Hey there! This project looks great. I really appreciate you building a tool for this problem space as some of the current tools available are a bit outdated.
I noticed that you have a comment here:

> Note: some AWS functions can incur costs when called. I have deny-listed all operations starting with `open` or `purchase` to mitigate accidental costs, which appears to be safe in my own testing, but please use this with caution. I don't guarantee you won't accidentally incur costs when calling all these functions (even if it's without arguments).
I'd like to suggest changing the way you block actions from being called. A while back, when I was fuzzing the AWS API, I made the mistake of calling shield:CreateSubscription. This subscribed my AWS account for Shield Advanced which is $3,000 per month (thankfully some kind folks inside AWS were able to resolve this without me paying).
Rather than just denying actions which start with `open` or `purchase`, it might be a good idea to allowlist actions that start with `Get`, `List`, or `Describe` (sort of similar to how enumerate-iam does it). This would reduce the number of actions you can check for, but would mitigate a lot of the risk in the event that AWS creates a new service/action that costs money by default (and doesn't fall into the `open` or `purchase` category).
Just a suggestion! Thank you again for working on this problem.
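To make the difference between the two filtering policies concrete, here is an added example (not code from this project or from the commenter) that parses IAM-style `service:Action` names and shows which actions the `open`/`purchase` denylist would still let through but a `Get`/`List`/`Describe` allowlist would block. The action list is a constructed sample, and prefix matching is assumed to be case-insensitive.

```python
import re

# Constructed sample of IAM-style action names. It includes the
# shield:CreateSubscription call mentioned in the comment, which starts with
# neither "open" nor "purchase" and so slips past a denylist.
SAMPLE_ACTIONS = [
    "s3:ListBuckets",
    "ec2:DescribeInstances",
    "iam:GetUser",
    "shield:CreateSubscription",
    "ec2:PurchaseReservedInstancesOffering",
    "route53domains:RegisterDomain",
    "s3:GetObject",
]

# IAM actions look like "<service>:<ActionName>".
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9]+)$")

DENY_PREFIXES = ("open", "purchase")          # the README's denylist
ALLOW_PREFIXES = ("get", "list", "describe")  # the suggested allowlist


def split_action(action):
    """Split 'service:Action' into (service, action); reject malformed input."""
    m = ACTION_RE.match(action)
    if not m:
        raise ValueError(f"not an IAM-style action: {action!r}")
    return m.group(1), m.group(2)


def denylist_permits(action):
    """Denylist policy: call anything unless its name starts with open/purchase."""
    _, name = split_action(action)
    return not name.lower().startswith(DENY_PREFIXES)


def allowlist_permits(action, extra_prefixes=()):
    """Allowlist policy: call only names with read-only style prefixes.

    extra_prefixes lets a caller opt in to further prefixes deliberately.
    """
    _, name = split_action(action)
    prefixes = ALLOW_PREFIXES + tuple(p.lower() for p in extra_prefixes)
    return name.lower().startswith(prefixes)


def denylist_gaps(actions):
    """Actions the denylist would call but the allowlist would refuse."""
    return [a for a in actions if denylist_permits(a) and not allowlist_permits(a)]


if __name__ == "__main__":
    for action in denylist_gaps(SAMPLE_ACTIONS):
        print("denylist would still call:", action)
```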