By Rob Pulsipher
Quotas are a relatively new feature of AWS, which I consider to be an essential security feature. Developers often have a very powerful IAM account and make continual use of the command line. This usage pattern leads to credentials being left lying around on hard disks. By restricting quota changes from user accounts, the organization adds a layer of protection against excessive costs due to accidents or malfeasance by users and from compromise by cyber criminals.
Quota change restriction is a simple measure to implement. Add the following statement to whichever IAM policy is attached to the group to deny all access to quota-related functions. An explicit Deny overrides any Allow.
(This excludes all quota actions, including the read-only actions. It is possible to be more fine-grained, but I took the shotgun approach here for simplicity.)
{
    "Sid": "VisualEditor1",
    "Effect": "Deny",
    "Action": "servicequotas:*",
    "Resource": "*"
}
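The following is an added example, not code from the original post: a simplified policy evaluator that shows the explicit Deny winning over a broad Allow, and compares the statement above with the finer-grained variant the parenthetical mentions. The allow-all statement, the `DenyQuotaChanges` Sid and the choice of which Service Quotas write actions to list are assumptions made for illustration.

```python
import re

# Constructed sample statements (assumptions for illustration, except DENY_ALL_QUOTAS).
ALLOW_ALL = {"Effect": "Allow", "Action": "*", "Resource": "*"}
# The statement from the page, verbatim.
DENY_ALL_QUOTAS = {"Sid": "VisualEditor1", "Effect": "Deny", "Action": "servicequotas:*", "Resource": "*"}
# Assumed narrower variant: deny only the quota-changing actions, leave reads allowed.
DENY_QUOTA_CHANGES = {"Sid": "DenyQuotaChanges", "Effect": "Deny", "Resource": "*", "Action": [
    "servicequotas:RequestServiceQuotaIncrease",
    "servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate",
    "servicequotas:DeleteServiceQuotaIncreaseRequestFromTemplate",
    "servicequotas:AssociateServiceQuotaTemplate",
    "servicequotas:DisassociateServiceQuotaTemplate",
]}
BROAD = {"Version": "2012-10-17", "Statement": [ALLOW_ALL, DENY_ALL_QUOTAS]}
FINE = {"Version": "2012-10-17", "Statement": [ALLOW_ALL, DENY_QUOTA_CHANGES]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are the only wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.
    Simplified: one identity-based policy; Resource, Condition and NotAction
    are not evaluated (every statement here uses Resource '*')."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation, whatever else allows it
            decision = "Allow"
    return decision

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("FINE", FINE)):
        for action in ("servicequotas:RequestServiceQuotaIncrease", "servicequotas:ListServiceQuotas"):
            print(name, action, evaluate(policy, action))
```

With the broad statement, read-only calls such as `servicequotas:ListServiceQuotas` are denied along with the quota increase request; with the narrower variant they remain allowed while the change actions are still blocked.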