How to restrict AWS IAM users so they can only manage their own resources?
Question:
I need to create around 500 AWS IAM users. The goal is to give them hands-on experience with AWS, mainly with EC2.
What I want is:
When a user creates a resource (like an EC2 instance, load balancer, etc.), that resource should only be available to that same user.
No other user should be able to view, modify, or delete another user’s resources.
For example, if User A launches an EC2 instance, only User A should be able to manage that instance, not User B.
I also plan to use Terraform to automate creating the IAM users and applying the necessary policies. Is Terraform a good choice for this setup?
I already tried working on this, but I’m still failing because when an EC2 instance is created, other resources (like volumes, network interfaces, etc.) are also automatically created. I believe those related resources also need to be tagged consistently; otherwise, the policy won’t work as expected.
So my question is: is this scenario actually doable with IAM policies and tagging, or do I need a different approach?
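The tag-based ("attribute-based access control") pattern the question is asking about, as an added Terraform example that is not part of the question or any answer on this page. It creates the users, puts them in one group, and attaches a single policy that (1) lets a user launch an instance only if the instance, its volumes and its network interfaces are tagged `Owner=<their own IAM user name>` in the `RunInstances` TagSpecifications, (2) lets `ec2:CreateTags` happen only as part of that launch, so nobody can retag another user's instance to claim it, and (3) lets lifecycle actions run only on resources already carrying the caller's tag. The `Owner` tag key, the group name `ec2-students`, the sample user names and the shared-input ARNs are assumptions for the example. One caveat the policy cannot fix: EC2 `Describe*` actions have no resource-level permissions, so every user can still list every instance in the account; hiding resources from each other needs separate accounts, not IAM policies.

```hcl
# Added example, not from the question. Assumes an "Owner" tag key and the
# group name "ec2-students"; the default usernames are constructed samples.
variable "students" {
  type    = list(string)
  default = ["userA", "userB"]
}

resource "aws_iam_user" "student" {
  for_each = toset(var.students)
  name     = each.key
}

data "aws_iam_policy_document" "own_ec2" {
  # Launch: instance, volumes and network interfaces must be tagged
  # Owner=<caller> in the RunInstances TagSpecifications, or the call is denied.
  statement {
    sid     = "RunTaggedInstance"
    actions = ["ec2:RunInstances"]
    resources = [
      "arn:aws:ec2:*:*:instance/*",
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:ec2:*:*:network-interface/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/Owner"
      values   = ["$${aws:username}"] # $$ escapes Terraform interpolation
    }
  }

  # Shared launch inputs that cannot carry the caller's tag.
  statement {
    sid     = "RunInstanceInputs"
    actions = ["ec2:RunInstances"]
    resources = [
      "arn:aws:ec2:*::image/ami-*",
      "arn:aws:ec2:*:*:subnet/*",
      "arn:aws:ec2:*:*:security-group/*",
      "arn:aws:ec2:*:*:key-pair/*",
    ]
  }

  # Tagging is allowed only during launch and only with the caller's own name,
  # so a user cannot retag someone else's instance and take it over.
  statement {
    sid       = "TagOnLaunchOnly"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:*:*:*/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["RunInstances"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/Owner"
      values   = ["$${aws:username}"]
    }
  }

  # Lifecycle actions only on resources already tagged with the caller's name.
  statement {
    sid = "ManageOwnResources"
    actions = [
      "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
      "ec2:TerminateInstances", "ec2:AttachVolume", "ec2:DetachVolume",
      "ec2:DeleteVolume",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Owner"
      values   = ["$${aws:username}"]
    }
  }

  # Describe* has no resource-level permissions: listing is account-wide.
  statement {
    sid       = "ReadOnlyListing"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "own_ec2" {
  name   = "ec2-own-resources-only"
  policy = data.aws_iam_policy_document.own_ec2.json
}

resource "aws_iam_group" "students" {
  name = "ec2-students"
}

resource "aws_iam_group_policy_attachment" "students" {
  group      = aws_iam_group.students.name
  policy_arn = aws_iam_policy.own_ec2.arn
}

resource "aws_iam_user_group_membership" "student" {
  for_each = aws_iam_user.student
  user     = each.value.name
  groups   = [aws_iam_group.students.name]
}
```

The policy is attached once to the group rather than 500 times to users, which keeps the Terraform plan small and avoids per-user managed-policy limits. Users must pass `--tag-specifications` for `instance`, `volume` and `network-interface` on every launch; a launch without the tag fails with an explicit deny, which is the intended behaviour, not a bug.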