Environment based Elastic Beanstalk access

While working on an e-commerce platform project recently, I faced a problem: how to give one group of engineers the ability to modify the staging environment of one Elastic Beanstalk application without giving them visibility into, or the ability to change, the production environment.

The tricky part is the application structure: each application consists of two environments, production and staging. I found many examples of isolating a whole application but could not find a working per-environment example.

The solution turned out to be fairly simple: a custom AWS IAM policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:ListPlatformBranches",
                "elasticbeanstalk:DescribeAccountAttributes",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:CheckDNSAvailability"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:581834185153:environment/ENV_STAGING_NAME/*",
                "arn:aws:elasticbeanstalk:*:581834185153:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:*::solutionstack/*"
            ]
        },
        {
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:eu-central-1:*:*",
            "Effect": "Allow"
        }
    ]
}

Replace ENV_STAGING_NAME with your application name, or use a wildcard combination that follows the release tags in your environment naming, so that the pattern matches the staging environment only.

Then attach the policy to the engineering group or to individual users, and that's it!
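To check that the Resource pattern really keeps production out before attaching the policy, here is an added Python example (not code from the original post) that rebuilds the policy's Allow statement around a chosen environment-name pattern and evaluates IAM-style wildcard matching offline against constructed ARNs; the account id, the application name "shop" and the environment names are assumptions. It shows that "environment/APP/*" covers every environment of the application, including production, while a pattern that follows the environment naming, such as "staging-*", covers only staging.

```python
import re
from typing import Iterable, Set


def staging_policy(app: str, account_id: str, env_pattern: str) -> dict:
    """Post's Allow statement with the environment-name ARN segment set to env_pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "StagingEnvironmentAccess",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                f"arn:aws:elasticbeanstalk:*:{account_id}:environment/{app}/{env_pattern}",
                f"arn:aws:elasticbeanstalk:*:{account_id}:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:*::solutionstack/*",
            ],
        }],
    }


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (it also spans ':' and '/'), '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def allowed_environments(policy: dict, env_arns: Iterable[str]) -> Set[str]:
    """Return the environment ARNs covered by the Resource of some Allow statement."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        res = stmt["Resource"]
        patterns.extend([res] if isinstance(res, str) else res)
    return {arn for arn in env_arns if any(arn_matches(p, arn) for p in patterns)}


# Constructed sample ARNs; the account id and names are not from the original post.
ACCOUNT = "111122223333"
STAGING = f"arn:aws:elasticbeanstalk:eu-central-1:{ACCOUNT}:environment/shop/staging-v12"
PRODUCTION = f"arn:aws:elasticbeanstalk:eu-central-1:{ACCOUNT}:environment/shop/production-v12"

if __name__ == "__main__":
    # "*" (as in the post) reaches production too; "staging-*" keeps it out.
    for pattern in ("*", "staging-*"):
        policy = staging_policy("shop", ACCOUNT, pattern)
        print(pattern, sorted(allowed_environments(policy, [STAGING, PRODUCTION])))
```

The matcher covers only the * and ? wildcards of resource ARNs; Deny statements and Condition keys are out of scope, so confirm the final policy with the IAM policy simulator as well.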