• Matheus Lozano

Exploring the multi-account AWS environment and reducing costs with it

There are many best practices that can improve your Cloud environment, the multi-account AWS environment is one of them.

Replica: https://lozanomatheus.medium.com/5c115fdbc284?source=friends_link&sk=734fb015264b75f0c6dfece3f0f502aa

The multi-account environment

It’s basically having multiple accounts for specific goals, could be per team, per environment, per project. AWS is very flexible in terms of how to achieve a multi-account environment, you can choose how you want to split your accounts.

There are a lot of good things you’ll get by following this best-practice, like centralized management (consolidated billing, accounts, etc), define policies per account or Organizational Unit (like audit/log is mandatory, tag policy, MFA is mandatory, etc) and many other things.

The options

You can achieve the multi-account environment by using the AWS Organizations and/or AWS Control Tower.

AWS Organizations

The AWS Organizations is basically your account dashboard and management. In there you can define the Organization structure, the policies (like tag policies, backup, service control policies, etc), import and/or create new accounts (except if you’re using AWS Control Tower), etc.

AWS Organizations with sub Organizations Units
Example of multiple accounts on AWS

In the example above, we have a root AWS account, three root Organizational Units (it’s like folders) and a few other “objects” under those accounts. The “objects” under an OU can be an AWS account or another OU.

The Core OU will be used for Logging and Auditing, such as AWS API calls, guardrails, users actions, etc.

The Workload OU will be used for productions and preproduction environments. The Workload test will be used by the Development Team and it’s where they can play around and have “free” access and it won’t impact the productions and preproduction. That’s where they can test over 200 fully-featured services.

The Test OU is where the Sec and DevOps teams can play around and do what they need to do without impacting other teams. Here, they can test new Organisations policies, play with AWS Config, etc.

AWS Control Tower

The AWS Control Tower is, let’s say, an extension of the AWS Organizations. It uses the AWS Organizations and brings much more feature, like a better AWS account bootstrap, Guardrails, all accounts are automatically audited and logged, etc. Let’s say that you want to make the MFA obligated for all accounts, within just a few clicks (or API calls) and it’s done (it’s literally that easy :)).

Extra costs

AWS Organizations is offered at no additional charge.

The AWS Control Tower has additional charges, for more details, please check the official AWS Control Tower pricing page.

AWS Control Tower pricing
Screenshot from the official AWS Control Tower pricing page

Reducing costs

You may be wondering “in this case, reducing costs, is it a thing?”. As any other thing, it will depend. I would say that’s probably true. Since you can consolidate the billing and have a single place to manage, you could set up limits per account. For example, you can set up the Billing Monthly Budget for the Test account and when it’s reached, it will stop EC2 and/or RDS instances. It’s also possible to set up alerts and other actions too.

Remember to follow the ~applicable~ best practices, then the cost reduction will become a real thing (among other good things, like more secure, monitored, centralized, etc).

AWS Well-Architected Framework five pillars
Image by Tim Robinson on AWS Blog
following the ~applicable~ best practices: Why did I say that? Well, if you’re not new with the AWS Well-Architected Framework, you’ll know that’s almost impossible (I would say, it’s impossible) to follow everything. For example, Cost Optimization Pillar vs Performance Efficiency Pillar or Security Pillar. There are things that will be costly but will improve the performance and/or security and you’ll have to choose one, maybe two, to go for (reduce cost and/or improve performance and/or improve security).


If you’re new into the AWS or Cloud, I would suggest starting with the AWS Organizations. It’s pretty easy to set up, there is no additional charge, you’ll centralize many things (like billing) and you can later move to AWS Control Tower (if you wish).

In any case, you can always contact AWS Support and request for their guidance. The Developer or higher support plan is required and there is an additional cost, please check their official website for more details.

Read more

Managing your costs with AWS Budgets

Establishing your best practice AWS environment

Best Practices for Organizational Units with AWS Organizations

AWS Multi-Account Management

Defining an AWS Multi-Account Strategy for telecommunications companies (but not only for telecom companies)