
April 15, 2026 · plainfra

AWS Multi-Account Infrastructure Report: Five Accounts, One View

When your AWS environment spans multiple accounts — production, staging, shared services, sandbox — the hardest problem isn't finding issues. It's seeing everything together in one place, understanding which account is the biggest risk, and knowing what to fix first.

This page walks through a real example of a plainfra cross-account weekly health report covering five accounts. It's the format delivered to Team plan customers every week.

Download the full sample report (PDF, 34 KB) →

The scenario

Meridian Logistics Pty Ltd is an Australian supply-chain SaaS company. Their AWS environment spans five accounts: production, ingestion (EDI/API intake), hub (shared services), uat, and sandbox. Total monthly spend: $17,497.

Overall status: RED

The report opens with a single RAG status for the entire environment — driven by the most serious finding across all accounts. Each account then gets its own status:

Executive summary

The AI writes a plain-English summary of what changed, what got fixed, what got worse, and what's new — in the time it takes to read a text message. This week's reads:

> Total cost across five accounts is $17,497/month — up $290 from last week. One production certificate is now 11 days from expiry. Two items resolved since last week: Jenkins and Nexus instances in hub now have auto-stop schedules (recovering ~$340/month), and the hub IAM password policy has been corrected. Three new findings: worsening SQS DLQ backlog in ingestion, Kinesis approaching throttle, and IAM Identity Centre absent across all accounts.

Production — RED

ACM certificate expires in 11 days. Auto-renewal not enabled. If not renewed, all HTTPS traffic to the customer-facing application fails on 26 April.

PostgreSQL port 5432 open to the public internet. Security group sg-0a4f2c1d allows TCP 5432 from 0.0.0.0/0. Open since 22 March — three report cycles with no action.
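
A check for the open PostgreSQL finding above, as an added example that is not plainfra's code or part of the sample report: it scans a response shaped like EC2 DescribeSecurityGroups for ingress rules that expose TCP 5432 to 0.0.0.0/0 or ::/0, including port ranges and all-protocol rules that cover the port. The sample data is constructed; only sg-0a4f2c1d comes from the report, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample shaped like the EC2 DescribeSecurityGroups response.
# Only sg-0a4f2c1d comes from the report; other ids and rules are made up.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a4f2c1d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-example-https", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

def covers_port(perm, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if perm["IpProtocol"] == "-1":      # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def world_open(response, port=5432):
    """Return sorted (group id, cidr) pairs exposing `port` to any address."""
    hits = set()
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            hits.update((sg["GroupId"], c) for c in cidrs if is_world(c))
    return sorted(hits)

if __name__ == "__main__":
    for group_id, cidr in world_open(SAMPLE):
        print(f"{group_id}: TCP 5432 reachable from {cidr}")
```

Matching on the exact port alone would miss the range and all-protocol rules, which expose 5432 just as directly as the rule named in the report.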

Warnings: RDS storage at 87%; three IAM users with console access and no MFA; no CloudWatch alarms on RDS.

30-day cost: $9,240

Ingestion — AMBER

SQS DLQ backlog at 1,247 messages — up from 843 last week (+48%). EDI parse failures accumulating silently. Downstream order records in the production database may be incomplete.

Warnings: Lambda with no dead-letter queue; Kinesis stream at 89% shard utilisation; CloudTrail not enabled.

30-day cost: $3,870

Hub — AMBER (2 resolved since last week)

Jenkins and Nexus instances now have auto-stop schedules — ~$340/month recovered. IAM password policy corrected.

Remaining: NAT Gateway in a single AZ; four security groups with unrestricted egress.

30-day cost: $1,840 (down $340 from last week)

UAT — GREEN

Three low-priority warnings: stopped EC2 instances with EBS volumes still billing (~$85/month); oversized RDS at 6% average CPU; seven S3 buckets with no lifecycle policies.

30-day cost: $1,340

Sandbox — AMBER

Four open warnings since initial scan: no IAM password policy; no CloudTrail; 8 EC2 dev instances running 24/7 (up to $520/month saving at on-demand rates if scheduled); no AWS Budgets — cost grew 39% in one week with no alert fired.

30-day cost: $1,207

Cross-account findings

No consistent resource tagging. 14 different tag schemas across five accounts. Cost allocation by team or project is unreliable.

IAM Identity Centre not configured. 23 direct IAM users across accounts with no SSO in use. Off-boarding requires manual deletion in each account.

AWS Config not enabled in any account. No drift detection, no managed rules, no compliance baseline.

Backup coverage gap. Automated backups exist only for the production RDS instance. Ingestion, hub, and sandbox have no backup strategy.

Cost accuracy

All billed totals come directly from AWS Cost Explorer — exact figures, not estimates. For savings estimates on running compute, the report checks Savings Plan and Reserved Instance coverage first. If your compute is substantially covered by a commitment, estimates are qualified accordingly. This is a deliberate difference from AWS Trusted Advisor, which quotes savings at on-demand list prices regardless of your actual coverage.

Download

Download full five-account sample report (PDF, 34 KB) →

Single-account examples: production account (RED) · sandbox account (AMBER)

Start a free trial → 50K tokens, 48 hours, no credit card. Multi-account coverage available on the Team plan. Or try the interactive demo first.