undefined | Better HN

0 pointssleepychu2mo ago0 comments

We were saved by the bell when they announced the increased account limit for S3 buckets (1M buckets, now, 1k I think before).

Just before they announced that I was working on creating org accounts specifically to contain S3 buckets and then permitting the primary app to use those accounts just for their bucket allocation.

AWS themselves recommend an account per developer, IIRC.

It's as you say, some policy or limitation might require lots of accounts and lots of accounts can be pretty challenging to manage.

0 comments

tech22mo ago

I have to ask, because wow that's a lot of buckets, but what kind of activity requires breaching even a 1,000 bucket limit per account?

sleepychuOP2mo ago

Simplistic tenant isolation and cost tracking :-)

I know there are other solutions to this particular problem but this model is extremely easy to reason about. When the application accesses tenant objects or delegates that access with pre-signed URLs it is doing so with ephemeral credentials that literally could not access the objects in another tenancy.

That and a similar DB isolation, allows most of our handlers to be very simple as far as tenant isolation goes.

j / k navigate · click thread line to collapse