List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
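
An added example, not part of the gist or its comments: a coarse audit that reports which of the listed actions a policy's Allow statements can grant, including through wildcards and NotAction, plus the same list as a Deny statement in SCP form. The function names and the sample policy are assumptions made for illustration.

```python
import re

# Actions copied from the list on this page.
EXPENSIVE_ACTIONS = """
route53domains:RegisterDomain route53domains:RenewDomain route53domains:TransferDomain
ec2:ModifyReservedInstances ec2:PurchaseHostReservation ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings s3:PutObjectRetention s3:PutObjectLegalHold
s3:BypassGovernanceRetention s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe shield:CreateSubscription acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering outposts:CreateOutpost snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock glacier:CompleteVaultLock es:PurchaseReservedInstanceOffering
""".split()

def _as_list(value):
    # IAM allows a bare string/object or a list for Statement, Action and NotAction.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are the wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def granted_expensive_actions(policy):
    """Listed actions an Allow statement grants (ignores Resource, Condition, Deny)."""
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("NotAction", stmt.get("Action")))
        negate = "NotAction" in stmt  # Allow + NotAction grants everything not excluded
        for action in EXPENSIVE_ACTIONS:
            if any(_matches(p, action) for p in patterns) != negate:
                hits.add(action)
    return sorted(hits)

def deny_scp(actions=EXPENSIVE_ACTIONS):
    """The same list as a Deny statement in SCP form."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyExpensiveActions", "Effect": "Deny",
        "Action": sorted(actions), "Resource": "*"}]}

# Constructed sample policy, not taken from any real account.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "glacier:*VaultLock"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": ["iam:*", "ec2:*", "s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "shield:*", "Resource": "*"}]}
```

Because Resource, Condition and explicit Deny statements are ignored, a hit means the action deserves a closer look, not that it is certainly callable.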

@7thstorm 7thstorm commented Apr 22, 2021

Care to elaborate, please?

Owner Author

@iann0036 iann0036 commented Apr 22, 2021

These are IAM permissions that gate calls that could be potentially expensive or result in a long-term commitment.

@danquack danquack commented Apr 22, 2021

acm-pca:CreateCertificateAuthority at $400/month https://aws.amazon.com/certificate-manager/pricing/

@iann0036 iann0036 commented Apr 22, 2021

Nice @danquack, added.

@z0ph z0ph commented Apr 28, 2021

Maybe cloudfront:CreateDistribution

You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions using the Dedicated IP version of custom SSL certificate support.

@z0ph z0ph commented Apr 28, 2021

@thebostik thebostik commented Apr 28, 2021

Thanks for sharing. For commitments, we additionally have es:PurchaseReservedElasticsearchInstanceOffering (Amazon Elasticsearch Service) on our list.

@iann0036 iann0036 commented Apr 28, 2021

@thebostik: Thanks, added!

@z0ph: That might be good if this moves to a more defined list with certain rules (i.e. no call over $500 or something). At that point we can convert it to an actual policy with conditionals etc.

@lorengordon lorengordon commented May 10, 2021

How about outposts:Create* and snowball:Create*?

@iann0036 iann0036 commented May 11, 2021

Thanks @lorengordon, added.

@tdmalone tdmalone commented Jun 4, 2021

Nice list - makes a good basis for an SCP in AWS Organizations covering, for example, otherwise unrestricted dev accounts.

@noamsdahan noamsdahan commented Jun 6, 2021

kendra:CreateIndex costs $7 an hour and seems like a good addition to this list (adds up to about 5K/month).
There is a free trial developer edition, but the "edition" parameter is optional in the API call and the default value is ENTERPRISE_EDITION. 🤦

@shotty1 shotty1 commented Aug 18, 2021

"s3-object-lambda:PutObjectLegalHold"
"s3-object-lambda:PutObjectRetention"
I saw those in the IAM changelogs. Sounds dangerous ;-)

@iann0036 iann0036 commented Aug 18, 2021

Thanks @shotty1 ! Added.

@tdmalone tdmalone commented Aug 25, 2021

glacier:*VaultLock

@iann0036 iann0036 commented Aug 25, 2021

Thanks @tdmalone, added!