Building Multi-Account AWS Infrastructure with Terraform and ECP
After years of building AWS infrastructure at scale, I’ve learned that multi-account strategy isn’t just about security—it’s about organizational clarity and cost management.
At a large podcast hosting platform, we implemented an Enterprise Control Plane (ECP) pattern using Terraform to manage 20+ AWS accounts. Here’s what I learned:
The Problem with Single-Account AWS
Most companies start with one AWS account. Everything lives together: dev, staging, prod, data pipelines, security tools. It works… until it doesn’t.
Problems emerge:
- Blast radius: A misconfigured dev resource can affect production
- IAM complexity: Permission boundaries become impossible to manage
- Cost allocation: Finance can’t track spending by team or project
- Compliance: Auditors want logical separation between environments
The ECP Pattern
Enterprise Control Plane is an architectural pattern for managing multiple AWS accounts as a unified platform:
- Organization Structure: AWS Organizations with OUs (Organizational Units) for different environments and teams
- Centralized Networking: Transit Gateway connecting all accounts through hub-and-spoke model
- Security Baseline: Service Control Policies (SCPs) enforcing guardrails at the organization level
- Infrastructure as Code: Terraform/Terragrunt managing everything from a central repository
Key Design Decisions
Account Boundaries:
- Production accounts: Isolated per application/team
- Non-prod accounts: Shared dev/staging to reduce overhead
- Platform accounts: Separate accounts for logging, monitoring, security tools
- Data accounts: Isolated for compliance and access control
Network Architecture:
- Hub account with Transit Gateway
- VPC peering only where absolutely necessary
- Private subnet defaults for everything
- Centralized egress through NAT Gateway in hub
Security Model:
- SCPs prevent account-level misconfigurations
- IAM roles for cross-account access (no shared credentials)
- CloudTrail logs aggregated to security account
- GuardDuty and Security Hub in every account
Terraform Structure
We use Terragrunt to manage configurations across accounts:
ecp-ou-structure/ # Organization and account management
ecp-network/ # Transit Gateway, VPCs, networking
ecp-security/ # Security baseline, SCPs, IAM
tf-live-aws-*/ # Application-specific infrastructureLessons Learned
- Start with security: SCPs first, then networking, then workloads
- Automate account creation: Manual account provisioning doesn’t scale
- Document the why: Every architectural decision needs context
- Plan for day 2: Operations matter more than initial setup
Results
After implementing ECP:
- Reduced security incident blast radius by 90%
- Finance can now track costs by team and project
- New environments deploy in hours, not days
- Passed SOC2 audit with zero infrastructure findings
Multi-account AWS isn’t just best practice—it’s how you scale infrastructure beyond the startup phase.
Working through a similar problem?
Fractional infrastructure architecture — 10–20 hrs/week for 3–6 months. No full-time headcount required.