How to allow IAM groups to create, see, and manage their own instances and nothing else?

amazon-web-services amazon-iam

I have a single AWS account I wish to use to manage all my AWS resources. However, I also want to create user groups that are allowed to create any resources they want under my account, and see and manage only those resources.

The ability to limit usage per group would be ideal, too, but not necessary.

Is this possible? If so, how?


Solution 1:

You can set up alert on billing if the monthly usage is more than $XX: CloudWatch -> Create Alarm -> Total Estimated Charge -> next -> select threshold etc.

I also want to create user groups that are allowed to create any resources they want under my account, and see and manage only those resources.

It is possible to allow to create any resource, then use Lambda and CloudWatch (both must be available in that region) to set proper tag (let's say tag team='dev') to the created resource. Then, allow to edit anything with the proper tag. Details can be found here

Another solution: allow access to specific region only, one region per team, if it makes sense from business point of view.

Another solution: create many accounts. Consolidated billing will let you see all expenses in one place whilst the environments will be separated.

Related

AWS CLI Config profile not found
Managing mass SQL Server ODBC Changes when migrating to a new SQL Server
bandwidth vs throughput in wired/wireless network
how to enable php4 only, no php5
Monitoring MongoDB 3.2 using Stackdriver in Google Compute Engine failed silently
Relay specific Exchange Mailbox to defined SMTP host
Server 2008 R2 Datacenter (and all other version) not detecting hardware
yum: memory alloc (12 bytes) returned NULL
How to look at what is going on in a pegged SQL Server instance?
OpenLDAP on Ubuntu 13.10
Upgrade key not present?
MMS gets hostname from uname and can't connect to it