Multi-Account Strategy by Environment

Overview

For enterprise deployments, placing all of your Staging, Development, and Production servers in a single AWS account is a security anti-pattern: one mistake or one compromise reaches everything in that account. CloudAIPilot natively supports multi-account orchestration so that each environment gets its own blast-radius boundary.

The Strategy

Instead of using one master AWS account, you should create separate accounts (e.g., via AWS Organizations):

  1. Acme Corp - Production
  2. Acme Corp - Staging

You then connect *both* accounts into your single CloudAIPilot Organization.

Workflow Execution

When you ask the AI Pilot to *"Provision a new WordPress site for Staging"*, the platform lets you explicitly select the "Acme Corp - Staging" cloud account as the target, so the workflow never runs against the Production account by default.

This guarantees that:

  • A runaway process on a staging server cannot exhaust the service quotas (limits) of your production account.
  • A compromised staging application cannot reach your production VPC or databases, because they live in a different account with no shared network path or IAM trust.

Integration with Granular RBAC

By tagging the resulting servers and sites with the Staging environment tag, you ensure that team members with the Member role can deploy into the staging cloud account, while the platform blocks them from deploying anything into the Production cloud account.
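The target-account selection and the tag-based role check described in the two sections above can be modelled as a single deny-by-default decision. The following is an added illustration, not CloudAIPilot's own code: the account IDs are placeholders, the "Admin" role and the role-to-environment table are assumptions, and the environment tag vocabulary is constructed for the example. One check worth noting is that the tag a workflow stamps on its resources must agree with the environment of the account it targets; if it did not, a later tag-based RBAC check could be sidestepped, so the example refuses mismatches before it ever consults the role.

```python
"""Hypothetical environment-scoped deployment check across two AWS accounts.

Added example; not CloudAIPilot's own code. Account IDs, the Admin role and
the tag vocabulary are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed inventory of the cloud accounts connected to one organization.
# The 12-digit account IDs are placeholders, not real accounts.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "Acme Corp - Production": {"id": "111111111111", "environment": "Production"},
    "Acme Corp - Staging":    {"id": "222222222222", "environment": "Staging"},
}

# Hypothetical role-to-environment policy: which environments a role may deploy into.
# "Member" matches the page; "Admin" is an assumed privileged role.
ROLE_ENVIRONMENTS: Dict[str, Set[str]] = {
    "Admin":  {"Production", "Staging"},
    "Member": {"Staging"},
}


@dataclass(frozen=True)
class DeploymentRequest:
    actor_role: str        # role of the person triggering the workflow
    target_account: str    # cloud account explicitly selected as the target
    environment_tag: str   # tag that will be stamped on the resulting servers/sites


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    account_id: Optional[str] = None


def evaluate(request: DeploymentRequest) -> Decision:
    """Decide whether a deployment may proceed; anything not explicitly allowed is denied."""
    account = ACCOUNTS.get(request.target_account)
    if account is None:
        return Decision(False, f"unknown target account {request.target_account!r}")

    # The tag is what RBAC keys off, so a tag that disagrees with the account's
    # environment would let a tag-based check be bypassed. Refuse it outright,
    # regardless of who is asking.
    if request.environment_tag != account["environment"]:
        return Decision(
            False,
            f"tag {request.environment_tag!r} does not match account environment "
            f"{account['environment']!r}",
        )

    # Unknown roles get an empty permission set, i.e. no environments at all.
    permitted = ROLE_ENVIRONMENTS.get(request.actor_role, set())
    if account["environment"] not in permitted:
        return Decision(
            False,
            f"role {request.actor_role!r} may not deploy into {account['environment']}",
        )

    return Decision(True, "deployment permitted", account_id=account["id"])


if __name__ == "__main__":
    # Constructed requests: a Member in Staging (allowed), a Member targeting
    # Production (denied by role), and an Admin with a mismatched tag (denied).
    for req in (
        DeploymentRequest("Member", "Acme Corp - Staging", "Staging"),
        DeploymentRequest("Member", "Acme Corp - Production", "Production"),
        DeploymentRequest("Admin", "Acme Corp - Production", "Staging"),
    ):
        d = evaluate(req)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{req.actor_role:6} -> {req.target_account:22} {verdict} ({d.reason})")
```

The ordering of the checks is deliberate: account existence, then tag consistency, then role. Evaluating the role last means a privileged user still cannot produce a Production resource that carries a Staging tag, which keeps the tag trustworthy as an RBAC input.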
