1

I have a single AWS account I wish to use to manage all my AWS resources. However, I also want to create user groups that are allowed to create any resources they want under my account, and see and manage only those resources.

The ability to limit usage per group would be ideal, too, but not necessary.

Is this possible? If so, how?

Gui Prá
  • 1
    Multiple accounts, with consolidated billing. http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html – ceejayoz Jul 12 '16 at 17:18
  • @ceejayoz, do you know if budgets can be used to set hard usage limits per account, or are they only useful for setting usage threshold alarms? Thanks for mentioning consolidated billing, I think this is what I was looking for :) – Gui Prá Jul 12 '16 at 17:45
  • 2
    @n2liquid At least you can set up an alert on billing if the monthly usage is more than $XX – Putnik Jul 12 '16 at 17:46
  • 1
    @n2liquid I'm not aware of Amazon providing any ability to limit bills. You could pay with a prepaid credit card, but they'd send you to collections. Billing alerts as mentioned by Putnik are likely the closest you can get. You could conceivably write some code to receive those alerts and shut down instances and/or revoke IAM credentials, but that'd get complex fast. – ceejayoz Jul 12 '16 at 17:59
  • One of you should answer the question with all this information from the comments to get some points and make sure people stumbling upon this question can easily find good answers :) – Gui Prá Jul 12 '16 at 18:30

1 Answer

1

You can set up an alert on billing if the monthly usage is more than $XX: CloudWatch -> Create Alarm -> Total Estimated Charge -> next -> select threshold, etc.

> I also want to create user groups that are allowed to create any resources they want under my account, and see and manage only those resources.

It is possible to allow creating any resource, then use Lambda and CloudWatch (both must be available in that region) to set the proper tag (let's say tag team='dev') on the created resource. Then allow editing anything with the proper tag. Details can be found here

Another solution: allow access to a specific region only, one region per team, if it makes sense from a business point of view.

Another solution: create many accounts. Consolidated billing will let you see all expenses in one place whilst the environments will be separated.

Putnik
  • Thanks! I guess this warrants another question then, I hope someone knows the answer: http://serverfault.com/questions/789603/how-to-require-user-groups-to-add-a-fixed-tag-when-creating-resources – Gui Prá Jul 13 '16 at 15:10
  • @n2liquid Updated answer, added auto-tagging – Putnik Aug 17 '16 at 11:03
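
The auto-tagging approach from the answer, sketched for EC2 instances only as an added example (not code from the answer or from AWS): a Lambda handler triggered by the CloudTrail `RunInstances` event tags new instances with the creator's team, and a matching IAM policy lets that team manage only instances carrying its tag. The `USER_TEAMS` mapping, the function names and the sample event are constructed assumptions.

```python
TAG_KEY = "team"
# Assumption for this example: a static IAM user name -> team mapping.
USER_TEAMS = {"alice": "dev", "bob": "ops"}

# Constructed sample: a CloudTrail RunInstances record as delivered by CloudWatch Events.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaaaaaaaaaaaaaa1"},
            {"instanceId": "i-0aaaaaaaaaaaaaaa2"}]}},
    },
}

def plan_tags(event):
    """Return (instance_ids, tags) for a RunInstances event, or ([], []) if nothing to tag."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances" or detail.get("errorCode"):
        return [], []
    # responseElements is null in CloudTrail records of failed calls.
    response = detail.get("responseElements") or {}
    items = (response.get("instancesSet") or {}).get("items", [])
    team = USER_TEAMS.get(detail.get("userIdentity", {}).get("userName"))
    ids = [item["instanceId"] for item in items]
    if not ids or team is None:
        return [], []  # unknown creator: leave untagged, so no team policy matches
    return ids, [{"Key": TAG_KEY, "Value": team}]

def lambda_handler(event, context):
    ids, tags = plan_tags(event)
    if ids:
        import boto3  # imported here so plan_tags stays testable offline
        boto3.client("ec2").create_tags(Resources=ids, Tags=tags)
    return {"tagged": ids}

def team_policy(team):
    """IAM policy document letting a team manage only instances that carry its tag."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances",
                   "ec2:RebootInstances", "ec2:TerminateInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/" + TAG_KEY: team}},
    }]}
```

The separation only holds if team members cannot call `ec2:CreateTags` or `ec2:DeleteTags` on the `team` key themselves; otherwise they could retag another team's instances into their own scope.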