All posts
Platform EngineeringAWSTerraformDevOps

Stop Filing Tickets for AWS Accounts

How Account Vending Machines Changed Our Platform Team

Luke Halley

Luke Halley

Cloud Developer

January 15, 2026
8 min read

Two weeks.

That's how long developers waited for a new AWS account at one organization I worked with. File a ticket. Wait for approval. Wait for the cloud team. Wait for networking. Wait for security review. Wait for someone to remember the ticket existed.

At another, developers get production-ready AWS accounts in 4 minutes. No tickets. No waiting. No cloud team bottleneck.

The difference? An Account Vending Machine.

The Old Way Is Broken

If your organization has more than a handful of AWS accounts, you've probably experienced this:

  • Developer needs isolated environment for new project
  • Files request with cloud/platform team
  • Cloud team is backlogged with 47 other requests
  • Account gets created... eventually
  • Developer realizes networking isn't configured
  • Another ticket. Another wait.
  • Security guardrails missing. Another ticket.
  • Developer rage-quits and uses their personal AWS account

    • This doesn't scale. At 100+ accounts, it completely breaks down.

    What's an Account Vending Machine?

    An AVM is self-service infrastructure for AWS accounts. Developers request what they need through a form or API. Automation handles everything else:

  • Account creation in AWS Organizations
  • OU placement based on workload type
  • Networking (VPC, subnets, Transit Gateway attachments)
  • Security baselines (GuardDuty, Security Hub, Config rules)
  • IAM roles and SSO integration
  • Cost allocation tags
  • Budget alerts

    • The developer gets a fully configured, compliant, production-ready account. The platform team gets audit logs and central governance. Everyone wins.

    Architecture That Actually Works

    Here's what we built:

    hcl
    # Simplified account request
module "new_account" {
  source = "./modules/account-vending"

  account_name     = "project-phoenix-dev"
  account_email    = "aws+phoenix-dev@company.com"
  organizational_unit = "workloads/development"

  environment = "development"
  cost_center = "engineering"
  owner       = "phoenix-team@company.com"

  network_config = {
    vpc_cidr           = "10.42.0.0/16"
    availability_zones = ["ap-southeast-2a", "ap-southeast-2b"]
    enable_nat_gateway = true
    transit_gateway_id = data.aws_transit_gateway.main.id
  }

  security_baseline = "standard"  # or "pci", "hipaa"
}

    Behind this simple interface:

    1. AWS Service Catalog

    Service Catalog provides the self-service portal. Developers browse a catalog of account types (dev, staging, production, sandbox) and fill in parameters. No Terraform knowledge required.

    2. Step Functions Orchestration

    Account creation involves ~15 sequential and parallel operations. Step Functions coordinates:

  • CreateAccount API call
  • Wait for account to become available
  • Move to correct OU
  • Assume role into new account
  • Deploy baseline CloudFormation/Terraform
  • Configure networking
  • Enable security services
  • Send notification

    • 3. Control Tower or Custom Landing Zone

    We use AWS Control Tower for guardrails, but custom landing zones work too. The key is having:

  • Centralized logging account
  • Security/audit account
  • Network hub account
  • Consistent OU structure

    • 4. Terraform for Everything Else

    Once the account exists, Terraform modules deploy:

    hcl
    # Baseline module applied to every account
module "account_baseline" {
  source = "git::https://github.com/org/terraform-modules.git//account-baseline"

  providers = {
    aws = aws.new_account
  }

  account_id   = aws_organizations_account.this.id
  account_name = var.account_name
  environment  = var.environment

  # Security
  enable_guardduty     = true
  enable_security_hub  = true
  enable_config_rules  = true

  # Networking
  vpc_config = var.network_config

  # IAM
  sso_permission_sets = var.sso_permission_sets
}

    The 4-Minute Account

    Here's what happens when a developer clicks "Request Account":

    TimeAction
    0:00Developer submits request via Service Catalog
    0:05Step Function triggers, calls CreateAccount API
    0:30Account created, moved to target OU
    1:00Control Tower guardrails applied automatically
    1:30Terraform baseline begins (VPC, IAM, security)
    3:00Transit Gateway attachment completes
    3:30SSO permission sets assigned
    4:00Developer receives Slack notification with console link

    From "I need an account" to "I'm deploying code" in 4 minutes.

    Lessons From 100+ Accounts

    Email Addresses Are Permanent

    AWS account emails can't be changed after creation. We use a pattern:

    code
    aws+{account-name}@company.com

    Gmail-style plus addressing means all emails route to one inbox, but each account has a unique address.

    CIDR Planning Is Critical

    Running out of IP space is painful. We allocate /16 blocks per environment type from a master IPAM:

    code
    10.0.0.0/8   → Production
10.64.0.0/10 → Staging
10.128.0.0/10 → Development
10.192.0.0/10 → Sandbox

    Each account gets a /16 within its environment block. Plenty of room.

    Cost Visibility From Day One

    Every account gets:

  • Budget alert at 80% of projected monthly
  • Cost allocation tags (mandatory via SCP)
  • Automatic tagging of all resources
  • Weekly cost report to owner email

    • Developers see their costs. Costs go down.

    Break Glass Procedures

    Automation handles 99% of cases. For the 1%:

  • Document manual override procedures
  • Require two-person approval for manual changes
  • Log everything to immutable audit trail
  • Run drift detection daily

    • What Platform Engineering Actually Means

    Platform engineering isn't about building platforms for the sake of it. It's about removing friction while maintaining governance.

    The account vending machine embodies this:

  • Developers get speed: 4 minutes instead of 2 weeks
  • Security gets compliance: Every account has guardrails from minute one
  • Finance gets visibility: Cost attribution is automatic
  • Platform team gets time back: No more account creation tickets

    • This is the shift from "gatekeeper" to "enabler."

    Start Simple

    You don't need to build everything at once. Start with:

  • Standardize account structure: Define your OU hierarchy
  • Automate one thing: Maybe just account creation with basic networking
  • Add security baselines: GuardDuty, Config, basic IAM
  • Iterate: Add features based on developer feedback

    • The goal isn't perfection. It's eliminating the 2-week wait.

    Managing 100+ AWS accounts taught me that scale requires self-service. If your cloud team is drowning in tickets, an account vending machine might be your life raft.