No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I’d check this:
<https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html>

Basically, there’s no “native way” (or at least I don’t know any) to protect the resources from being altered by other users. However, you can always limit user permissions so they can only use existing resources but cannot create/edit/delete anything.

In my case (GCP), only devops engineers have sufficient permissions to edit cloud resources. The rest of developers have only read-only access (if any) to GCP.

I haven’t introduced condition-based policies (solution from the first link) and I have very little experience in that matter but it might allow you to configure more granular permission scheme.

If you want to get fancy with it, you can ensure Pulumi actions are only executed by a single IAM principal (user or role), and then create an AWS Config rule that checks Cloudtrail for any API actions not executed by that user and take whatever corrective action you want (alert you via Slack, etc).