Glenn Gray

Originally published at graycloudarch.com

Building Multi-Account AWS Infrastructure with Terraform and ECP

After years of building AWS infrastructure at scale, I've learned that multi-account strategy isn't just about security—it's about organizational clarity and cost management.

At a large podcast hosting platform, we implemented an Enterprise Control Plane (ECP) pattern using Terraform to manage 20+ AWS accounts. Here's what I learned:

The Problem with Single-Account AWS

Most companies start with one AWS account. Everything lives together: dev, staging, prod, data pipelines, security tools. It works... until it doesn't.

Problems emerge:

  • Blast radius: A misconfigured dev resource can affect production
  • IAM complexity: Permission boundaries become impossible to manage
  • Cost allocation: Finance can't track spending by team or project
  • Compliance: Auditors want logical separation between environments

The ECP Pattern

Enterprise Control Plane is an architectural pattern for managing multiple AWS accounts as a unified platform:

  1. Organization Structure: AWS Organizations with OUs (Organizational Units) for different environments and teams
  2. Centralized Networking: Transit Gateway connecting all accounts through a hub-and-spoke model
  3. Security Baseline: Service Control Policies (SCPs) enforcing guardrails at the organization level
  4. Infrastructure as Code: Terraform/Terragrunt managing everything from a central repository

Key Design Decisions

Account Boundaries:

  • Production accounts: Isolated per application/team
  • Non-prod accounts: Shared dev/staging to reduce overhead
  • Platform accounts: Separate accounts for logging, monitoring, security tools
  • Data accounts: Isolated for compliance and access control

Network Architecture:

  • Hub account with Transit Gateway
  • VPC peering only where absolutely necessary
  • Private subnet defaults for everything
  • Centralized egress through NAT Gateway in hub

Security Model:

  • SCPs prevent account-level misconfigurations
  • IAM roles for cross-account access (no shared credentials)
  • CloudTrail logs aggregated to security account
  • GuardDuty and Security Hub in every account
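To make the first two points concrete, here is an added HCL example (written for this post, not taken from the ecp-security repository) of one SCP guardrail attached to a workloads OU and one cross-account audit role that the security account assumes; the OU id and account id are placeholder variables.

```hcl
# Added example, not the project's own code. OU and account ids are placeholders.
variable "workloads_ou_id"     { type = string } # e.g. an ou-xxxx-xxxxxxxx id
variable "security_account_id" { type = string } # 12-digit security account id

# Guardrail SCP for the workloads OU: member accounts cannot switch off the
# logging and detection tooling the security account depends on, nor leave the org.
resource "aws_organizations_policy" "security_baseline" {
  name = "ecp-security-baseline"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "ProtectLoggingAndDetection"
      Effect = "Deny"
      Action = [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromMasterAccount",
        "organizations:LeaveOrganization"
      ]
      Resource = "*"
    }]
  })
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.security_baseline.id
  target_id = var.workloads_ou_id
}

# Read-only role created in each workload account. Only the security account
# may assume it, so no long-lived credentials are shared between accounts.
resource "aws_iam_role" "security_audit" {
  name = "ecp-security-audit"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${var.security_account_id}:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "security_audit_readonly" {
  role       = aws_iam_role.security_audit.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

SCPs only constrain member accounts, never the management account, which is one more reason to keep workloads out of it.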

Terraform Structure

We use Terragrunt to manage configurations across accounts:

ecp-ou-structure/     # Organization and account management
ecp-network/          # Transit Gateway, VPCs, networking
ecp-security/         # Security baseline, SCPs, IAM
tf-live-aws-*/        # Application-specific infrastructure

Lessons Learned

  1. Start with security: SCPs first, then networking, then workloads
  2. Automate account creation: Manual account provisioning doesn't scale
  3. Document the why: Every architectural decision needs context
  4. Plan for day 2: Operations matter more than initial setup

Results

After implementing ECP:

  • Reduced security incident blast radius by 90%
  • Finance can now track costs by team and project
  • New environments deploy in hours, not days
  • Passed SOC2 audit with zero infrastructure findings

Multi-account AWS isn't just best practice—it's how you scale infrastructure beyond the startup phase.
