Which practice reduces blast radius and improves security in a multi-account design?
Multiple Choice

Which practice reduces blast radius and improves security in a multi-account design?

Explanation:
Network segmentation and defense-in-depth are essential to reduce blast radius in a multi-account AWS environment. Isolating workloads in separate VPCs per account creates hard boundaries so a breach in one workload cannot automatically access resources in another account. Interconnecting these VPCs through a controlled network like AWS Transit Gateway provides centralized, auditable traffic flow and policy enforcement instead of a flat network. Enforcing strict security groups and network ACLs at the VPC and interconnect boundaries further limits what traffic is allowed, reinforcing least privilege. Consolidating all workloads into a single VPC increases blast radius because a compromise can reach everything inside that VPC. Permissive security groups that allow all traffic defeat segmentation, and disabling VPCs per account erases the isolation provided by separate accounts. Therefore, isolating workloads per account and interconnecting them with a controlled network and strict boundary rules is the best approach to reduce blast radius and improve security.