I was just about to try to figure this out, and I wanted to check if anyone had designed a way to limit the updating and deletion of a specific production stage.
I suspect that, after the initial stage creation, I could manually alter the default IAM role for developers to not allow access to all of the specific resources defined by our production stages. Then, I could create a separate role that allows access to the resources, and I could assign that role on an as-needed basis to the developer entrusted with updating the production stage. This would also protect against folks logged into the console accidentally or maliciously deleting resources related to the production stage. What I'm concerned about is the effort involved in doing this manually - I wanted to make sure I wasn't overlooking a more automated approach people were using.
Thanks in advance for any advice you might be able to give!