How to allow IAM groups to create, see, and manage their own instances and nothing else?

I have a single AWS account I wish to use to manage all my AWS resources. However, I also want to create user groups that are allowed to create any resources they want under my account, and see and manage only those resources.

The ability to limit usage per group would be ideal, too, but not necessary.

Is this possible? If so, how?


Solution 1:

You can set up an alert on billing if the monthly usage is more than $XX: CloudWatch -> Create Alarm -> Total Estimated Charge -> next -> select threshold etc.

I also want to create user groups that are allowed to create any resources they want under my account, and see and manage only those resources.

It is possible to allow creating any resource, then use Lambda and CloudWatch (both must be available in that region) to set a proper tag (let's say tag team='dev') on the created resource. Then, allow editing anything with the proper tag. Details can be found here

Another solution: allow access to a specific region only, one region per team, if it makes sense from a business point of view.

Another solution: create many accounts. Consolidated billing will let you see all expenses in one place whilst the environments will be separated.
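The tag-based approach from the answer, written out as an IAM policy you could attach to the dev group (added example, not part of the original answer; it assumes the tag key team with value dev, and that the only tags a launch may carry are team and Name). It forces the tag on at launch via aws:RequestTag and ec2:CreateAction, so the Lambda tagger becomes a safety net rather than the only control, and then scopes lifecycle actions with aws:ResourceTag.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyIfTaggedForTeam",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/team": "dev" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["team", "Name"] }
      }
    },
    {
      "Sid": "ResourcesNeededByRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "TagOnlyDuringLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/team": "dev"
        }
      }
    },
    {
      "Sid": "ManageOnlyTeamInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringEquals": { "aws:ResourceTag/team": "dev" } }
    },
    { "Sid": "ListAndDescribe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }
  ]
}
```

Because ec2:Describe* does not support resource-level permissions or tag conditions, group members will still see every instance in the console even though they can only start, stop or terminate their own; hiding other teams' resources entirely is only achievable with the separate-accounts approach.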