Better isolation for environments

[fdietze]

Currently, different environments live in the same AWS account, where the isolation is done by using different name prefixes on e.g. lambdas and dynamo tables. Is there a better way to isolate environments?

Different AWS accounts would be an option, but AFAIK they cannot be created programmatically. Are there other isolation mechanisms?

[cornerman]

I do not see anything else than prefixing or multiple accounts. I think, account-level isolation is the best with regards to security and naming without prefix. But, as you said, setting it up is afaik not fully automatable.

Though, thinking about multi-environment, there might be a lot of environments (maybe per developer) and then having so many accounts for that seems a bit overboard. So, I am also not sure whether the prefix should really go away then.

[fdietze]

Maybe both then:

• Production in a different account without any prefixes
• Staging with prefixes to dynamically spin up new stacks without breaking production

[cornerman]

Is it really worth it to have no prefix in production? It complicates the code, because you have change the prefix based on the environment. Also, it requires that you use a different account in production and staging.

In the end, you can currently chose whenever you deploy, which account you use (by your AWS_PROFILE).

[fdietze]

Interesting. So the staging/production switch can be handled by AWS_PROFILE.

Prefixing doesn't have to be disabled. I just thought to have a single prefix (prod-) in the production account.