All developers and testers are in the development account (Account D). The production and testing environments are in another account (Account X), but in two different VPCs: VPC-P and VPC-T. How do I limit testers' access to VPC-P while developers enjoy access to VPC-P only? There are also other VPCs in Account X, and developers/testers need not have access to other things in Account X.
It appears your situation is:
Account-D contains:
Account-X contains:
You want to allow 'testers' in Account-D to modify the settings on VPC-T.
You want to allow 'developers' in Account-D to modify the settings on VPC-P.
This does not appear to be possible. According to Actions, Resources, and Condition Keys for Amazon EC2 - AWS Identity and Access Management, only some actions can accept a VPC as a condition, such as:
ec2:CreateVpcPeeringConnection
ec2:CreateNetworkInterfacePermission
ec2:CreateRoute
Commands like CreateSubnet and DeleteSubnet do not allow any conditions.
Therefore, it would not be possible to restrict many VPC-related permissions to operate only on a specific VPC.
Given that you are dealing with testers and developers, I would recommend using separate AWS Accounts for each environment. Have one Account for Developers, where IAM Users and VPCs are defined. Have a separate AWS Account for Testers to ensure that they have no access into the Developers account. This creates a clean separation of environments.
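As an added illustration of the answer's point (this is example code, not part of the original question or answer), the policy below is the kind of permissions policy that could be attached to a role in Account X that developers assume cross-account. It scopes two of the actions the answer lists as VPC-conditionable, ec2:CreateRoute and ec2:CreateNetworkInterfacePermission, to a single VPC through the ec2:Vpc condition key, which matches on the VPC's ARN. The region us-east-1, account ID 111122223333 and VPC ID vpc-0123456789abcdef0 are placeholders to substitute with real values. CreateSubnet and DeleteSubnet are deliberately left out: as the answer explains, they accept no such condition, so granting them would cover every VPC in the account, including the other VPCs the question wants to keep off-limits.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateRoutesOnlyInVpcP",
      "Effect": "Allow",
      "Action": "ec2:CreateRoute",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:route-table/*",
      "Condition": {
        "ArnEquals": {
          "ec2:Vpc": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0"
        }
      }
    },
    {
      "Sid": "EniPermissionsOnlyInVpcP",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterfacePermission",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
      "Condition": {
        "ArnEquals": {
          "ec2:Vpc": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0"
        }
      }
    },
    {
      "Sid": "ReadOnlyDescribe",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
```

The Describe* statement uses "Resource": "*" because those read-only EC2 actions do not support resource-level permissions. A second role for testers would carry the same statements with VPC-T's ARN in the condition, and the trust policy of each role in Account X would name the corresponding group's principal in Account D. When reviewing such a policy, check that every statement that grants a mutating EC2 action either carries an ec2:Vpc (or ec2:Subnet) condition or is an action whose blast radius across the whole account you have consciously accepted; for actions like CreateSubnet that offer neither, the answer's recommendation of a separate account per environment is the only boundary IAM can enforce.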