SCP to deny potentially expensive and/or long-running AWS IAM actions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PotentiallyExpensiveActions",
      "Effect": "Deny",
      "Action": [
        "acm-pca:CreateCertificateAuthority",
        "aws-marketplace:AcceptAgreementApprovalRequest",
        "aws-marketplace:Subscribe",
        "backup:PutBackupVaultLockConfiguration",
        "bedrock:CreateProvisionedModelThroughput",
        "bedrock:InvokeAgent",
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream",
        "dynamodb:PurchaseReservedCapacityOfferings",
        "ec2:ModifyReservedInstances",
        "ec2:PurchaseHostReservation",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:PurchaseScheduledInstances",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "glacier:CompleteVaultLock",
        "glacier:InitiateVaultLock",
        "outposts:CreateOutpost",
        "rds:PurchaseReservedDBInstancesOffering",
        "redshift:PurchaseReservedNodeOffering",
        "route53domains:RegisterDomain",
        "route53domains:RenewDomain",
        "route53domains:TransferDomain",
        "s3-object-lambda:PutObjectLegalHold",
        "s3-object-lambda:PutObjectRetention",
        "s3:BypassGovernanceRetention",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "savingsplans:CreateSavingsPlan",
        "shield:CreateSubscription",
        "snowball:CreateCluster"
      ],
      "Resource": "*"
    }
  ]
}
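Before attaching an SCP like this one, it is worth checking offline which API calls it would actually deny. The following Python is an added example, not part of the gist: it embeds a labelled subset of the policy's actions, applies IAM's action-matching rules (case-insensitive, with `*` and `?` wildcards), and checks the document against the 5,120-character SCP size quota.

```python
import json
import re

SCP_MAX_CHARS = 5120  # AWS Organizations quota for an SCP document

# Subset of the gist's Deny list, embedded so the example runs offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PotentiallyExpensiveActions",
        "Effect": "Deny",
        "Action": [
            "ec2:PurchaseHostReservation",
            "ec2:PurchaseReservedInstancesOffering",
            "route53domains:RegisterDomain",
            "s3:PutObjectLegalHold",
            "savingsplans:CreateSavingsPlan",
        ],
        "Resource": "*",
    }],
}

def iam_action_pattern(pattern: str) -> re.Pattern:
    """Compile an IAM action pattern: '*' matches any run of characters,
    '?' exactly one, everything else is literal; matching ignores case."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

def denied_by_scp(scp: dict, action: str) -> bool:
    """True if any Deny statement matches the action. Only Resource '*' and
    no Condition are handled, which is all this gist's SCP uses. Note that an
    SCP never restricts the management account or service-linked roles."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(iam_action_pattern(p).match(action) for p in actions):
            return True
    return False

def scp_size(scp: dict) -> int:
    """Character count of the minified policy, to compare with SCP_MAX_CHARS."""
    return len(json.dumps(scp, separators=(",", ":")))

if __name__ == "__main__":
    for a in ["ec2:PurchaseHostReservation", "EC2:purchasehostreservation",
              "ec2:RunInstances", "s3:PutObject"]:
        print(f"{a:40} denied={denied_by_scp(SCP, a)}")
    print(f"size {scp_size(SCP)} / {SCP_MAX_CHARS}")
```

Running it shows that only the listed purchase and lock actions are denied (regardless of letter case), while everyday calls such as `ec2:RunInstances` pass through untouched.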
@vstanimirovic

I've got one sneaky b*****d to be added to the list:
Amazon Pinpoint-Deliverability dashboard
https://aws.amazon.com/pinpoint/pricing/

The Deliverability Dashboard is available for a fixed price of USD $1,250 per month. This charge includes reputation monitoring for up to five domains and 25 predictive email placement tests.

Note: If you cancel your subscription before the end of a billing period, we continue to charge you for the remaining days in the billing period. However, we don't charge you for the next billing period.

@rowanu
Author

rowanu commented Sep 26, 2024

Thanks for sharing! Definitely want to block that, but I can't find the IAM action for it: https://aws.permissions.cloud/iam/mobiletargeting

Will dig a bit deeper, but it looks like it might be AWS web console only...
