
This is wrong advice.

You need multiple accounts, and that has always been the best practice: [1] and [2].

Where are you keeping your CloudTrail logs? In a bucket in the same account?! That is the first thing that will be wiped out in case of a security compromise of the role or user that set it up.

You can also, and should, use AWS Organizations for consolidated billing [3].

Even without AWS Organizations, with a single account, particularly at an enterprise level, you are just a step away from losing everything. And the reason why you might lose everything has nothing to do with the best practice of only using the root user (with MFA) for the very few required tasks that force you to use the root user. [4]

One possible scenario is if, for example, the persons that have access to the root user credentials (and there will always be some...) are going rogue, being blackmailed, or getting compromised in another way. All gone, including your remote backups in other regions...

S3 Object Lock [5] will mitigate the risks of a compromised root user, but don't use only one account. Have more than one, even for your personal projects.

[1] - "Benefits of using multiple AWS accounts" - https://docs.aws.amazon.com/whitepapers/latest/organizing-yo...

[2] - "Organizing Your AWS Environment Using Multiple Accounts" - https://docs.aws.amazon.com/whitepapers/latest/organizing-yo...

[3] - "Consolidated billing for AWS Organizations" - https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2...

[4] - "Tasks that require root user credentials" - https://docs.aws.amazon.com/accounts/latest/reference/root-u...

[5] - "Protecting data with Amazon S3 Object Lock" - https://aws.amazon.com/pt/blogs/storage/protecting-data-with...
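The two properties the comment argues for (the trail's log bucket owned by a different account than the trail, and that bucket protected by Object Lock) can be checked mechanically. The following Python is an added example, not code from the comment or from any AWS tool. Its trail and bucket inventory is constructed inline and stands in for what `cloudtrail:DescribeTrails` and `s3:GetObjectLockConfiguration` would return; the bucket-to-owner map is an assumption you would build by listing buckets with credentials in each account. The finding codes (`SAME_ACCOUNT_BUCKET`, `NO_OBJECT_LOCK`, `LOCK_NOT_COMPLIANCE`, `BUCKET_UNKNOWN`) are names chosen here for illustration.

```python
"""Flag CloudTrail trails whose log bucket sits in the trail's own account
and/or lacks S3 Object Lock in compliance mode.

Added example for illustration; the inventory below is constructed, not
real AWS output. In practice the trail list comes from
cloudtrail:DescribeTrails and the lock settings from
s3:GetObjectLockConfiguration, run with read-only credentials in each account.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Trail:
    name: str
    trail_arn: str        # arn:aws:cloudtrail:<region>:<account>:trail/<name>
    s3_bucket_name: str   # S3BucketName field of DescribeTrails


@dataclass(frozen=True)
class Bucket:
    name: str
    owner_account: str                    # account that owns the bucket (assumed inventory)
    object_lock_enabled: bool = False
    retention_mode: Optional[str] = None  # "GOVERNANCE" or "COMPLIANCE"
    retention_days: int = 0


def account_from_arn(arn: str) -> str:
    """Return the account-ID field of an AWS ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[4].isdigit():
        raise ValueError(f"not a well-formed AWS ARN: {arn!r}")
    return parts[4]


def audit_trail(trail: Trail, buckets: Dict[str, Bucket]) -> List[str]:
    """Return finding codes for one trail; an empty list means it passes."""
    findings: List[str] = []
    trail_account = account_from_arn(trail.trail_arn)
    bucket = buckets.get(trail.s3_bucket_name)
    if bucket is None:
        # A trail writing to a bucket nobody in the inventory owns is itself a finding.
        return ["BUCKET_UNKNOWN"]
    if bucket.owner_account == trail_account:
        # Same account: whoever compromises this account can delete the evidence.
        findings.append("SAME_ACCOUNT_BUCKET")
    if not bucket.object_lock_enabled:
        findings.append("NO_OBJECT_LOCK")
    elif bucket.retention_mode != "COMPLIANCE" or bucket.retention_days <= 0:
        # Governance-mode retention can be bypassed by a principal holding
        # s3:BypassGovernanceRetention; compliance mode cannot be shortened
        # during the retention period, not even by the root user.
        findings.append("LOCK_NOT_COMPLIANCE")
    return findings


# Constructed inventory: one workload account with three trails, one log-archive account.
WORKLOAD_ACCOUNT = "111111111111"
LOG_ARCHIVE_ACCOUNT = "222222222222"

SAMPLE_TRAILS = [
    Trail("prod-trail-local",
          f"arn:aws:cloudtrail:us-east-1:{WORKLOAD_ACCOUNT}:trail/prod-trail-local",
          "prod-trail-logs"),
    Trail("prod-trail-archived",
          f"arn:aws:cloudtrail:us-east-1:{WORKLOAD_ACCOUNT}:trail/prod-trail-archived",
          "org-cloudtrail-archive"),
    Trail("dev-trail",
          f"arn:aws:cloudtrail:us-east-1:{WORKLOAD_ACCOUNT}:trail/dev-trail",
          "dev-trail-logs"),
]

SAMPLE_BUCKETS = {
    # Same account as the trail, no lock: the setup the comment warns about.
    "prod-trail-logs": Bucket("prod-trail-logs", WORKLOAD_ACCOUNT),
    # Separate log-archive account, compliance-mode lock: the setup it recommends.
    "org-cloudtrail-archive": Bucket("org-cloudtrail-archive", LOG_ARCHIVE_ACCOUNT,
                                     True, "COMPLIANCE", 400),
    # Separate account but only governance-mode lock: still bypassable.
    "dev-trail-logs": Bucket("dev-trail-logs", LOG_ARCHIVE_ACCOUNT, True, "GOVERNANCE", 30),
}


def run_audit(trails: List[Trail] = SAMPLE_TRAILS,
              buckets: Dict[str, Bucket] = SAMPLE_BUCKETS) -> Dict[str, List[str]]:
    """Audit every trail and map trail name to its finding codes."""
    return {t.name: audit_trail(t, buckets) for t in trails}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Run against real data, the check wants one more input the sample omits: the bucket policy on the archive bucket, which must allow `cloudtrail.amazonaws.com` to write from the workload accounts while granting the workload accounts themselves no delete or policy rights on it.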
