Segmentation in cloud environments

This has become one of the standard best practices for an AWS environment. In the previous section, we placed the development and production VPCs in different regions, which is recommended; however, both still live in a single AWS account.

Ideally, we should have multiple AWS accounts: a developer needs AWS console access, along with an access key and secret key, to work with the various AWS services in the development environment.

If we are not careful with IAM policies, that same developer might also gain access to the corresponding services in the production environment.

The approach to different accounts is described in the following diagram:

  • In this approach, there are two environments (DEV and Prod)
  • All the developers have access to the Developers account
  • Only Solutions Architects have access to the production account

Having multiple accounts ensures that any unwanted policy in the DEV environment cannot affect resources in the production environment.

This helps protect against malicious insiders, external attackers, and unintended outcomes caused by incorrectly scoped permissions.
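As an added illustration of the IAM risk described above (this code is not from the book), the following checker scans a developer's identity policy and reports every Allow statement that can reach production, whether production sits in a separate account (the recommended layout) or only in another region of the same account (the previous section's layout). The account IDs, region, and policy document are constructed placeholders.

```python
import json

ARN_FIELDS = ("partition", "service", "region", "account", "resource")

def parse_arn(arn):
    """Split 'arn:partition:service:region:account:resource' into a dict.
    Returns None for the bare wildcard '*'. The resource part may itself
    contain ':' so the split is capped at five separators."""
    if arn == "*":
        return None
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(ARN_FIELDS, parts[1:]))

def find_production_reach(policy_json, dev_account, prod_regions):
    """Return (statement index, resource, reason) for each Allow statement
    whose Resource can touch production. Global services (empty account or
    region field, e.g. S3 and IAM) are only flagged via the account check."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            arn = parse_arn(res)
            if arn is None:
                findings.append((i, res, "wildcard resource reaches every region and account"))
            elif arn["account"] not in ("", dev_account):
                findings.append((i, res, "resource in another account"))
            elif arn["region"] == "*" or arn["region"] in prod_regions:
                findings.append((i, res, "resource in a production region"))
    return findings

DEV_ACCOUNT = "111111111111"    # constructed placeholder account ID
PROD_ACCOUNT = "222222222222"   # constructed placeholder account ID
PROD_REGIONS = {"us-west-2"}    # constructed: region hosting the prod VPC

# Constructed developer policy: only the first two statements stay in DEV.
DEVELOPER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dev-artifacts/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": f"arn:aws:ec2:us-east-1:{DEV_ACCOUNT}:instance/*"},
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": f"arn:aws:ec2:us-west-2:{DEV_ACCOUNT}:instance/*"},
    {"Effect": "Allow", "Action": "rds:*", "Resource": f"arn:aws:rds:us-east-1:{PROD_ACCOUNT}:db:*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]})

if __name__ == "__main__":
    for idx, res, why in find_production_reach(DEVELOPER_POLICY, DEV_ACCOUNT, PROD_REGIONS):
        print(f"statement {idx}: {res} -> {why}")
```

With separate accounts the "another account" finding becomes impossible to grant by mistake, which is the point of the segmentation above; the region and wildcard findings remain worth reviewing even then.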