This demo provisions IAM and S3 resources to demonstrate time-based, tag-scoped IAM access control.

dev-user-1 is a new developer hired April 1, 2026. They should have:

- Read/write access to the dev+ecommerce S3 bucket immediately
- Read/write access to the stage+ecommerce S3 bucket only after 6 months (Oct 1, 2026)
- No access to any other environment or team bucket
Install the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Install the terraform CLI: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli

You will need an AWS IAM user with AdministratorAccess configured as a named profile. Set it as your default for the session:

```shell
export AWS_PROFILE=sara
```

Verify it works:

```shell
aws sts get-caller-identity
```

The TF code does the following:

- Stages S3 resources that we'll use as test cases for our IAM resources.
- Creates the new user dev-user-1.
- Provisions the IAM group and policy to meet the following conditions:
  - Initially the developer should have read/write access to ecommerce objects in dev, but 6 months after their hire date the developer should be granted the same rights to the stage environment.
  - Assume a start date of April 1, 2026.
- Adds the user to the IAM group.
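The policy shape that enforces those conditions, as an added example rather than the repo's own tf code: each statement requires every condition to match, so the tag conditions scope the grant to one env+team pair and the `aws:CurrentTime` condition gates the stage statement on the page's `var.stage_access_after`. It assumes the buckets carry `env` and `team` tags with those key names, and that S3 honours `aws:ResourceTag` for these actions (S3 ABAC support); confirm with `terraform plan` and the Step 9 tests.

```hcl
# Added example, not the repo's own tf. Assumed tag keys: env (dev|stage|prod)
# and team (ecommerce|infra|neteng|security); the demo's bucket tagging is not shown here.
data "aws_iam_policy_document" "dev_ecommerce_time_scoped" {
  # Immediate: read/write on buckets tagged env=dev AND team=ecommerce.
  statement {
    sid       = "DevEcommerceNow"
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/env"
      values   = ["dev"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/team"
      values   = ["ecommerce"]
    }
  }

  # Deferred: same rights on env=stage AND team=ecommerce, but only once the
  # request time passes var.stage_access_after (the page's 2026-10-01T00:00:00Z).
  # All three conditions must hold, so stage-neteng stays denied whatever the
  # date, and prod buckets match no statement at all (implicit deny).
  statement {
    sid       = "StageEcommerceAfterDate"
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/env"
      values   = ["stage"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/team"
      values   = ["ecommerce"]
    }
    condition {
      test     = "DateGreaterThan"
      variable = "aws:CurrentTime"
      values   = [var.stage_access_after]
    }
  }
}
```

Feed `data.aws_iam_policy_document.dev_ecommerce_time_scoped.json` to an `aws_iam_policy` attached to the developer group; `aws:CurrentTime` is compared in UTC, which is why the variable keeps its trailing `Z`.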
Step 1 — Move into the tf directory:

```shell
cd tf/
```

Step 2 — Initialize Terraform (downloads provider plugins):

```shell
terraform init
```

Step 3 — Preview what will be created:

```shell
terraform plan
```

Review the output to confirm resources will be added before proceeding. A clean apply will show 19 to add.

Step 4 — Apply:

```shell
terraform apply -auto-approve
```

Step 5 — Save your bucket suffix. Look at the apply output for any bucket name, e.g. dev-ecommerce-1273046786044266617. The number at the end is your suffix. Set it as a shell variable:

```shell
SUFFIX=<your-number-here>
```

Step 6 — Create access keys for dev-user-1:

- Go to IAM → Users → dev-user-1 → Security credentials → Create access key → CLI
- Copy the Access Key ID and Secret Access Key

Step 7 — Configure the CLI profile:

```shell
aws configure --profile dev-user-1
```

Step 8 — Upload a test file so buckets are not empty:

```shell
echo "test" > /tmp/test.txt
aws --profile sara s3 cp /tmp/test.txt s3://dev-ecommerce-${SUFFIX}/test.txt
aws --profile sara s3 cp /tmp/test.txt s3://stage-ecommerce-${SUFFIX}/test.txt
```

Step 9 — Run the access tests. Run each line separately:

```shell
aws --profile dev-user-1 s3 ls s3://dev-ecommerce-${SUFFIX}     # Expected: succeeds, shows test.txt
aws --profile dev-user-1 s3 ls s3://dev-infra-${SUFFIX}         # Expected: AccessDenied
aws --profile dev-user-1 s3 ls s3://stage-ecommerce-${SUFFIX}   # Expected: AccessDenied (before Oct 1, 2026)
aws --profile dev-user-1 s3 ls s3://stage-neteng-${SUFFIX}      # Expected: AccessDenied
aws --profile dev-user-1 s3 ls s3://prod-ecommerce-${SUFFIX}    # Expected: AccessDenied
aws --profile dev-user-1 s3 ls s3://prod-security-${SUFFIX}     # Expected: AccessDenied
```
Step 10 — To test stage access without waiting until Oct 1, open variables.tf and change the date to a past value:

```hcl
variable "stage_access_after" {
  description = "Date after which the dev can access the stage bucket"
  type        = string
  default     = "2026-01-01T00:00:00Z"
}
```

Step 11 — Re-apply:

```shell
terraform apply -auto-approve
```

Step 12 — Retest stage access. Run each line separately:

```shell
aws --profile sara s3 cp /tmp/test.txt s3://stage-ecommerce-${SUFFIX}/test.txt
aws --profile dev-user-1 s3 ls s3://stage-ecommerce-${SUFFIX}   # Expected: succeeds, shows test.txt
aws --profile dev-user-1 s3 ls s3://stage-neteng-${SUFFIX}      # Expected: AccessDenied (wrong team tag, never allowed)
```

Step 13 — Revert variables.tf back to the original date:

```hcl
default = "2026-10-01T00:00:00Z"
```

Re-apply:

```shell
terraform apply -auto-approve
```

To tear down and rebuild everything from scratch:

```shell
terraform destroy
terraform init
terraform apply -auto-approve
```

Note: a new suffix will be generated — update your SUFFIX variable before re-running tests.

When you are finished with the demo, remove all resources:

```shell
terraform destroy
```