> My favorite way to create a network between all my services hosted in different AWS accounts is to share a VPC from a network account into all my service accounts and use security groups to authorize service-to-service communication. There’s no per-byte tax, zonal architectures are easy to reason about, and security groups work just like you expect.
That's gold advice. I wish AWS RAM supported more services (like AWS EKS).
A small complaint: working with AWS SSO is a bit tedious. My current solution is to share my ~/aws/config with everyone so we all have the same profile names and scripts can work for everyone.
Why can't the CLI generate the config if I can see all the accounts and roles in the SSO start page? That's a desperately needed feature.
I would love to see a browser extension for SSO account tabs if AWS can't solve it natively.
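As an added example (not from the thread, and not AWS's own tooling), here is a stdlib-only Python sketch of the config generation the comment asks for: take the JSON that `aws sso list-accounts` and `aws sso list-account-roles` return after `aws sso login`, derive deterministic profile names from account name plus role, and render an `~/.aws/config` in the `sso-session` format so the whole team ends up with identical profile names. The listing below is constructed, and the session name, start URL and region are assumed values. It also handles the one edge case that bites teams doing this: two accounts whose names collapse to the same slug (e.g. "Payments Prod" and "Payments-Prod"), which would otherwise silently overwrite each other.

```python
"""Generate ~/.aws/config profiles from an IAM Identity Center (SSO) listing.

Added example, not code from the thread. Input shape matches the CLI output of
`aws sso list-accounts` (accountList) and `aws sso list-account-roles`
(roleList). Sample data is constructed; session/start-url/region are assumed.
"""
import configparser
import io
import re

# Constructed sample: what the two CLI calls would return for a fictional org.
SAMPLE_ACCOUNTS = {
    "accountList": [
        {"accountId": "111111111111", "accountName": "Network Prod",
         "emailAddress": "net-prod@example.com"},
        {"accountId": "222222222222", "accountName": "Payments Prod",
         "emailAddress": "pay-prod@example.com"},
        # Different account, same slug as the one above once normalised.
        {"accountId": "333333333333", "accountName": "Payments-Prod",
         "emailAddress": "pay-prod-old@example.com"},
    ]
}
SAMPLE_ROLES = {
    "111111111111": {"roleList": [
        {"roleName": "ReadOnlyAccess", "accountId": "111111111111"}]},
    "222222222222": {"roleList": [
        {"roleName": "AdministratorAccess", "accountId": "222222222222"},
        {"roleName": "ReadOnlyAccess", "accountId": "222222222222"}]},
    "333333333333": {"roleList": [
        {"roleName": "ReadOnlyAccess", "accountId": "333333333333"}]},
}


def slug(name: str) -> str:
    """Lower-case and collapse runs of non-alphanumerics to '-'."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def build_profiles(accounts, roles_by_account, session_name="corp",
                   default_region="us-east-1"):
    """Return {profile_name: settings} with name = <account-slug>-<RoleName>.

    If two accounts normalise to the same slug, the later one gets its account
    id appended so neither profile shadows the other. Any remaining duplicate
    is a hard error rather than a silent overwrite.
    """
    profiles = {}
    slug_owner = {}  # slug -> accountId that claimed it first
    for acct in accounts["accountList"]:
        acct_id = acct["accountId"]
        s = slug(acct["accountName"])
        if slug_owner.setdefault(s, acct_id) != acct_id:
            s = f"{s}-{acct_id}"
        for role in roles_by_account[acct_id]["roleList"]:
            name = f"{s}-{role['roleName']}"
            if name in profiles:
                raise ValueError(f"duplicate profile name: {name}")
            profiles[name] = {
                "sso_session": session_name,
                "sso_account_id": acct_id,
                "sso_role_name": role["roleName"],
                "region": default_region,
            }
    return profiles


def render_config(profiles, session_name, start_url, sso_region):
    """Render an INI config using the sso-session layout the AWS CLI v2 reads.

    Note what is NOT here: no access keys or tokens. SSO tokens live in
    ~/.aws/sso/cache, so this file contains nothing secret and can be shared.
    """
    cp = configparser.ConfigParser()
    cp[f"sso-session {session_name}"] = {
        "sso_start_url": start_url,
        "sso_region": sso_region,
        "sso_registration_scopes": "sso:account:access",
    }
    for name, settings in profiles.items():
        cp[f"profile {name}"] = settings
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def parse_config(text):
    """Parse rendered config back into {section: {key: value}} for checking."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {sec: dict(cp[sec]) for sec in cp.sections()}


if __name__ == "__main__":
    # Assumed session name and start URL; replace with your org's values.
    profiles = build_profiles(SAMPLE_ACCOUNTS, SAMPLE_ROLES)
    print(render_config(profiles, "corp",
                        "https://d-example.awsapps.com/start", "us-east-1"))
```

In real use the two listings come from `aws sso list-accounts --access-token ...` and `aws sso list-account-roles --account-id ... --access-token ...` using the token cached by `aws sso login`; merge the output into an existing `~/.aws/config` rather than overwriting it, so non-SSO profiles people already depend on survive.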