Using cross-account roles

Using multiple accounts to provision your resources (for example, development and production environments) provides a form of blast radius protection—even in the worst-case scenario, any issues or damages are limited to the account in which they occur, and not your entire AWS presence.

Creating and assuming roles across accounts is the best way to manage access to multiple accounts. Specific roles provide a clear and explicit declaration of permissions that can be easily reviewed, and revoked if needed. Resist the temptation to create new IAM users in each account, or to use IAM users when you need to give someone from a different organization, such as a consultant, access to your account.

This recipe provides a way to scale your access across many accounts, without compromising your security.
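The two policy documents that make a cross-account role work are the trust policy on the role in the workload account (who may assume it) and the permission policy in the identity account (which role a user or group may assume). The following is an added example, not code from this recipe: it builds both documents and runs a small review check over a trust policy, flagging wildcard principals and trust granted to an account outside your own without an sts:ExternalId condition (the AWS-documented confused-deputy mitigation for third-party access such as a consultant's account). The account IDs, role name and external ID are constructed placeholders.

```python
"""Build and review IAM policy documents for a cross-account role.

Added example. IDENTITY_ACCOUNT, WORKLOAD_ACCOUNT, the role name and the
external ID are constructed placeholders, not values from the recipe.
"""
import json

# Constructed placeholder 12-digit account IDs.
IDENTITY_ACCOUNT = "111111111111"   # where people and CI authenticate
WORKLOAD_ACCOUNT = "222222222222"   # e.g. the production account


def build_trust_policy(trusted_account, *, external_id=None, require_mfa=False):
    """Trust policy (AssumeRolePolicyDocument) for a role in the workload account.

    Trusting the account's root ARN delegates to that account's own IAM
    policies to decide which of its users may assume the role. An ExternalId
    condition is added when the trusted account belongs to a third party.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_assume_policy(workload_account, role_name):
    """Identity-side permission policy: allow assuming exactly one role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{workload_account}:role/{role_name}",
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, own_accounts):
    """Return review findings for a trust policy; an empty list means nothing flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for arn in arns:
            if arn == "*":
                findings.append("wildcard principal: any AWS account may assume this role")
                continue
            # arn:aws:iam::<account>:root -> account is the fifth colon-separated field
            account = arn.split(":")[4] if arn.count(":") >= 5 else ""
            if account not in own_accounts and not has_external_id:
                findings.append(f"external account {account} trusted without sts:ExternalId")
    return findings


if __name__ == "__main__":
    prod_role = build_trust_policy(IDENTITY_ACCOUNT, require_mfa=True)
    print(json.dumps(prod_role, indent=2))
    print(json.dumps(build_assume_policy(WORKLOAD_ACCOUNT, "ExampleAdminRole"), indent=2))
    print(audit_trust_policy(prod_role, {IDENTITY_ACCOUNT, WORKLOAD_ACCOUNT}))
```

Run the audit over the trust policies exported from each account to catch the two mistakes that undo the blast-radius benefit: a principal of `*`, and a third-party account trusted without an external ID.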
