absolutely need tools to manage them, and AWS is not great in this regard. IAM Identity Center is a good first step, but its usability sucks compared to the AWS internal tool (called "Isengard").

> You're going to have to expose your DB to the internet instead of having everything inside a single VPC.

There are several ways to NOT do this. The easiest one is to use IPv6 with your own block (you can get it from ARIN for around $100). Then split it into "public" and "private" subnets, and install a network ACL prohibiting external connections into the private subnet.
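As an added illustration of the public/private split the comment describes (example code, not the commenter's own): a Terraform sketch of a VPC that takes its IPv6 block from a BYOIP pool onboarded into IPAM, two subnets carved from that block, and a network ACL on the private subnet that drops externally initiated connections. The region, the IPv4 CIDRs and the IPAM pool id `ipam-pool-EXAMPLE` are placeholders, not values from the page.

```hcl
# Added example, not the commenter's code. The region, IPv4 ranges and the
# IPAM pool id below are constructed placeholders.
provider "aws" {
  region = "us-east-1"
}

# VPC whose IPv6 block comes from a BYOIP pool registered in IPAM.
resource "aws_vpc" "main" {
  cidr_block          = "10.0.0.0/16"       # an IPv4 CIDR is still mandatory for a VPC
  ipv6_ipam_pool_id   = "ipam-pool-EXAMPLE" # placeholder: your BYOIPv6 pool
  ipv6_netmask_length = 56
}

# "Public" subnet: hosts that may be reached from the internet (load balancers, bastions).
resource "aws_subnet" "public" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}

# "Private" subnet: databases and backends, same VPC, guarded by the ACL below.
resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.2.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 2)
  assign_ipv6_address_on_creation = true
}

# Network ACL attached only to the private subnet. NACLs are stateless and
# evaluate rules in ascending rule_no order, so both directions must be listed
# and the trailing deny is what keeps the internet out.
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.private.id]

  # 100: anything from the VPC's own IPv6 block may reach the private subnet.
  ingress {
    rule_no         = 100
    protocol        = "-1"
    action          = "allow"
    ipv6_cidr_block = aws_vpc.main.ipv6_cidr_block
    from_port       = 0
    to_port         = 0
  }

  # 105: same for the VPC's IPv4 range (otherwise the implicit final deny drops it).
  ingress {
    rule_no    = 105
    protocol   = "-1"
    action     = "allow"
    cidr_block = aws_vpc.main.cidr_block
    from_port  = 0
    to_port    = 0
  }

  # 110: replies to TCP connections the private hosts opened outbound (package
  # mirrors, SaaS APIs) arrive on ephemeral ports; allow only that range.
  ingress {
    rule_no         = 110
    protocol        = "tcp"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 1024
    to_port         = 65535
  }

  # 200: every other inbound packet from outside the VPC is dropped, so no
  # externally initiated connection reaches a database listener.
  ingress {
    rule_no         = 200
    protocol        = "-1"
    action          = "deny"
    ipv6_cidr_block = "::/0"
    from_port       = 0
    to_port         = 0
  }

  # Outbound: private hosts may initiate connections anywhere over IPv6.
  egress {
    rule_no         = 100
    protocol        = "-1"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 0
    to_port         = 0
  }
}
```

Rule 110 is the cost of stateless filtering: it admits any internet source to the ephemeral port range, so the database's security group (which is stateful) should still allow the DB port only from the application subnet. The private subnet's route table should also send `::/0` to an `aws_egress_only_internet_gateway` rather than an internet gateway, so that inbound-initiated IPv6 is refused at the gateway as well as by the ACL.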