The main reason for using separate accounts is to protect Production from the other environments/stages.
Having separate accounts for your environments is the recommended (by AWS) way to limit the “blast radius” of your applications and users. It means you can give your developers full access to a development account, and not have to worry about your production application(s) be impacted unintentionally. While you could theoretically limit access to stages/environments in the same account using IAM permissions, it would be very fiddly, error-prone, frustrating, and basically not worth the effort.
This separation is a must-have in most larger organisations. If you’re working in a smaller organisation, maybe you can get away with one account for everything, but in the long-run you’ll be much better off using multiple accounts - there’s not additional cost from the AWS side of things, and it will make you’re life much simpler (i.e. troubleshooting, reporting, etc).
I created different profiles in the config and credentials files, but when I deployed using a profile which I thought referred to a different account, it still deployed to the same account as my original profile. Where / how in serverless.yml do you specify the account that it should deploy to?
I’ve got multiple profiles configured and I can successfully use them as you stated (I’ve also got them configured to accept the command line option variable). The problem is that we use different AWS accounts for different stages – but even when I use the profile and credentials for the new account, when I run SLS deploy --profile it still ends up creating the project in the original account (even though the credentials for the devApd profile are in the new account…
Last time I checked there wasn’t a --profile option for sls deploy. You need to set the AWS_PROFILE environment variable. If you don’t then it uses the default profile.