List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
backup:PutBackupVaultLockConfiguration
7thstorm commented Apr 22, 2021

Care to elaborate, please?

iann0036 (Author) commented Apr 22, 2021

These are IAM permissions that gate calls that could be potentially expensive or result in a long-term commitment.

danquack commented Apr 22, 2021

acm-pca:CreateCertificateAuthority at $400/month https://aws.amazon.com/certificate-manager/pricing/

iann0036 (Author) commented Apr 22, 2021

Nice @danquack, added.

z0ph commented Apr 28, 2021

Maybe cloudfront:CreateDistribution

You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions using the Dedicated IP version of custom SSL certificate support.

thebostik commented Apr 28, 2021

Thanks for sharing. For commitments, we additionally have es:PurchaseReservedElasticsearchInstanceOffering (Amazon Elasticsearch Service) on our list.

iann0036 (Author) commented Apr 28, 2021

@thebostik: Thanks, added!

@z0ph: That might be good if this moves to a more defined list with certain rules (i.e. no call over $500 or something). At that point we can convert it to an actual policy with conditionals etc.

lorengordon commented May 10, 2021

How about outposts:Create* and snowball:Create*?

iann0036 (Author) commented May 11, 2021

Thanks @lorengordon, added.

tdmalone commented Jun 4, 2021

Nice list - makes a good basis for an SCP in AWS Organizations covering, for example, otherwise unrestricted dev accounts.

noamsdahan commented Jun 6, 2021

kendra:CreateIndex costs $7 an hour and seems like a good addition to this list (it adds up to about 5K/month).
There is a free trial developer edition, but the "edition" parameter is optional in the API call and the default value is ENTERPRISE_EDITION. 🤦

shotty1 commented Aug 18, 2021

"s3-object-lambda:PutObjectLegalHold"
"s3-object-lambda:PutObjectRetention"
I saw those in the IAM changelogs. Sounds dangerous ;-)

iann0036 (Author) commented Aug 18, 2021

Thanks @shotty1! Added.

tdmalone commented Aug 25, 2021

glacier:*VaultLock

iann0036 (Author) commented Aug 25, 2021

Thanks @tdmalone, added!

ckabalan commented Oct 8, 2021

@tdmalone FYI you can't use that with an SCP, you can only have wildcards at the END of a SCP. I tried similar with *ReservedInstance* and it does not work.

Note
In an SCP, the wildcard characters (*) and (?) in an Action or NotAction element can be used only by itself
or at the end of the string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*" is valid, but "servicename:*action" and "servicename:some*action" are both invalid in SCPs.

Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-action
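Putting the list and the SCP syntax rule quoted above together, here is an added Python example (not the gist author's code) that rejects any action pattern with a wildcard somewhere other than the end and emits a Deny SCP for the listed actions; the action subset and the statement Sid are constructed for the example.

```python
import json

# Subset of the actions listed in the gist (constructed for this example).
EXPENSIVE_ACTIONS = [
    "route53domains:RegisterDomain",
    "ec2:PurchaseReservedInstancesOffering",
    "savingsplans:CreateSavingsPlan",
    "acm-pca:CreateCertificateAuthority",
    "outposts:CreateOutpost",
    "glacier:InitiateVaultLock",
    "glacier:CompleteVaultLock",
    "backup:PutBackupVaultLockConfiguration",
]


def is_valid_scp_action(action: str) -> bool:
    """Apply the SCP rule: '*' and '?' may stand alone or end the string only."""
    if action in ("*", "?"):
        return True
    if ":" not in action:
        return False
    service, name = action.split(":", 1)
    if not service or not name:
        return False
    # Everything except the final character must be wildcard-free, so
    # "glacier:*VaultLock" and "ec2:*ReservedInstance*" are rejected.
    head = service + name[:-1]
    return not any(c in "*?" for c in head)


def build_deny_scp(actions, sid="DenyExpensiveAndLongTermActions"):
    """Return a Deny SCP document, refusing patterns Organizations would reject."""
    bad = [a for a in actions if not is_valid_scp_action(a)]
    if bad:
        raise ValueError(f"invalid SCP action patterns: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Deny",
                "Action": sorted(set(actions)),
                "Resource": "*",
            }
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_deny_scp(EXPENSIVE_ACTIONS), indent=2))
```

Attach the resulting policy to an OU of otherwise unrestricted dev accounts, as tdmalone suggests above, after checking that every pattern passed validation.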

shotty1 commented Oct 9, 2021

backup:PutBackupVaultLockConfiguration

iann0036 (Author) commented Oct 9, 2021

Thanks @shotty1, added.
