Forked from iann0036/gist:b473bbb3097c5f4c656ed3d07b4d2222
Last active
October 8, 2024 07:54
-
-
Save rowanu/fc111263aa4a8f98c22a6e9080de0a65 to your computer and use it in GitHub Desktop.
SCP to deny potentially expensive and/or long-running AWS IAM actions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "PotentiallyExpensiveActions", | |
| "Effect": "Deny", | |
| "Action": [ | |
| "acm-pca:CreateCertificateAuthority", | |
| "aws-marketplace:AcceptAgreementApprovalRequest", | |
| "aws-marketplace:Subscribe", | |
| "backup:PutBackupVaultLockConfiguration", | |
| "bedrock:CreateProvisionedModelThroughput", | |
| "bedrock:InvokeAgent", | |
| "bedrock:InvokeModel", | |
| "bedrock:InvokeModelWithResponseStream", | |
| "dynamodb:PurchaseReservedCapacityOfferings", | |
| "ec2:ModifyReservedInstances", | |
| "ec2:PurchaseHostReservation", | |
| "ec2:PurchaseReservedInstancesOffering", | |
| "ec2:PurchaseScheduledInstances", | |
| "elasticache:PurchaseReservedCacheNodesOffering", | |
| "es:PurchaseReservedElasticsearchInstanceOffering", | |
| "es:PurchaseReservedInstanceOffering", | |
| "glacier:CompleteVaultLock", | |
| "glacier:InitiateVaultLock", | |
| "outposts:CreateOutpost", | |
| "rds:PurchaseReservedDBInstancesOffering", | |
| "redshift:PurchaseReservedNodeOffering", | |
| "route53domains:RegisterDomain", | |
| "route53domains:RenewDomain", | |
| "route53domains:TransferDomain", | |
| "s3-object-lambda:PutObjectLegalHold", | |
| "s3-object-lambda:PutObjectRetention", | |
| "s3:BypassGovernanceRetention", | |
| "s3:PutBucketObjectLockConfiguration", | |
| "s3:PutObjectLegalHold", | |
| "s3:PutObjectRetention", | |
| "savingsplans:CreateSavingsPlan", | |
| "shield:CreateSubscription", | |
| "snowball:CreateCluster" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| acm-pca:CreateCertificateAuthority | |
| aws-marketplace:AcceptAgreementApprovalRequest | |
| aws-marketplace:Subscribe | |
| backup:PutBackupVaultLockConfiguration | |
| bedrock:CreateProvisionedModelThroughput | |
| bedrock:InvokeAgent | |
| bedrock:InvokeModel | |
| bedrock:InvokeModelWithResponseStream | |
| dynamodb:PurchaseReservedCapacityOfferings | |
| ec2:ModifyReservedInstances | |
| ec2:PurchaseHostReservation | |
| ec2:PurchaseReservedInstancesOffering | |
| ec2:PurchaseScheduledInstances | |
| elasticache:PurchaseReservedCacheNodesOffering | |
| es:PurchaseReservedElasticsearchInstanceOffering | |
| es:PurchaseReservedInstanceOffering | |
| glacier:CompleteVaultLock | |
| glacier:InitiateVaultLock | |
| outposts:CreateOutpost | |
| rds:PurchaseReservedDBInstancesOffering | |
| redshift:PurchaseReservedNodeOffering | |
| route53domains:RegisterDomain | |
| route53domains:RenewDomain | |
| route53domains:TransferDomain | |
| s3-object-lambda:PutObjectLegalHold | |
| s3-object-lambda:PutObjectRetention | |
| s3:BypassGovernanceRetention | |
| s3:PutBucketObjectLockConfiguration | |
| s3:PutObjectLegalHold | |
| s3:PutObjectRetention | |
| savingsplans:CreateSavingsPlan | |
| shield:CreateSubscription | |
| snowball:CreateCluster |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for sharing! Definitely want to block that, but I can't find the IAM action for it https://aws.permissions.cloud/iam/mobiletargeting
Will have a dig a bit deeper, but looks like it might be AWS web console only...