Account Size - Use Small Accounts
Aggressively use accounts as your permissions and blast radius boundary.
Summary
The AWS account is the hard permissions boundary, and it is also the blast radius boundary: a leaked credential, an over-broad role, or a bad deployment is contained by the account it lives in. IAM can narrow permissions inside one account with tag-based conditions (ABAC), but that is complex, easy to get wrong, and not supported consistently across all actions and services, so it is a weak substitute for a separate account. Use an account per application, or an even smaller unit such as one account per application per environment. The side effect is a large number of accounts, so account creation and decommissioning must be automated (through AWS Organizations, for example) rather than done by hand. Many accounts also means many VPCs unless you share VPCs across accounts, and the VPCs that need to talk to each other have to be connected through VPC peering or a Transit Gateway (TGW).
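The automation step above is where account-per-app designs usually stall, so here is an added example (not code from the original page or its author) of a small reconciler that drives AWS Organizations: it lists the active accounts under an application OU, diffs them against an app inventory, creates accounts for new apps, moves each new account out of the Organization root into the OU, and closes accounts whose app has been retired. The OU and root IDs, the e-mail domain, the account names and the in-memory `FakeOrganizations` client are all constructed for illustration; the functions only use calls that exist on boto3's real `organizations` client, which `make_org_client()` returns.

```python
"""Reconcile one-AWS-account-per-app against AWS Organizations (added example)."""
import time
from dataclasses import dataclass, field

EMAIL_DOMAIN = "aws-root.example.com"  # assumed: every account needs a unique root e-mail


@dataclass
class Plan:
    create: list[str] = field(default_factory=list)  # app names that need a new account
    close: list[str] = field(default_factory=list)   # account IDs whose app is retired
    keep: list[str] = field(default_factory=list)    # account IDs left untouched


def make_org_client():
    """Real client for production use; imported lazily so the module runs without boto3."""
    import boto3
    return boto3.client("organizations")


def account_email(app: str) -> str:
    # Root e-mails must be globally unique across AWS; derive one per app with plus-addressing.
    return f"aws+{app}@{EMAIL_DOMAIN}"


def list_app_accounts(org, parent_id: str) -> dict[str, str]:
    """Map account Name (the app it belongs to) -> account ID for ACTIVE accounts under an OU."""
    found, token = {}, None
    while True:
        kwargs = {"ParentId": parent_id, **({"NextToken": token} if token else {})}
        page = org.list_accounts_for_parent(**kwargs)
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE":
                found[acct["Name"]] = acct["Id"]
        token = page.get("NextToken")
        if not token:
            return found


def build_plan(desired_apps, existing: dict[str, str]) -> Plan:
    desired = set(desired_apps)
    return Plan(
        create=sorted(desired - existing.keys()),
        close=sorted(acct for app, acct in existing.items() if app not in desired),
        keep=sorted(existing[app] for app in desired & existing.keys()),
    )


def apply_plan(org, plan: Plan) -> list[str]:
    """Submit CreateAccount requests for new apps and close retired accounts; returns request IDs."""
    requests = []
    for app in plan.create:
        resp = org.create_account(
            Email=account_email(app), AccountName=app,
            IamUserAccessToBilling="DENY",            # app accounts never need billing access
            Tags=[{"Key": "app", "Value": app}],
        )
        requests.append(resp["CreateAccountStatus"]["Id"])
    for acct_id in plan.close:
        org.close_account(AccountId=acct_id)          # account is suspended, then deleted by AWS
    return requests


def finish_creates(org, request_ids, root_id, parent_id, poll_seconds=5, max_polls=60):
    """CreateAccount is asynchronous and always lands the account in the Organization root,
    so poll each request and move the finished account into the application OU."""
    moved = []
    for req in request_ids:
        for _ in range(max_polls):
            st = org.describe_create_account_status(CreateAccountRequestId=req)["CreateAccountStatus"]
            if st["State"] == "SUCCEEDED":
                org.move_account(AccountId=st["AccountId"], SourceParentId=root_id,
                                 DestinationParentId=parent_id)
                moved.append(st["AccountId"])
                break
            if st["State"] == "FAILED":
                raise RuntimeError(f"{req}: {st.get('FailureReason')}")
            time.sleep(poll_seconds)
        else:
            raise TimeoutError(req)
    return moved


class FakeOrganizations:
    """Constructed in-memory stand-in for the boto3 Organizations client (test data only)."""
    def __init__(self, root_id, accounts):
        self.root_id, self.accounts, self.next_id = root_id, accounts, 100

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        return {"Accounts": [{"Id": i, "Name": a["Name"], "Status": a["Status"]}
                             for i, a in self.accounts.items() if a["Parent"] == ParentId]}

    def create_account(self, Email, AccountName, IamUserAccessToBilling, Tags):
        self.next_id += 1
        acct_id = f"{self.next_id:012d}"
        self.accounts[acct_id] = {"Name": AccountName, "Status": "ACTIVE", "Parent": self.root_id}
        return {"CreateAccountStatus": {"Id": f"car-{acct_id}", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        return {"CreateAccountStatus": {"State": "SUCCEEDED",
                                        "AccountId": CreateAccountRequestId.removeprefix("car-")}}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.accounts[AccountId]["Parent"] = DestinationParentId

    def close_account(self, AccountId):
        self.accounts[AccountId]["Status"] = "SUSPENDED"


def demo():
    """Constructed scenario: billing and search stay, legacy-crm is retired, payments is new."""
    root, ou = "r-exmp", "ou-exmp-apps1234"
    org = FakeOrganizations(root, {
        "000000000001": {"Name": "billing", "Status": "ACTIVE", "Parent": ou},
        "000000000002": {"Name": "search", "Status": "ACTIVE", "Parent": ou},
        "000000000003": {"Name": "legacy-crm", "Status": "ACTIVE", "Parent": ou},
    })
    plan = build_plan(["billing", "search", "payments"], list_app_accounts(org, ou))
    finish_creates(org, apply_plan(org, plan), root, ou, poll_seconds=0)
    return plan, org


if __name__ == "__main__":
    print(demo()[0])
```

The app inventory is the source of truth, so retiring an app is a one-line change that closes its account on the next run; that is what keeps the blast radius honest when the account count climbs into the hundreds. Swap `FakeOrganizations` for `make_org_client()` to run it against a real organization from the management account.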
Applicable To
When designing your account structure and connectivity for all your cloud applications.
Resources
AWS Account
Maturity
High
Functions
CSPS
AWS
Author
Mark Andersen
Additional Links