Skip to content

Instantly share code, notes, and snippets.

@iann0036
Last active December 13, 2024 21:15
Show Gist options
  • Save iann0036/b473bbb3097c5f4c656ed3d07b4d2222 to your computer and use it in GitHub Desktop.
Save iann0036/b473bbb3097c5f4c656ed3d07b4d2222 to your computer and use it in GitHub Desktop.
List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
backup:PutBackupVaultLockConfiguration
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
ses:PutDeliverabilityDashboardOption
@noamsdahan
Copy link

noamsdahan commented Jun 6, 2021

kendra:CreateIndex costs 7$ an hour and seems like a good addition to this list. (adds up to about 5K/month)
There is a free trial developer edition, but the "edition" parameter is optional in the API call and the default value is ENTERPRISE_EDITION. 🤦

@shotty1
Copy link

shotty1 commented Aug 18, 2021

"s3-object-lambda:PutObjectLegalHold"
"s3-object-lambda:PutObjectRetention"
I saw those in the IAM changelogs. Sounds dangerous ;-)

@iann0036
Copy link
Author

Thanks @shotty1 ! Added.

@tdmalone
Copy link

glacier:*VaultLock

@iann0036
Copy link
Author

Thanks @tdmalone, added!

@ckabalan
Copy link

ckabalan commented Oct 8, 2021

@tdmalone FYI you can't use that with an SCP, you can only have wildcards at the END of a SCP. I tried similar with *ReservedInstance* and it does not work.

Note
In an SCP, the wildcard characters (*) and (?) in an Action or NotAction element can be used only by itself
or at the end of the string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*" is valid, but "servicename:*action" and "servicename:some*action" are both invalid in SCPs.

Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-action

@shotty1
Copy link

shotty1 commented Oct 9, 2021

backup:PutBackupVaultLockConfiguration

@iann0036
Copy link
Author

iann0036 commented Oct 9, 2021

Thanks @shotty1 , added.

@sam-cox-tracebit
Copy link

bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput

https://aws.amazon.com/bedrock/pricing/

Provisioned Throughput pricing
An application developer, buys one model unit of Anthropic Claude Instant with 1-month commitment for their text summarization use case.
Total monthly cost incurred is 1 model unit * $39.60 * 24 hours * 31 days = $29,462.40

@iann0036
Copy link
Author

Thanks @sam-cox-tracebit, added.

@vstanimirovic
Copy link

vstanimirovic commented Sep 21, 2024

I've got one sneaky b*****d to be added to the list:
Amazon Pinpoint-Deliverability dashboard
https://aws.amazon.com/pinpoint/pricing/

The Deliverability Dashboard is available for a fixed price of USD $1,250 per month. This charge includes reputation monitoring for up to five domains and 25 predictive email placement tests.

Note: If you cancel your subscription before the end of a billing period, we continue to charge you for the remaining days in the billing period. However, we don't charge you for the next billing period.

@iann0036
Copy link
Author

Thanks, added ses:PutDeliverabilityDashboardOption.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment