AWS Accounts as Security Boundaries — 97+ Ways Data Can be Shared Across Accounts

Matt Fuller
22 min read · Jun 1, 2021
See the full list here.

TL;DR

Just want to see a list of services and how their data can be shared across AWS accounts? Click here. Spreadsheet version here.

Background

There are many strategies for organizing AWS accounts. Some organizations use a separate account for each environment — one for development, another for staging, and a third for production. Others prefer to put each team or project in its own AWS account, resulting in hundreds or even thousands of accounts across the company. Still others prefer to lump every team, project, and environment into a single AWS account in what I like to call “the kitchen sink strategy.”

Regardless of the approach, most of these practices assume that the AWS account itself acts as a security boundary. Given the per-account IAM namespacing and AWS’s own documentation, this is a logical assumption. However, through a series of features and dedicated services, creating configurations that cross these boundaries has become relatively easy. Relying on the account alone to provide a security boundary may not be a safe decision without extensive controls and monitoring in place. With cross-account IAM roles, cross-resource sharing, global namespaces, and other features, it is easier than ever to turn a once-isolated…
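The controls and monitoring mentioned above start with knowing which policies already grant access to principals outside your own accounts. The following checker is an added example, not code from the article or from CloudSploit: it walks the `Statement`/`Principal` entries of an IAM trust policy (or any resource-based policy such as an S3 bucket policy) and flags every `Allow` statement whose principal resolves to an account outside an allow-list, or to everyone (`*`). The policy document and the account IDs in it are constructed for illustration.

```python
"""Flag cross-account principals in IAM trust and resource policies.

Added illustration (not from the original article): given an allow-list of
account IDs that belong to your organization, report any Allow statement
whose AWS principal is an account outside that list or the wildcard "*".
"""
import json
import re

# Matches the account id in principal ARNs such as
# arn:aws:iam::123456789012:root, :role/Name, :user/Name (any partition).
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::(\d{12}):")


def principal_account(principal: str):
    """Return the 12-digit account id a principal string refers to,
    "*" for the anonymous wildcard, or None for non-account principals
    (e.g. service principals like lambda.amazonaws.com)."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):
        return principal  # a bare account id is shorthand for that account's :root
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def _iter_principals(principal_field):
    """Yield (kind, value) pairs for every principal in a statement.

    Principal may be the string "*" or a dict keyed by "AWS" / "Service" /
    "Federated" / "CanonicalUser" whose value is a string or a list."""
    if principal_field == "*":
        yield "AWS", "*"
        return
    if isinstance(principal_field, dict):
        for kind, value in principal_field.items():
            values = value if isinstance(value, list) else [value]
            for v in values:
                yield kind, v


def find_external_principals(policy: dict, trusted_accounts):
    """Return findings for Allow statements that grant access to principals
    outside `trusted_accounts`. Each finding records the statement Sid
    (or its index), the offending principal and the account it maps to."""
    trusted = set(trusted_accounts)
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # Allow + NotPrincipal grants to everyone except the listed principals;
        # treat it as an external grant regardless of what is listed.
        if "NotPrincipal" in stmt:
            findings.append({"sid": stmt.get("Sid", idx), "principal": "NotPrincipal", "account": "*"})
            continue
        for kind, value in _iter_principals(stmt.get("Principal", {})):
            if kind != "AWS":
                continue  # service / federated principals are not other accounts
            acct = principal_account(value)
            if acct is None:
                continue
            if acct == "*" or acct not in trusted:
                findings.append({"sid": stmt.get("Sid", idx), "principal": value, "account": acct})
    return findings


# Constructed sample: a role trust policy with one same-org principal, one
# vendor account, one service principal and one anonymous grant (account ids are made up).
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SameOrg", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"},
    {"Sid": "Vendor", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/VendorAccess", "333333333333"]},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
    {"Sid": "LambdaService", "Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Sid": "Anyone", "Effect": "Allow",
     "Principal": "*",
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed allow-list of accounts considered "ours".
TRUSTED_ACCOUNTS = ["111111111111", "333333333333"]


def audit_sample():
    """Run the checker over the constructed sample policy."""
    return find_external_principals(SAMPLE_TRUST_POLICY, TRUSTED_ACCOUNTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['sid']}: principal {f['principal']} (account {f['account']}) is outside the trusted set")
```

On the sample this reports the `Vendor` statement (account `222222222222` is not in the allow-list; `333333333333` is) and the `Anyone` statement, while ignoring the Lambda service principal. The same function applies unchanged to policy documents pulled from `iam get-role` or `s3api get-bucket-policy`; a Condition such as `sts:ExternalId` does not make a grant internal, so the checker deliberately does not suppress findings on account of conditions.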

Matt Fuller

Founder of @CloudSploit , acquired by @AquaSecTeam . Former Infra / Security / Manager @Adobe , @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident