I'm planning to develop a multi tenant platform based on the AWS stack. For each customer, let's call them customerA and customerB I want to create individual resources and restrict them that customerA can't see all stuff from customerB.
The first step to set up for the customer is to set up an IAM user with rights to manage all rights for the user. So I want to give the IAM user the rights to create IAM roles and policies and assign them to users but only for the ARN with the resource name customerA__* as prefix. This way it's possible to give the user the rights to create for example roles giving dynamoDB create table rights with a role name of customerA__rolename as planned but I want to further limit it that all roles also need to be bound to this scope, otherwise customerA__deleteTable could also be used to delete customerBs tables.
So in short: Is it possible to create an IAM role that limits all rights to have the name customerA__xyz and also to limit it's scope for each created role to resources with the name customerA__*
If it's not possible any other suggestions how to set up multi tenant rights for AWS? I don't want to create a separate AWS account for each customer for separation and I doubt this can be automated in a legal way.
Thanks in advance :)