I have found a few articles/post that discuss this issue, but no definitive solution that will meet my needs.
My company uses an AWS Landing Zone with SSO. To date, the cloud team has been creating the IAM roles/policies that developers need to experiment with services and create proofs-of-concept. However, developers have raised that this is too slow/restrictive and have requested the ability to create the IAM policies/roles they need in their development account. I am in the tricky situation of preserving the integrity of our AWS environment while not inhibiting developer experimentation and innovation.
Is there a recommended approach to managing this? I had thought of only allowing passing of roles prefixed with a path of "dev/" for example, but this doesn't address creating new roles or policies where developers could allow iam:/resource:. I would also like to provision a new sandbox account that is disconnected from the rest of the environment (network, local IAM users rather than SSO) to reduce the blast radius of any developer misconfiguration. The only tie back to the company would be that billing is consolidated under the company AWS organization.
Currently, developers have been assigned PowerUser access plus some key IAM actions such as PassRole in their development account. Most of our developers are new to AWS so managing this via the console is preferable for this sandbox account (rather than via a CI/CD pipeline).
Any suggestions appreciated!
Thanks, John
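One concrete way to build the guardrails the question sketches (a "dev/" path restriction on iam:PassRole, plus a permissions boundary so that roles developers create cannot grant themselves iam:* or organization-level access), written as an added example that is not part of the original post or of any answer in this thread. The account id, the DeveloperBoundary policy name and the is_allowed helper are assumptions; the helper is a simplified model of IAM's Deny-over-Allow evaluation for checking the policy offline, not AWS's own engine.

```python
"""Developer-sandbox IAM guardrails: path-scoped PassRole plus a permissions
boundary that every developer-created role must carry.

Constructed example; the account id, the boundary name and the "dev/" path are
placeholders chosen to match the question, not values from a real environment.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # placeholder
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/DeveloperBoundary"  # assumed name

# Managed policy used as the boundary. A role created under it can never touch
# IAM, Organizations or account settings, whatever policies the developer attaches.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
    ],
}

# Inline policy for the developer permission set, added on top of PowerUserAccess.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Only roles under the dev/ path can be handed to services.
            "Sid": "PassDevPathRolesOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/dev/*",
        },
        {   # Roles may be created and given policies only under dev/ and only
            # when the request carries the boundary, so an iam:* grant in an
            # attached policy is capped by the boundary's Deny.
            "Sid": "ManageDevRolesWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/dev/*",
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {   # Customer-managed policies are confined to the dev/ path as well.
            "Sid": "ManageDevPolicies",
            "Effect": "Allow",
            "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:policy/dev/*",
        },
        {   # The boundary document itself is off limits.
            "Sid": "ProtectBoundary",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                       "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": BOUNDARY_ARN,
        },
        {   # And nobody can strip the boundary off a role once it is set.
            "Sid": "KeepBoundaryOnRoles",
            "Effect": "Deny",
            "Action": "iam:DeleteRolePermissionsBoundary",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(action, resource_arn, context=None, policy=DEVELOPER_IAM_POLICY):
    """Simplified IAM evaluation over one policy document: an explicit Deny wins,
    otherwise any matching Allow grants. Actions and resources use IAM's * and ?
    wildcards (fnmatch has the same semantics for those characters); only
    StringEquals conditions are modelled, which is all these documents use."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != value for key, value in equals.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Emit both documents in the form the console's JSON policy editor accepts.
    print(json.dumps(DEVELOPER_BOUNDARY, indent=2))
    print(json.dumps(DEVELOPER_IAM_POLICY, indent=2))
```

Running the module prints both documents for pasting into the console policy editor; the is_allowed helper lets you confirm the intended outcomes offline (a role outside dev/ cannot be passed, a role cannot be created without the boundary, and the boundary cannot be edited or removed) before the policy reaches the sandbox account. The boundary does not stop a developer from attaching a permissive policy to a dev/ role; it stops that policy from having any effect on IAM or the organization, which is the blast radius the question is trying to contain.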
Some tips regarding how my company is addressing part of your concerns (the company is an enterprise with dedicated architectural support from Amazon; I have no idea if they are strictly following what Amazon suggests, though, so keep that in mind):