Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From cloud-foundation-principles
Guides multi-account strategies for new cloud projects from day one, covering account structures, environment isolation, blast radius control, billing separation, landing zones, and governance.
npx claudepluginhub oborchers/fractional-cto --plugin cloud-foundation-principlesHow this skill is triggered — by the user, by Claude, or both
Slash command
/cloud-foundation-principles:multi-account-from-day-oneThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Running development and production in a single cloud account is the most common shortcut in early-stage infrastructure, and it is cheap to fix on day one -- one afternoon of work. Six months later, when production databases share IAM policies with developer sandboxes, when billing is an undifferentiated blob, and when a misconfigured dev deployment takes down prod, the fix becomes a full migrat...
Designs and reviews AWS landing zones, Control Tower environments, Organizations structures, OUs, account vending, guardrails, and multi-account governance. Use when structuring AWS accounts or governing a cloud estate.
Indexes 15 cloud foundation principle skills for account structure, naming conventions, Terraform organization, networking, security, and IaC best practices. Activates at start of cloud infrastructure conversations.
Builds least-privilege IAM setups: roles, policies, service accounts for cloud services. Generates IaC using Terraform, Pulumi, CloudFormation.
Share bugs, ideas, or general feedback.
Running development and production in a single cloud account is the most common shortcut in early-stage infrastructure, and it is cheap to fix on day one -- one afternoon of work. Six months later, when production databases share IAM policies with developer sandboxes, when billing is an undifferentiated blob, and when a misconfigured dev deployment takes down prod, the fix becomes a full migration measured in weeks. Multi-account isolation is not a scale concern. It is a day-one concern.
A single cloud account creates invisible couplings that compound over time:
| Problem | Single Account | Multi-Account |
|---|---|---|
| Blast radius | A dev IAM policy change can affect prod resources | Accounts are hard boundaries; dev cannot touch prod |
| Billing | All costs in one bucket; cost attribution requires tagging discipline | Per-account billing is automatic and unambiguous |
| Permissions | Everyone who can deploy to dev can potentially access prod secrets | Cross-account access requires explicit trust policies |
| Service quotas | Dev load tests consume prod quota | Each account has independent quotas |
| Compliance | Auditors must review everything; no clean scope boundary | Prod account is the audit scope; dev is excluded |
| Credential blast | One leaked key exposes everything | One leaked key exposes one environment |
The longer you wait, the worse each problem gets. Resources accumulate. IAM policies intertwine. Developers build tooling that assumes a single account. Every day you delay makes the eventual migration more expensive.
Start with six accounts or projects. This is the minimum that provides meaningful isolation:
Organization Root
├── Management Account -- SSO, billing, organization policies
│
├── Security OU -- (GCP: Folder, Azure: Management Group)
│ ├── security -- Centralized security services
│ └── log-archive -- Immutable, centralized audit logs
│
├── Sandbox OU
│ └── sandbox -- Unrestricted experimentation, no prod access
│
└── Workloads OU
├── dev -- Development workloads
└── prod -- Production workloads
Six accounts. One afternoon. This gives you environment isolation, a dedicated security boundary, centralized audit logging, a safe experimentation space, and clean billing separation from day one. All three major cloud providers (AWS Control Tower, GCP Cloud Foundation Toolkit, Azure Landing Zones) include a centralized logging account by default.
As your team and workloads grow, expand the structure:
| Account | Add When | Purpose |
|---|---|---|
cicd | You adopt self-hosted runners | Isolate CI/CD compute from application workloads |
staging | You need a prod-like pre-release env | Full production mirror for release validation |
data or ml-training | GPU or large data workloads | Isolate expensive compute with separate quotas and billing |
Do not create person-specific accounts. Use team-based identities and shared accounts with role-based access. Person-specific accounts create credential sprawl and make offboarding a security risk.
Manually creating accounts and configuring guardrails does not scale past three accounts. Use your cloud provider's landing zone tooling to automate account provisioning, enforce baseline policies, and centralize governance.
A landing zone provides:
# Organization structure -- Terraform manages the hierarchy
resource "cloud_organization" "root" {
feature_set = "ALL"
}
resource "cloud_organizational_unit" "security" {
name = "Security"
parent_id = cloud_organization.root.roots[0].id
}
resource "cloud_organizational_unit" "workloads" {
name = "Workloads"
parent_id = cloud_organization.root.roots[0].id
}
resource "cloud_organizational_unit" "workloads_prod" {
name = "Production"
parent_id = cloud_organizational_unit.workloads.id
}
resource "cloud_organizational_unit" "workloads_dev" {
name = "Development"
parent_id = cloud_organizational_unit.workloads.id
}
# DO NOT DO THIS -- "environment" tags are not isolation boundaries
resource "cloud_instance" "web" {
instance_type = "t3.micro"
tags = {
Environment = "prod" # This tag does NOT prevent dev from touching it
}
}
resource "cloud_instance" "web_dev" {
instance_type = "t3.micro"
tags = {
Environment = "dev" # Same account, same IAM, same blast radius
}
}
Tags are metadata, not security boundaries. An IAM policy that grants ec2:* in a single account grants it to both "prod" and "dev" tagged resources. Only account-level separation provides true isolation.
Centralize identity in the management account. Federate from an external identity provider (Google Workspace, Okta, Microsoft Entra ID) so that disabling a person in the IdP immediately revokes all cloud access.
| Tier | Dev/Sandbox Access | Prod Access | Assigned To |
|---|---|---|---|
| Admin | Full | Full (time-boxed) | Platform team (2-3 people) |
| Developer | Full | Read-only + targeted exceptions | Engineering team |
| Auditor | Read-only | Read-only | Compliance, external auditors |
Developers should have full access in dev and sandbox but only read-only access in production. Targeted exceptions allow specific actions like viewing logs, connecting to debugging sessions, or reading container registries. No one should have permanent write access to production -- use time-boxed elevated access for incident response.
CI/CD pipelines authenticate to each account via workload identity federation (OIDC), not static API keys. Each account has its own CI/CD role with a trust policy restricting which repositories can assume it. This means zero stored secrets in your CI/CD system -- no API keys to rotate, no credentials to leak.
The multi-account angle: every account needs its own OIDC role. The trust policy in the dev account allows broader repository access (any branch), while the production account restricts to tag refs only (see the tag-based-production-deploys skill for the tag-driven deployment model). For the complete OIDC setup (provider configuration, trust policies, subject claim restrictions, per-provider Terraform), see the zero-static-credentials skill.
Use distribution lists or group aliases for account root emails, never personal addresses:
cloud-management@mycompany.com -- Management/root account
cloud-security@mycompany.com -- Security account
cloud-log-archive@mycompany.com -- Log archive account
cloud-sandbox@mycompany.com -- Sandbox account
cloud-dev@mycompany.com -- Development account
cloud-prod@mycompany.com -- Production account
Personal email addresses tied to accounts create single points of failure. When that person leaves, account recovery becomes a support ticket nightmare.
| Concept | AWS | GCP | Azure |
|---|---|---|---|
| Organization hierarchy | Organizations + OUs | Organization + Folders | Management Groups |
| Landing zone automation | Control Tower | Cloud Foundation Toolkit | Azure Landing Zones (CAF) |
| Account/project creation | AWS Account Factory | Project Factory | Subscription vending |
| Guardrails / policies | Service Control Policies (SCPs) | Organization Policies | Azure Policy |
| Centralized identity | IAM Identity Center (SSO) | Cloud Identity + Workforce IdF | Microsoft Entra ID |
| Cross-account roles | IAM Roles + trust policies | Service account impersonation | Managed Identity + RBAC |
| Billing isolation | Per-account billing | Per-project billing | Per-subscription billing |
| Security delegation | Delegated administrator | Organization-level security | Microsoft Defender for Cloud |
Working implementations in examples/:
examples/organization-structure.md -- Terraform module that creates a six-account organization with OUs, account email conventions, and baseline policiesexamples/cross-account-roles.md -- Terraform configuration for CI/CD OIDC federation and developer cross-account access with least-privilege permissionsWhen designing or reviewing cloud account structure: