In a large organization, maintaining a separate AWS account for every line of business or application can become a complicated structure. Here is a list of lessons learnt and factors to consider when thinking about consolidating multiple lines of business or applications into one account:
- There should be no compromise of any customer security controls.
- The applications should be able to continue performing all security-related tasks, except access to the billing data.
- MFA - would MFA be global to the whole account, or would it be based on a role? Would the shared account be accessible by the different users?
- IAM Roles - would there be one IAM role with access to all S3 and CloudWatch resources?
- Alerting - are multiple email addresses possible for separate alerting?
- Subnets - if all resources are sitting in one VPC, can they be split onto different subnets, potentially limiting the blast radius of viewing, modifying or deleting resources?
- Resources - would resources such as RDS be managed by a centralized team, or would access be given to the different users? For example, if there was a requirement to create an S3 bucket.
- IAM Role - do the IAM Groups need to be combined with resource-level permissions?
- Compliance - what are the compliance requirements for resource separation?
- Disaster recovery - in the event of a cross-region failover, would all resources be treated the same? For example, if relying on AWS Backup, would one vault be used, or separate vaults?
- Infrastructure as Code - can the deployment pipelines support this setup?
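The IAM Roles, billing and resource-level permission points above can be answered with per-application roles whose policies are scoped to the application's own resources. The following is an added example, not code from the original post; it assumes one shared S3 bucket with a prefix per application, CloudWatch log groups named after the application, and a central team that keeps billing access, and includes a small guardrail check that flags any Allow statement covering every resource.

```python
"""Per-application IAM scoping in a shared AWS account (added example).

Assumptions (not from the page): one shared bucket with a prefix per
application, log groups named /<app>/*, billing denied to every app role.
"""
import json

# Billing-related action namespaces the central team keeps to itself
BILLING_ACTIONS = ["aws-portal:*", "ce:*", "cur:*", "budgets:*"]


def app_policy(app: str, bucket: str, account_id: str, region: str = "eu-west-1") -> dict:
    """Build a least-privilege policy document for one application's role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # S3 objects: only under this application's own prefix
                "Sid": "S3ObjectsOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{app}/*",
            },
            {   # ListBucket is bucket-level, so limit it with a prefix condition
                "Sid": "S3ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{app}/*"]}},
            },
            {   # CloudWatch Logs: only log groups (and their streams) named after the app
                "Sid": "LogsOwnGroups",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/{app}/*",
            },
            {   # Billing data stays central: an explicit Deny overrides any Allow
                "Sid": "DenyBilling",
                "Effect": "Deny",
                "Action": BILLING_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def unscoped_allows(policy: dict) -> list:
    """Return Sids of Allow statements that reach every resource (not acceptable when accounts are shared)."""
    bad = []
    for st in policy["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] == "Allow" and any(r == "*" or r.endswith(":*") for r in res):
            bad.append(st["Sid"])
    return bad


if __name__ == "__main__":
    # Constructed sample values: application "payments" in a shared bucket
    print(json.dumps(app_policy("payments", "shared-data", "123456789012"), indent=2))
```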
Author: Rambler (http://www.dba-ninja.com)