Forked from iann0036/gist:b473bbb3097c5f4c656ed3d07b4d2222
Last active
October 4, 2023 12:37
-
-
Save rowanu/fc111263aa4a8f98c22a6e9080de0a65 to your computer and use it in GitHub Desktop.
SCP to deny potentially expensive and/or long-running AWS IAM actions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "PotentiallyExpensiveActions", | |
| "Effect": "Deny", | |
| "Action": [ | |
| "acm-pca:CreateCertificateAuthority", | |
| "aws-marketplace:AcceptAgreementApprovalRequest", | |
| "aws-marketplace:Subscribe", | |
| "backup:PutBackupVaultLockConfiguration", | |
| "bedrock:CreateProvisionedModelThroughput", | |
| "bedrock:InvokeAgent", | |
| "bedrock:InvokeModel", | |
| "bedrock:InvokeModelWithResponseStream", | |
| "dynamodb:PurchaseReservedCapacityOfferings", | |
| "ec2:ModifyReservedInstances", | |
| "ec2:PurchaseHostReservation", | |
| "ec2:PurchaseReservedInstancesOffering", | |
| "ec2:PurchaseScheduledInstances", | |
| "elasticache:PurchaseReservedCacheNodesOffering", | |
| "es:PurchaseReservedElasticsearchInstanceOffering", | |
| "es:PurchaseReservedInstanceOffering", | |
| "glacier:CompleteVaultLock", | |
| "glacier:InitiateVaultLock", | |
| "outposts:CreateOutpost", | |
| "rds:PurchaseReservedDBInstancesOffering", | |
| "redshift:PurchaseReservedNodeOffering", | |
| "route53domains:RegisterDomain", | |
| "route53domains:RenewDomain", | |
| "route53domains:TransferDomain", | |
| "s3-object-lambda:PutObjectLegalHold", | |
| "s3-object-lambda:PutObjectRetention", | |
| "s3:BypassGovernanceRetention", | |
| "s3:PutBucketObjectLockConfiguration", | |
| "s3:PutObjectLegalHold", | |
| "s3:PutObjectRetention", | |
| "savingsplans:CreateSavingsPlan", | |
| "shield:CreateSubscription", | |
| "snowball:CreateCluster" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| acm-pca:CreateCertificateAuthority | |
| aws-marketplace:AcceptAgreementApprovalRequest | |
| aws-marketplace:Subscribe | |
| backup:PutBackupVaultLockConfiguration | |
| bedrock:CreateProvisionedModelThroughput | |
| bedrock:InvokeAgent | |
| bedrock:InvokeModel | |
| bedrock:InvokeModelWithResponseStream | |
| dynamodb:PurchaseReservedCapacityOfferings | |
| ec2:ModifyReservedInstances | |
| ec2:PurchaseHostReservation | |
| ec2:PurchaseReservedInstancesOffering | |
| ec2:PurchaseScheduledInstances | |
| elasticache:PurchaseReservedCacheNodesOffering | |
| es:PurchaseReservedElasticsearchInstanceOffering | |
| es:PurchaseReservedInstanceOffering | |
| glacier:CompleteVaultLock | |
| glacier:InitiateVaultLock | |
| outposts:CreateOutpost | |
| rds:PurchaseReservedDBInstancesOffering | |
| redshift:PurchaseReservedNodeOffering | |
| route53domains:RegisterDomain | |
| route53domains:RenewDomain | |
| route53domains:TransferDomain | |
| s3-object-lambda:PutObjectLegalHold | |
| s3-object-lambda:PutObjectRetention | |
| s3:BypassGovernanceRetention | |
| s3:PutBucketObjectLockConfiguration | |
| s3:PutObjectLegalHold | |
| s3:PutObjectRetention | |
| savingsplans:CreateSavingsPlan | |
| shield:CreateSubscription | |
| snowball:CreateCluster |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment