Restricting user access to AWS resources within an account

Question

We have 2 AWS accounts prod and non-prod. Currently there are 2 teams using the non-prod accounts. 
Team A owns Workload A and Team B owns workload B.
What options do we have to restrict Team B from accessing/updating resources provisioned /owned by Team A and vice versa. We know we can isolate by creating separate non-prod accounts for team A and B but what other options are available to restrict access.
A good example if Team A owns an S3 bucket then it is fine for Team B to be able to view the S3 bucket but not have privileges to read/update contents.

Answer

ABAC - Attribute Based Access Control may also be used here. In ABAC, you tag the resources and allow only IAM users with specific tag to access that resource. For example, you can map Workload A with a tag called "CreatedBy: Team A" and then have the same tag mapped to IAM users of Team A; then only Team A can access Workload A.

Please refer the following documentation for further details https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

Please refer the following documentation for further details
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

Answer

There are multiple ways to define access to resources within AWS. For instance, permissions for Amazon S3 objects can be configured using a combination of S3 bucket policies, user policies and object ACLs to achieve a complex mix of different access permissions in the same bucket. 
Please review 'Policies and Permissions within IAM' - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html & 'Identity and access management in Amazon S3' - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html for more details.

Restricting user access to AWS resources within an account

Relevant content