AWS accounts that don’t rot in year two

Landing zones, blast radius, and the small policies that keep SaaS teams moving fast without fear.

The first EC2 instance feels like progress. The twelfth manual IAM change feels like debt. We bias to boundaries early: accounts, roles, and modules that stay legible when the team doubles.

Separate by blast radius

Shared “god accounts” optimize for short-term speed and long-term incidents. Split workloads by environment and risk, not only by team names.

Make the paved path cheaper

If the blessed path is Terraform modules + CI roles + observability defaults, teams will take it. If the blessed path is tickets and tribal knowledge, they won’t.
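One way to check whether the paved path is actually being used is to look for IAM changes made outside the CI role. The sketch below is an added example, not code from the original post: it scans CloudTrail records for write calls to IAM whose originating principal is not the pipeline role. The role ARN, account ID, and sample events are constructed assumptions.

```python
import json

# Assumption: Terraform is applied only through this CI role (hypothetical ARN).
CI_ROLE_ARN = "arn:aws:iam::111111111111:role/ci-terraform"

# Constructed CloudTrail records, trimmed to the fields used below. Not real logs.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-05-01T09:00:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","readOnly":false,
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/ci-terraform/run-42",
   "sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/ci-terraform"}}}},
 {"eventTime":"2024-05-01T10:15:00Z","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy","readOnly":false,
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}},
 {"eventTime":"2024-05-01T10:16:00Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","readOnly":true,
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}},
 {"eventTime":"2024-05-01T11:30:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","readOnly":false,
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/Admin/bob",
   "sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/Admin"}}}},
 {"eventTime":"2024-05-01T12:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","readOnly":false,
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}}
]""")


def is_iam_mutation(event):
    """True for write (non read-only) calls to the IAM service."""
    return event.get("eventSource") == "iam.amazonaws.com" and not event.get("readOnly", False)


def originating_arn(event):
    """Role behind an assumed-role session, else the caller's own ARN."""
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def manual_iam_changes(events, ci_role_arn=CI_ROLE_ARN):
    """Return (time, action, actor) for IAM writes not made through the CI role."""
    findings = []
    for event in events:
        if not is_iam_mutation(event):
            continue
        actor = originating_arn(event)
        if actor != ci_role_arn:
            findings.append((event["eventTime"], event["eventName"], actor))
    return sorted(findings)


if __name__ == "__main__":
    for when, action, actor in manual_iam_changes(SAMPLE_EVENTS):
        print(f"{when} {action} by {actor}")
```

Comparing on the session issuer rather than the session ARN matters: every pipeline run gets a different session name, but the role behind it stays the same.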

Operability is a feature

Dashboards, alarms, and runbooks belong in the same backlog as user stories—otherwise on-call pays the tax forever.

Good cloud work is boring on Fridays.