What are our AWS accounts?
We split our resources into a number of different AWS accounts, to provide a degree of isolation between unrelated services.
These accounts are managed under an owned by Wellcome. This page lists all of the Wellcome Collection accounts, and there's a list of all of Wellcome's accounts.
This is our original AWS account.
This is meant to be used for infrastructure which is shared across the platform, but it also contains some resources that predate our use of multiple accounts (e.g. our CI infrastructure, shared IAM roles). Ideally we'd like to put those resources into dedicated accounts, but moving resources between accounts is complicated!
Everything for the catalogue API, including both the API itself and some data pipelines.
The catalogue pipeline doesn't run in this account; it still runs in the platform account. Ideally it would run here, but it's a big job to move it.
Data science services.
This has mostly been used for prototyping and experiments, not any public-facing or permanent infrastructure.
Everything managed by Digirati, including DLCS and iiif-builder.
This account just has some S3 buckets used by the Digital Production team.
The front-end web apps for wellcomecollection.org.
The naming is somewhat legacy – there used to be a team called "Digital Experience" that was responsible for these apps. That team hasn't existed for a while, but the name is hard to change.
Services involved in library account management.
These services all touch personally identifiable information (PII) in the form of user logins and library patron data. This is an example of why we run services in different accounts – these services are isolated from the rest of the platform, to reduce the risk of PII accidentally leaking.
Services for populating the reporting cluster, which we use for in-house data analytics, dashboards, and so on.
This account includes both the S3 buckets that are the permanent storage, and the services that populate them.
Goobi and Archivematica. These are sometimes referred to as "workflow" systems, hence the account name.
There are a couple of accounts that predate the current platform team. These accounts still exist and have some resources in them, but we might want to clean them up at some point.
Although they predate the platform, they do have our standard set of IAM roles for easy access.
An account with some old Wellcome Collection microsites.
Another old account, used for mostly-deprecated services. The only thing left in this account is the old Medical Officer of Health (MOH) reports.
This account is owned by Wellcome Trust rather than Wellcome Collection, and it's where all the DNS records are managed. We can get access to this account from the platform-superdev initial role by assuming the following role:
and then you can see the DNS records in Route 53 for:
wellcomecollection.org ()
wellcomeimages.org (, )
wellcomelibrary.org (, )*
(You can't find the hosted zone in the Route 53 console because we don't have the ListHostedZones permission – some of them are for domains we don't control.)
For historical reference, these are accounts we used to have but have since closed:
241906670800 / dam_prototype – used for testing a prototype of the storage service (dam as in DAMS, short for Digital Asset Management System, which is a bit of jargon from the cultural heritage sector)
656287925160 – used for some early Digital Platform testing and as the root of a Wellcome Collection-specific AWS Organization. All our accounts were later moved into the Wellcome Trust Organization, which left this account unused, so it was closed.
353326981479 – another now-closed account used for early platform testing.
The , which houses the permanent digital collections.
There's a that's tracking the gradual deletion of resources in this account.
The root email address for this account is , which is a shared inbox.
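For the DNS account described above, this added example (not from the Wellcome Collection docs) assumes the DNS-account role from the caller's platform-superdev credentials with the AWS CLI and then reads one hosted zone by ID, which is how you have to work there because ListHostedZones is denied. The role ARN and hosted zone ID are elided on the page, so they are taken from the DNS_ROLE_ARN and DNS_ZONE_ID environment variables as labelled placeholders.

```shell
#!/bin/sh
# Added example, not the Wellcome Collection docs' own code. The role ARN and
# hosted zone ID are not on the page, so they come from DNS_ROLE_ARN and
# DNS_ZONE_ID (placeholders you must set before running).
set -eu

# Turn the JSON printed by `aws sts assume-role` (read from stdin) into quoted
# `export` lines for the temporary credentials. Uses sed only, so it works where
# jq is not installed; the CLI prints each credential key on its own line.
creds_to_env() {
  sed -n \
    -e "s/.*\"AccessKeyId\": *\"\([^\"]*\)\".*/export AWS_ACCESS_KEY_ID='\1'/p" \
    -e "s/.*\"SecretAccessKey\": *\"\([^\"]*\)\".*/export AWS_SECRET_ACCESS_KEY='\1'/p" \
    -e "s/.*\"SessionToken\": *\"\([^\"]*\)\".*/export AWS_SESSION_TOKEN='\1'/p"
}

# Assume the DNS-account role using whatever credentials are already in the
# environment (the platform-superdev role). The session is capped at one hour
# and the session name records who assumed the role in CloudTrail.
assume_dns_role() {
  # $1: role ARN (placeholder; the real one is elided on the page)
  resp=$(aws sts assume-role --role-arn "$1" \
    --role-session-name "dns-readonly-$(id -un)" --duration-seconds 3600)
  printf '%s\n' "$resp" | creds_to_env
}

# List the records in one hosted zone. ListHostedZones is denied in this
# account, so the zone cannot be discovered; it must be addressed by ID.
dns_records() {
  # $1: hosted zone ID (placeholder; look it up from whoever owns the zone)
  aws route53 list-resource-record-sets --hosted-zone-id "$1" \
    --query 'ResourceRecordSets[].[Name,Type,TTL]' --output table
}

# Only talk to AWS when both account-specific values have been supplied.
if [ -n "${DNS_ROLE_ARN:-}" ] && [ -n "${DNS_ZONE_ID:-}" ]; then
  eval "$(assume_dns_role "$DNS_ROLE_ARN")"
  dns_records "$DNS_ZONE_ID"
fi
```

The exported credentials live only in the current shell session and expire with the STS session, so nothing needs to be cleaned up afterwards.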