How Giving “ReadOnlyAccess” IAM Permissions Can Still Cost You Money

What if I told you that giving someone “ReadOnlyAccess” to your AWS account could still cost you real money?
One would think that attaching the AWS managed policy “ReadOnlyAccess” (arn:aws:iam::aws:policy/ReadOnlyAccess) to a user or role would prevent them from spending anything. Note that it is a managed policy, not a role, even though it is most often attached to roles.
Well, this is not the case. The main reason is CloudWatch Logs Insights: the policy grants logs:StartQuery, which runs Logs Insights queries, together with cloudwatch:GenerateQuery, which generates those queries from a natural-language prompt. Logs Insights is a powerful tool, but it is billed per GB of log data scanned, so a single query over a large log group and a long time range is not cheap, and the caller never sees the bill.
Live Tail is the same story. ReadOnlyAccess also grants logs:StartLiveTail, and a Live Tail session is billed per minute of session time. The difference is the rate: a Live Tail session can only accrue charges as fast as the clock runs, whereas a Logs Insights query over a long time range is billed on everything it scans in one shot.
Keep that in mind before handing the “ReadOnlyAccess” policy to third parties, or even to people in your own org. If you do need it, attach an explicit Deny on those actions alongside it (an explicit Deny always overrides an Allow in IAM), and set up an AWS Budgets alert so a runaway query shows up quickly rather than on next month’s invoice.
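To turn that warning into a check, here is an added example (mine, not code from the original post): a short Python script that scans an IAM policy document for the billable actions named above, honouring IAM’s * and ? wildcards, and emits the explicit-Deny policy to attach next to ReadOnlyAccess. The policy document in the block is a constructed excerpt modelled on the shape of ReadOnlyAccess, not the real policy; to check the real thing, fetch it with `aws iam get-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess` (for the DefaultVersionId) and `aws iam get-policy-version`, and pass that document in instead. The watchlist is limited to the three actions this post discusses.

```python
import fnmatch
import json

# Constructed sample: an excerpt in the shape of the AWS managed ReadOnlyAccess
# policy. It is NOT the real policy document; fetch the real one with
# `aws iam get-policy-version` before trusting any result from this script.
SAMPLE_READONLY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:GenerateQuery",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Describe*",
                "logs:FilterLogEvents",
                "logs:Get*",
                "logs:List*",
                "logs:StartLiveTail",
                "logs:StartQuery",
                "logs:StopLiveTail",
                "logs:StopQuery",
                "s3:Get*",
                "s3:List*",
            ],
            "Resource": "*",
        }
    ],
}

# Read-only-looking actions that are billed per use (the three from this post).
CHARGEABLE_ACTIONS = (
    "logs:StartQuery",           # Logs Insights query, billed per GB scanned
    "logs:StartLiveTail",        # Live Tail session, billed per minute
    "cloudwatch:GenerateQuery",  # natural-language Logs Insights query generation
)


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list; normalise."""
    return value if isinstance(value, list) else [value]


def iam_action_matches(pattern, action):
    """IAM action patterns use * and ? wildcards and are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_chargeable_actions(policy_doc, chargeable=CHARGEABLE_ACTIONS):
    """Map each chargeable action to the Allow patterns that grant it.

    Resource and Condition are ignored on purpose: for a cost review you want
    the over-approximation. Deny statements are skipped; IAM applies those itself.
    """
    hits = {}
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in chargeable:
                if iam_action_matches(pattern, action):
                    hits.setdefault(action, []).append(pattern)
    return hits


def build_deny_policy(actions):
    """Explicit Deny overrides any Allow, so attaching this beside ReadOnlyAccess
    removes the billable actions without touching the managed policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyBillableReadOnlyActions",
                "Effect": "Deny",
                "Action": sorted(actions),
                "Resource": "*",
            }
        ],
    }


if __name__ == "__main__":
    found = find_chargeable_actions(SAMPLE_READONLY_EXCERPT)
    for action, patterns in found.items():
        print(f"{action} is granted by {patterns}")
    print(json.dumps(build_deny_policy(found), indent=2))
```

The wildcard matching matters because managed policies often grant whole verb families (for example a `logs:Start*` pattern would cover both StartQuery and StartLiveTail); matching exact strings only would miss those grants.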
Question: What other seemingly safe IAM Permissions can be abused to rack up charges?