Skip to content

Instantly share code, notes, and snippets.

@iann0036
Last active September 24, 2024 01:40
Show Gist options
  • Save iann0036/b473bbb3097c5f4c656ed3d07b4d2222 to your computer and use it in GitHub Desktop.
Save iann0036/b473bbb3097c5f4c656ed3d07b4d2222 to your computer and use it in GitHub Desktop.
List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
s3:PutObjectLegalHold
s3:BypassGovernanceRetention
s3:PutBucketObjectLockConfiguration
elasticache:PurchaseReservedCacheNodesOffering
redshift:PurchaseReservedNodeOffering
savingsplans:CreateSavingsPlan
aws-marketplace:AcceptAgreementApprovalRequest
aws-marketplace:Subscribe
shield:CreateSubscription
acm-pca:CreateCertificateAuthority
es:PurchaseReservedElasticsearchInstanceOffering
outposts:CreateOutpost
snowball:CreateCluster
s3-object-lambda:PutObjectLegalHold
s3-object-lambda:PutObjectRetention
glacier:InitiateVaultLock
glacier:CompleteVaultLock
es:PurchaseReservedInstanceOffering
backup:PutBackupVaultLockConfiguration
bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput
ses:PutDeliverabilityDashboardOption
@iann0036
Copy link
Author

These are IAM permissions that gate calls that could be potentially expensive or result in a long-term commitment.

@danquack
Copy link

acm-pca:CreateCertificateAuthority at $400/month https://aws.amazon.com/certificate-manager/pricing/

@iann0036
Copy link
Author

Nice @danquack, added.

@z0ph
Copy link

z0ph commented Apr 28, 2021

Maybe cloudfront:CreateDistribution

You pay $600 per month for each custom SSL certificate associated with one or more CloudFront distributions using the Dedicated IP version of custom SSL certificate support.

@z0ph
Copy link

z0ph commented Apr 28, 2021

@thebostik
Copy link

Thanks for sharing. For commitments, we additionally have es:PurchaseReservedElasticsearchInstanceOffering (Amazon Elasticsearch Service) on our list.

@iann0036
Copy link
Author

@thebostik: Thanks, added!

@z0ph: That might be good if this moves to a more defined list with certain rules (i.e. no call over $500 or something). At that point we can convert it to an actual policy with conditionals etc.

@lorengordon
Copy link

How about outposts:Create* and snowball:Create*?

@iann0036
Copy link
Author

Thanks @lorengordon, added.

@tdmalone
Copy link

tdmalone commented Jun 4, 2021

Nice list - makes a good basis for an SCP in AWS Organizations covering, for example, otherwise unrestricted dev accounts.

@noamsdahan
Copy link

noamsdahan commented Jun 6, 2021

kendra:CreateIndex costs 7$ an hour and seems like a good addition to this list. (adds up to about 5K/month)
There is a free trial developer edition, but the "edition" parameter is optional in the API call and the default value is ENTERPRISE_EDITION. 🤦

@shotty1
Copy link

shotty1 commented Aug 18, 2021

"s3-object-lambda:PutObjectLegalHold"
"s3-object-lambda:PutObjectRetention"
I saw those in the IAM changelogs. Sounds dangerous ;-)

@iann0036
Copy link
Author

Thanks @shotty1 ! Added.

@tdmalone
Copy link

glacier:*VaultLock

@iann0036
Copy link
Author

Thanks @tdmalone, added!

@ckabalan
Copy link

ckabalan commented Oct 8, 2021

@tdmalone FYI you can't use that with an SCP, you can only have wildcards at the END of a SCP. I tried similar with *ReservedInstance* and it does not work.

Note
In an SCP, the wildcard characters (*) and (?) in an Action or NotAction element can be used only by itself
or at the end of the string. It can't appear at the beginning or middle of the string. Therefore,
"servicename:action*" is valid, but "servicename:*action" and "servicename:some*action" are both invalid in SCPs.

Source: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-syntax-action

@shotty1
Copy link

shotty1 commented Oct 9, 2021

backup:PutBackupVaultLockConfiguration

@iann0036
Copy link
Author

iann0036 commented Oct 9, 2021

Thanks @shotty1 , added.

@sam-cox-tracebit
Copy link

bedrock:CreateProvisionedModelThroughput
bedrock:UpdateProvisionedModelThroughput

https://aws.amazon.com/bedrock/pricing/

Provisioned Throughput pricing
An application developer, buys one model unit of Anthropic Claude Instant with 1-month commitment for their text summarization use case.
Total monthly cost incurred is 1 model unit * $39.60 * 24 hours * 31 days = $29,462.40

@iann0036
Copy link
Author

Thanks @sam-cox-tracebit, added.

@vstanimirovic
Copy link

vstanimirovic commented Sep 21, 2024

I've got one sneaky b*****d to be added to the list:
Amazon Pinpoint-Deliverability dashboard
https://aws.amazon.com/pinpoint/pricing/

The Deliverability Dashboard is available for a fixed price of USD $1,250 per month. This charge includes reputation monitoring for up to five domains and 25 predictive email placement tests.

Note: If you cancel your subscription before the end of a billing period, we continue to charge you for the remaining days in the billing period. However, we don't charge you for the next billing period.

@iann0036
Copy link
Author

Thanks, added ses:PutDeliverabilityDashboardOption.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment