@iann0036
Last active February 28, 2024 19:39
List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
backup:PutBackupVaultLockConfiguration
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
@tdmalone

glacier:*VaultLock

@iann0036
Author

Thanks @tdmalone, added!

@ckabalan

ckabalan commented Oct 8, 2021

@tdmalone FYI you can't use that with an SCP, you can only have wildcards at the END of an SCP. I tried similar with *ReservedInstance* and it does not work.

Note
In an SCP, the wildcard characters (*) and (?) in an Action or NotAction element can be used only by itself
or at the end of the string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*" is valid, but "servicename:*action" and "servicename:some*action" are both invalid in SCPs.

Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-action
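
Added example (not part of the gist or of any comment in this thread): a Python check for the SCP wildcard rule quoted above, which rewrites a mid-string pattern such as glacier:*VaultLock into the explicit actions it matches from the gist's list before building a Deny SCP. `GIST_ACTIONS` is a subset of the list above; the function names and the `Sid` value are hypothetical.

```python
import fnmatch
import json

# Subset of the actions listed in the gist above.
GIST_ACTIONS = [
    "ec2:ModifyReservedInstances",
    "ec2:PurchaseReservedInstancesOffering",
    "glacier:InitiateVaultLock",
    "glacier:CompleteVaultLock",
    "backup:PutBackupVaultLockConfiguration",
    "bedrock:CreateProvisionedModelThroughput",
]

def scp_action_ok(action):
    """SCP rule quoted above: '*' or '?' only by itself or as the final character."""
    return bool(action) and not any(c in "*?" for c in action[:-1])

def expand_for_scp(pattern, known=GIST_ACTIONS):
    """Return the pattern unchanged if SCP-valid, else the known actions it matches."""
    if scp_action_ok(pattern):
        return [pattern]
    # IAM action names are case-insensitive, so compare lower-cased.
    hits = [a for a in known if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
    if not hits:
        raise ValueError(f"{pattern!r} is not valid in an SCP and matches no known action")
    return hits

def build_deny_scp(patterns, known=GIST_ACTIONS):
    """Build a Deny SCP whose Action list contains only SCP-valid entries."""
    actions = []
    for p in patterns:
        for a in expand_for_scp(p, known):
            if a not in actions:
                actions.append(a)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyExpensiveActions",  # hypothetical statement id
            "Effect": "Deny",
            "Action": actions,
            "Resource": "*",
        }],
    }

if __name__ == "__main__":
    demo = ["glacier:*VaultLock", "ec2:*ReservedInstance*", "bedrock:Create*"]
    print(json.dumps(build_deny_scp(demo), indent=2))
```

A pattern expanded this way only covers actions already in the list, so the list has to be re-checked when a service adds a matching action.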

@shotty1

shotty1 commented Oct 9, 2021

backup:PutBackupVaultLockConfiguration

@iann0036
Author

iann0036 commented Oct 9, 2021

Thanks @shotty1, added.

@sam-cox-tracebit

bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput

https://aws.amazon.com/bedrock/pricing/

Provisioned Throughput pricing
An application developer, buys one model unit of Anthropic Claude Instant with 1-month commitment for their text summarization use case.
Total monthly cost incurred is 1 model unit * $39.60 * 24 hours * 31 days = $29,462.40

@iann0036
Author

Thanks @sam-cox-tracebit, added.
