Accounts in a Substrate-managed AWS organization

One of the main things Substrate wants you to do is to use multiple AWS accounts. Why?

Substrate wholeheartedly endorses the use of multiple AWS accounts.

All your AWS accounts are listed in substrate.accounts.txt and on https://example.com/accounts (substituting your Intranet DNS domain name).

There are four accounts that Substrate colloquially refers to as the “special” accounts. They are:

There are also admin accounts (of which there can be more than one), which host Intranet services like the Credential and Instance Factories, all protected by your identity provider.

Finally, there are service accounts where you host your software (be it software you’ve written yourself or your use of an AWS-managed service). Each of these accounts is tagged with a domain, environment, and quality.

This constellation of AWS accounts works together to increase the reliability and security of your product and reduce the blast radius of changes to any part of it.