Most startups begin with a single AWS account. It’s the path of least resistance, and for the first eighteen months it works. Then the cracks appear: a developer accidentally drops a production table because IAM was scoped loosely; the security questionnaire from your first enterprise customer asks about environment isolation and the honest answer is “we use naming conventions”; the AWS bill becomes impossible to attribute to teams or features.
By the time these become real problems, you’re at Series A and the migration to a multi-account structure is a multi-month project happening alongside everything else that breaks at Series A.
What you actually get from multi-account
Three things, all of them load-bearing as you scale:
- Blast radius isolation. A misconfigured IAM policy or a runaway Lambda in dev cannot touch production data. The boundary is enforced by AWS itself, not by hope.
- Compliance and audit clarity. Enterprise buyers, ISO 27001 auditors, and SOC 2 assessors all ask the same question: “How do you separate environments?” “Different accounts” is the answer that ends the conversation.
- Cost attribution by default. Each account is its own billing scope. You see exactly what production, staging, and the data team are spending without inventing tag hygiene.
The minimum viable setup
You don’t need Control Tower and a dozen guardrails on day one. What you need is small:
- AWS Organizations with management, log archive, audit, prod, staging, and dev accounts.
- IAM Identity Center (formerly SSO) as the single front door. Developers log in once and assume role into each account.
- CloudTrail aggregated to log archive. Read-only, immutable. The audit trail you’ll thank yourself for in two years.
- A consolidated billing alarm at the management account level.
That’s a one-week project if you start before you have load. It’s a one-quarter project if you start after.
What we see in the field
The companies that set this up early treat it as boring infrastructure — provisioned in Terraform, documented, forgotten. The companies that put it off end up running the migration in parallel with their first enterprise pilot, which is when “we’ll harden security next sprint” finally meets the customer who needs the answer this quarter.
If you’re pre-Series A and still on a single account, the call to make right now is whether you do this when it’s cheap, or when it’s expensive. There isn’t a third option.
Related posts
Three AWS Cost Leaks Hiding in Your Bill Right Now
The most expensive AWS line items aren't always the obvious ones. Three patterns we see in nearly every audit — and how to close them in a fortnight.
Read articlePlatform engineering grew up. For funded scaleups, the hard part is now the operating model.
DevOps is now an AI-augmented platform discipline. What it means for Series A to C teams in Europe, and staying ahead without a platform team you can't staff.
Read article