# aws
p
Do you have recommendations on how to set up AWS multi-account with a self-managed backend? Related questions:
• use one backend (e.g. one S3 state file) or several ones?
• how to manage RBAC (per state, project and stack)?
• use AWS accounts for different environments (dev, staging, prod) or leverage stacks for those?
• ...
q
Pulumi scopes the state of a specific stack by project if you use self-managed backends (e.g. S3). When deciding whether to use multiple backends, you need to think about stack references: stack references do not work across different backends. Depending on whether you use different backends or not, you could do the following for RBAC: if you're using different backends, you can use the S3 path to represent the organizational hierarchy and create the necessary IAM roles to grant teams access only to their designated prefix (e.g. `s3://my-awesome-bucket/my-org/my-team`). If you end up using the same backend, you could establish a convention for the project name (e.g. `my-org_my-team_my-project`) and then do the same prefix-based IAM policies. For the account structure I'd recommend using multiple AWS accounts. The reasons for that are 1) access control and 2) account-wide quotas:
• It's easier to prevent unauthorized access to production systems that way.
• Many AWS services have account-wide quotas (Lambda for example), and that could cause impact across environments. For example, a load test in the dev environment could cause an outage in the prod environment if it reaches the Lambda concurrency limit of the account.
p
Thanks @quick-house-41860, that helps a lot!
We are thinking of setting up a first backend just to manage the users and their access to the S3 state file. Then we have a second backend that is used for all resources. In the second backend we would, for example, have a repo for shared resources and repositories with code and the respective infrastructure for specific resources. We are thinking of leveraging the providers to make sure that only certain users with the required permissions/roles can "deploy to production". We would do so by configuring the provider via the stack configuration.
Does that make sense? Is there a "better" way to do it?
Is there a Pulumi template repo or similar which shows how to manage the S3-prefix-based IAM policies?
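One way to express the prefix-based IAM policy discussed in this thread, as an added example that is not from the thread, from Pulumi, or from any template repo: a Python function builds the policy document for one team's `s3://<bucket>/<org>/<team>` backend, and a small offline check confirms that a sibling team's prefix (and a prefix that merely shares a name stem) is not covered. The bucket, org and team names are constructed from the thread's example; the action set is an assumed minimum for the S3 backend rather than Pulumi's documented requirement, and the key layout under the team prefix is assumed.

```python
import fnmatch
import json

def team_state_policy(bucket: str, org: str, team: str) -> dict:
    """IAM policy limiting a team to its own backend prefix.

    Assumes the team's backend URL is s3://<bucket>/<org>/<team>, so every
    state, history and lock object Pulumi writes sits under that key prefix.
    """
    prefix = f"{org}/{team}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ListBucket is a bucket-level action: it is scoped with the
                # s3:prefix condition key, not with an object ARN.
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ReadWriteOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }

def object_allowed(policy: dict, bucket: str, key: str) -> bool:
    """Offline sanity check: is this object key covered by an Allow statement
    granting s3:GetObject?  Only the Resource wildcard is evaluated, which is
    enough to verify the prefix boundary before the policy is deployed."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and "s3:GetObject" in actions:
            if fnmatch.fnmatchcase(arn, stmt["Resource"]):
                return True
    return False

if __name__ == "__main__":
    # Constructed names taken from the thread's example layout.
    policy = team_state_policy("my-awesome-bucket", "my-org", "my-team")
    print(json.dumps(policy, indent=2))
    print(object_allowed(policy, "my-awesome-bucket", "my-org/my-team/.pulumi/stacks/app/dev.json"))
    print(object_allowed(policy, "my-awesome-bucket", "my-org/other-team/.pulumi/stacks/app/dev.json"))
```

The trailing slash in the prefix matters: without it, `my-org/my-team*` would also grant access to a team whose name starts with `my-team`.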