Last active
July 17, 2024 17:03
iann0036/b473bbb3097c5f4c656ed3d07b4d2222
List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
backup:PutBackupVaultLockConfiguration
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
"s3-object-lambda:PutObjectLegalHold"
"s3-object-lambda:PutObjectRetention"
I saw those in the IAM changelogs. Sounds dangerous ;-)
Thanks @shotty1 ! Added.
glacier:*VaultLock
Thanks @tdmalone, added!
@tdmalone FYI you can't use that with an SCP, you can only have wildcards at the END of an SCP. I tried similar with *ReservedInstance* and it does not work.
Note
In an SCP, the wildcard characters (*) and (?) in an Action or NotAction element can be used only by itself
or at the end of the string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*" is valid, but "servicename:*action" and "servicename:some*action" are both invalid in SCPs.
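The SCP wildcard rule quoted above can be checked before a policy is attached. The following is an added example, not code from the gist or its commenters: it validates patterns against that rule and expands a mid-string pattern such as glacier:*VaultLock into explicit action names. `KNOWN_ACTIONS`, the function names and the Sid are assumptions; the catalogue is a constructed subset of the list on this page.

```python
import fnmatch
import json

# Constructed catalogue: a few action names copied from the list on this page.
KNOWN_ACTIONS = [
    "ec2:PurchaseReservedInstancesOffering",
    "rds:PurchaseReservedDBInstancesOffering",
    "glacier:InitiateVaultLock",
    "glacier:CompleteVaultLock",
    "backup:PutBackupVaultLockConfiguration",
    "bedrock:CreateProvisionedModelThroughput",
]


def scp_safe(pattern):
    """True if '*' and '?' appear only as a trailing run (or alone), per the SCP note."""
    head = pattern.rstrip("*?")
    return "*" not in head and "?" not in head


def expand(pattern, catalogue=KNOWN_ACTIONS):
    """Resolve an IAM-style pattern to explicit action names (case-insensitive)."""
    return [a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pattern.lower())]


def build_deny_scp(patterns, catalogue=KNOWN_ACTIONS):
    """Build a Deny SCP, replacing patterns an SCP rejects with explicit action names."""
    actions = []
    for p in patterns:
        matches = [p] if scp_safe(p) else expand(p, catalogue)
        if not matches:
            # Fail closed: a pattern that silently denies nothing is a gap.
            raise ValueError(f"{p!r} is not valid in an SCP and matches no known action")
        actions.extend(matches)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyExpensiveOrIrreversible",  # hypothetical Sid
            "Effect": "Deny",
            "Action": sorted(set(actions)),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    # Constructed input: two mid-string patterns and one trailing wildcard.
    requested = ["glacier:*VaultLock", "ec2:*ReservedInstance*", "backup:Put*"]
    print(json.dumps(build_deny_scp(requested), indent=2))
```

The expansion is only as complete as the catalogue it is given, so new actions that match a pattern have to be added to it before they are denied.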
backup:PutBackupVaultLockConfiguration
Thanks @shotty1 , added.
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
https://aws.amazon.com/bedrock/pricing/
Provisioned Throughput pricing
An application developer buys one model unit of Anthropic Claude Instant with 1-month commitment for their text summarization use case.
Total monthly cost incurred is 1 model unit * $39.60 * 24 hours * 31 days = $29,462.40
Thanks @sam-cox-tracebit, added.
kendra:CreateIndex
costs 7$ an hour and seems like a good addition to this list (adds up to about 5K/month). There is a free trial developer edition, but the "edition" parameter is optional in the API call and the default value is ENTERPRISE_EDITION. 🤦