route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
backup:PutBackupVaultLockConfiguration
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
ses:PutDeliverabilityDashboardOption
acm-pca:CreateCertificateAuthority at $400/month https://aws.amazon.com/certificate-manager/pricing/
Nice @danquack, added.
Maybe cloudfront:CreateDistribution
You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions using the Dedicated IP version of custom SSL certificate support.
Could be useful thread: https://twitter.com/quinnypig/status/1243316557993795586?lang=en
Thanks for sharing. For commitments, we additionally have es:PurchaseReservedElasticsearchInstanceOffering (Amazon Elasticsearch Service) on our list.
@thebostik: Thanks, added!
@z0ph: That might be good if this moves to a more defined list with certain rules (i.e. no call over $500 or something). At that point we can convert it to an actual policy with conditionals etc.
How about outposts:Create* and snowball:Create*?
Thanks @lorengordon, added.
Nice list - makes a good basis for an SCP in AWS Organizations covering, for example, otherwise unrestricted dev accounts.
kendra:CreateIndex costs 7$ an hour and seems like a good addition to this list. (adds up to about 5K/month)
There is a free trial developer edition, but the "edition" parameter is optional in the API call and the default value is ENTERPRISE_EDITION. 🤦
"s3-object-lambda:PutObjectLegalHold"
"s3-object-lambda:PutObjectRetention"
I saw those in the IAM changelogs. Sounds dangerous ;-)
Thanks @shotty1 ! Added.
glacier:*VaultLock
Thanks @tdmalone, added!
@tdmalone FYI you can't use that with an SCP, you can only have wildcards at the END of a SCP. I tried similar with *ReservedInstance* and it does not work.
Note
In an SCP, the wildcard characters (*) and (?) in an Action or NotAction element can be used only by itself
or at the end of the string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*" is valid, but "servicename:*action" and "servicename:some*action" are both invalid in SCPs.
backup:PutBackupVaultLockConfiguration
Thanks @shotty1 , added.
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
https://aws.amazon.com/bedrock/pricing/
Provisioned Throughput pricing
An application developer, buys one model unit of Anthropic Claude Instant with 1-month commitment for their text summarization use case.
Total monthly cost incurred is 1 model unit * $39.60 * 24 hours * 31 days = $29,462.40
Thanks @sam-cox-tracebit, added.
I've got one sneaky b*****d to be added to the list:
Amazon Pinpoint-Deliverability dashboard
https://aws.amazon.com/pinpoint/pricing/
The Deliverability Dashboard is available for a fixed price of USD $1,250 per month. This charge includes reputation monitoring for up to five domains and 25 predictive email placement tests.
Note: If you cancel your subscription before the end of a billing period, we continue to charge you for the remaining days in the billing period. However, we don't charge you for the next billing period.
Thanks, added ses:PutDeliverabilityDashboardOption.
These are IAM permissions that gate calls that could be potentially expensive or result in a long-term commitment.
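
The comments above suggest using this list as the basis for a Deny SCP and note that SCP wildcards are only valid alone or at the end of an action string. The following is an added example, not part of the gist: it checks candidate patterns against that rule, expands invalid ones into explicit names from a known list, and builds the policy. `KNOWN` and `CANDIDATES` are constructed samples, and the function names and `Sid` are hypothetical.

```python
import fnmatch
import json

# Constructed inputs: actions taken from the list on this page, plus the
# wildcard patterns suggested in the comments.
KNOWN = [
    "glacier:InitiateVaultLock", "glacier:CompleteVaultLock",
    "ec2:ModifyReservedInstances", "ec2:PurchaseReservedInstancesOffering",
]
CANDIDATES = [
    "route53domains:RegisterDomain", "outposts:Create*", "snowball:Create*",
    "glacier:*VaultLock", "ec2:*ReservedInstance*",
]

def scp_action_ok(action):
    """True if wildcards appear only alone or at the end of the string."""
    if action == "*":
        return True
    service, sep, name = action.partition(":")
    if not (sep and service and name) or set("*?") & set(service):
        return False
    stem = name.rstrip("*?")  # drop the trailing wildcard run, if any
    return not set("*?") & set(stem)

def build_deny_scp(candidates, known_actions):
    """Return (policy, unresolved); invalid patterns expand to known actions."""
    actions, unresolved = set(), []
    for cand in candidates:
        if scp_action_ok(cand):
            actions.add(cand)
            continue
        # IAM action names match case-insensitively, so compare lowercased.
        hits = [k for k in known_actions
                if fnmatch.fnmatchcase(k.lower(), cand.lower())]
        if hits:
            actions.update(hits)
        else:
            unresolved.append(cand)
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyExpensiveOrCommitmentCalls", "Effect": "Deny",
        "Action": sorted(actions), "Resource": "*",
    }]}
    return policy, unresolved

if __name__ == "__main__":
    policy, unresolved = build_deny_scp(CANDIDATES, KNOWN)
    print(json.dumps(policy, indent=2))
    print("needs explicit action names:", unresolved)
```

Patterns returned in `unresolved` matched nothing in the known list and have to be replaced with explicit action names before the policy is attached.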