This is a really good question and I've seen it done successfully a few ways.
I'll start with the most successful one I've personally used: https://twitter.com/landau_charles/status/1353025057753341954
No matter what if you're using AWS you're going to need a few accounts at minimum.
The first is for learning/experimenting and should have rules to not allow anything to be public (S3, EC2, etc.) and be automatically wiped with something like Cloud Custodian.
The second account is pre-prod. This isn't for validating deployments (CI/CD, tests, etc. give you confidence for safe deploys) but rather for making big changes to infrastructure and for experiments.
When it comes to resources inside the account I'm a big fan of Attribute Based Access Control (ABAC)
tl;dr: your access to something depends on your role and what tags that resource has.
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
It gets a little tricky if you need selective denies for specific people, but using multiple roles and allowing assume-role is pretty common.
ABAC can also work across multiple accounts via assume-role, and you can enforce that roles are only able to create resources with specific tags.
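For the sandbox-account rule "nothing can be public" that the post mentions, here is an added example (not from the post or the linked thread) of an AWS Organizations service control policy (SCP) attached to that account. The exception role name `OrgSecurityAdmin` is an assumption; the condition keys (`s3:x-amz-acl`, `ec2:AssociatePublicIpAddress`, `aws:PrincipalARN`) are real IAM keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingAccountPublicAccessBlock",
      "Effect": "Deny",
      "Action": "s3:PutAccountPublicAccessBlock",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    },
    {
      "Sid": "DenyPublicCannedAcls",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": [
            "public-read",
            "public-read-write",
            "authenticated-read"
          ]
        }
      }
    },
    {
      "Sid": "DenyPublicIpOnLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "Bool": {
          "ec2:AssociatePublicIpAddress": "true"
        }
      }
    }
  ]
}
```

An SCP only denies; it does not turn anything on. The account-level S3 Block Public Access setting still has to be enabled once (for example with `aws s3control put-public-access-block`), and the first statement then stops anyone but the named role from switching it back off. The EC2 statement catches explicit public-IP requests at launch; subnets whose default is to auto-assign public IPs should be checked separately, and the periodic wiping the post describes is a separate Cloud Custodian policy, not part of this SCP.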