ADEEL ABBAS


Restrict IAM User Access after AWS Budget Limit is reached

💰 Automatically Restrict IAM User Access After AWS Budget Limit is Reached


At 2:37 AM, the AWS bill silently crossed its limit: no alarms, no humans watching.
Seconds later, an unseen Lambda woke up, and just like that, the IAM user's access vanished mid-click.
The cloud didn't crash; it locked the door 🔒


🎯 Goal

  • Set a spend limit (budget) in AWS.
  • Send an alert using Amazon SNS when the limit is reached.
  • Trigger an AWS Lambda function that will restrict an IAM user.
  • The IAM user will lose AWS access automatically when the budget is exceeded.

✅ Prerequisites

  • Basic AWS Account
  • IAM user to test
  • IAM permissions to create budgets, Lambda functions, and SNS topics

🔧 Step 1: Create an AWS Budget

  • Go to the AWS Console, choose Billing, then Budgets.
  • Click Create Budget and name it Cost Budget.
  • Set the spend limit (e.g. $10 per month).
  • Add an alert threshold at 100% of the budget.
  • Create a new SNS Topic when prompted (we'll configure later).

🛠️ Example:

  • Budget: $10/month
  • Alert at: 100%

🔔 Step 2: Create an SNS Topic

  • Go to Amazon SNS, choose Topics, then Create Topic.
  • Choose Standard Topic.
  • Set the name (e.g. BudgetExceedTopic).
  • Click Create Topic.
  • Subscribe Lambda to SNS: we will link this SNS topic to the Lambda function in Step 5.

🖥️ Step 3: Create a Lambda Function

  • Go to Lambda → Create Function → Author from scratch.
  • Function name: RestrictIAMUserFunction
  • Runtime: Python 3.12 (or latest)

Paste This Code:

```python
import boto3
import json

iam = boto3.client('iam')

def lambda_handler(event, context):
    user_name = 'adeel'  # Change this to your IAM username

    # Explicit Deny on every action and resource: an explicit deny always
    # wins over any Allow the user already has.
    deny_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*"
        }]
    }

    # Attach it as an inline policy on the user (requires iam:PutUserPolicy).
    iam.put_user_policy(
        UserName=user_name,
        PolicyName='DenyAllPolicy',
        PolicyDocument=json.dumps(deny_policy)
    )

    return {"status": f"Permissions restricted for user {user_name}"}
```

🔒 Step 4: Add IAM Permissions to Lambda

  • The Lambda's execution role needs permissions to:
    • Write logs
    • Attach IAM policies
  • Inline policy to add:

  • 👉 Replace YOUR_ACCOUNT_ID with your AWS Account ID.
  • If you want to restrict all users, use:
    "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:user/*"

🔗 Step 5: Connect SNS to Lambda

  • Go to your SNS Topic, choose Subscriptions, then Create Subscription.
  • Choose Protocol: AWS Lambda.
  • Choose the Lambda function we just created.
  • Confirm subscription.

βœ”οΈ Now, when the budget threshold is exceeded, SNS will automatically trigger the Lambda function.

✅ Step 6: Review and Test

  • Budget Alerts should now trigger your SNS topic when the budget is crossed.
  • SNS will trigger the Lambda function.
  • Lambda will restrict the IAM user by attaching a deny-all policy.

βœ”οΈ You can verify this by checking the user in IAM ( Inline Policies )

🔥 Key Tips

  • AWS Budgets data updates a few times a day, so the restriction is not instant, but it is timely.
  • Always test on a non-production user first.
  • You can enhance this by making the Lambda dynamically read the username from the SNS message.
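Added example (not the post's own code) of the enhancement in the last tip: the handler reads the target user names from the SNS message instead of hard-coding one. It assumes a constructed JSON message of the form {"users": [...]} published to the topic; a real AWS Budgets notification is plain text with no username, so the handler falls back to a default user in that case. The IAM client is injectable so the logic can be exercised without AWS credentials.

```python
import json

# Constructed message format assumed for this example: {"users": ["alice", "bob"]}.
DEFAULT_USER = "adeel"  # hypothetical; change to your IAM username

DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

def parse_target_users(event, default_user=DEFAULT_USER):
    """Return the IAM user names listed in the SNS message(s), or the default."""
    users = []
    for record in event.get("Records", []):
        message = record.get("Sns", {}).get("Message", "")
        try:
            body = json.loads(message)
        except (TypeError, ValueError):
            continue  # plain-text message (a real Budgets alert): no user list
        if isinstance(body, dict):
            users.extend(u for u in body.get("users", []) if isinstance(u, str))
    seen = set()  # de-duplicate while keeping order
    unique = [u for u in users if not (u in seen or seen.add(u))]
    return unique or [default_user]

def restrict_users(iam, users, policy_name="DenyAllPolicy"):
    """Attach the deny-all inline policy to each user; returns per-user status."""
    results = {}
    for user in users:
        try:
            # Needs iam:PutUserPolicy on the user's ARN in the execution role.
            iam.put_user_policy(
                UserName=user,
                PolicyName=policy_name,
                PolicyDocument=json.dumps(DENY_ALL_POLICY),
            )
            results[user] = "restricted"
        except Exception as exc:  # keep going so one bad name does not skip the rest
            results[user] = f"error: {exc}"
    return results

def lambda_handler(event, context, iam=None):
    if iam is None:
        import boto3  # imported lazily so the parsing logic can be tested offline
        iam = boto3.client("iam")
    return {"status": restrict_users(iam, parse_target_users(event))}
```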

✨ Happy Cloud Learning!

If you found this blog helpful, Subscribe here:
CloudTipsByAD
