AWS Credentials - What are multi region user/role management best practices?
Problem
In the past, I've usually had separate accounts for each region that I've worked in. These accounts had different IAM roles/etc, so there was very little chance I'd inadvertently mess up region A when working on region B and vice versa.
Recently, we deployed to another region within the same account. This means, without extra controls, just setting the default region differently on your CLI could have fairly disastrous consequences.
While IAM is global, is it generally recommended to have distinct users per region / restrict which resources they can hit with policies, or is that overkill? Are there any good tools for helping you "not mess up" when running anything on the CLI (including things like Terraform)? Do you know any other "best practices" or good resources to learn about this particular area?
Solution
Start by reading this: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Those are best-practices and do not take into account business policies.
I don't think having one account per region is more secure than having policies scoped by regions. In the CLI, you will have to specify the region in the command anyway (not sure if the AWS CLI uses a default region if you don't specify one in your credentials file).
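An example of the region-scoped policy the answer refers to, added here and not part of the question or answer: an explicit Deny for every request whose aws:RequestedRegion is not the intended region, with NotAction exempting global services that are always addressed through us-east-1. The region name and the list of exempted services are assumptions; adapt both to the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideIntendedRegion",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1"]
        }
      }
    }
  ]
}
```

Because an explicit Deny wins over any Allow, a CLI or Terraform run pointed at the wrong default region fails on its first regional API call instead of changing anything; the NotAction list is needed because global services report us-east-1 as the requested region and would otherwise be blocked too.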
Context
StackExchange DevOps Q#11187, answer score: 2