IAM user allowed to deploy staging functions only

I just hired a new developer and I’m currently onboarding him.
I would like to create an IAM user with CLI access to allow him to deploy a Serverless project, but only to the staging environment.
Any suggestion/template/role to do so?

Is your staging environment in the same account as your production environment? If so, that makes things tricky. I’d generally recommend keeping those in separate AWS environments, which makes this easier.

1 Like

The staging environment is a separate CloudFormation stack from the production environment, but they are both in the same AWS account.
Are you suggesting using one AWS account for staging and another AWS account for production?
There isn’t any way to do that with IAM Groups or Roles?

There is more than one way to do things, and no one size fits all. But it is definitely a huge management benefit to have separate accounts for production and for QA/test/dev.

https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/

At my company we have at least two accounts for each Account Team. Prod and Dev/test.

Keeps things nicely separated and easier to have higher levels of security for our prod accounts.

D