Basically, there’s no “native way” (or at least I don’t know any) to protect the resources from being altered by other users. However, you can always limit user permissions so they can only use existing resources but cannot create/edit/delete anything.
In my case (GCP), only devops engineers have sufficient permissions to edit cloud resources. The rest of the developers have only read-only access (if any) to GCP.
I haven’t introduced condition-based policies (the solution from the first link) and I have very little experience in that matter, but it might allow you to configure a more granular permission scheme.
10/18/2021, 3:25 PM
10/18/2021, 8:23 PM
If you want to get fancy with it, you can ensure Pulumi actions are only executed by a single IAM principal (user or role), and then create an AWS Config rule that checks CloudTrail for any API actions not executed by that user and take whatever corrective action you want (alert you via Slack, etc.).
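An added example (not from this thread) of the CloudTrail check sketched above, in Python: it walks constructed CloudTrail-style records and flags mutating API calls made by anyone other than the single Pulumi principal. The principal ARN, the sample records and the read-only heuristic are assumptions for illustration; wiring the function into an AWS Config custom rule or Lambda is left out.

```python
import json
from typing import Iterable

# Constructed value: the single IAM principal allowed to run Pulumi.
PULUMI_PRINCIPAL_ARN = "arn:aws:iam::123456789012:role/pulumi-deployer"

# Heuristic for records that lack CloudTrail's readOnly field: treat these verbs as non-mutating
# so normal console browsing does not alert.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head")

def is_mutating(event: dict) -> bool:
    """Prefer CloudTrail's readOnly flag; fall back to the verb prefix heuristic."""
    if "readOnly" in event:
        return not event["readOnly"]
    return not event.get("eventName", "").startswith(READ_ONLY_PREFIXES)

def principal_arn(event: dict) -> str:
    """Resolve the acting principal; assumed-role sessions carry the role ARN under sessionIssuer."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return ident.get("arn", "")

def find_out_of_band_changes(events: Iterable[dict], allowed_arn: str = PULUMI_PRINCIPAL_ARN) -> list:
    """Return (eventName, principal) pairs for mutating calls not made by the allowed principal."""
    findings = []
    for ev in events:
        if is_mutating(ev) and principal_arn(ev) != allowed_arn:
            findings.append((ev["eventName"], principal_arn(ev)))
    return findings

# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventName": "CreateBucket", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": PULUMI_PRINCIPAL_ARN}}}},
    {"eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    # Only the PutBucketPolicy call by user/alice should be reported.
    print(json.dumps(find_out_of_band_changes(SAMPLE_EVENTS), indent=2))
```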