But if your environment is even moderately complex, there is a good chance this auditing will take some time. To minimize exposure in the interim, I decided to create a quick and dirty DenyDestructivePrivileges IAM group and assigned all service-based IAM users to it. Because an explicit Deny always overrides an Allow, this ensured that, independent of their assigned privileges, these IAM users could never perform destructive operations (terminate instances, delete S3 objects, and so on). While not a long-term solution, it at least allowed me to sleep at night while awaiting the completion of the story for auditing our service accounts.
Below is a sample policy you can customize for your environment:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:Delete*",
        "ec2:TerminateInstances",
        "s3:Delete*",
        "route53:Delete*",
        "glacier:Delete*",
        "rds:Delete*",
        "cloudtrail:Delete*",
        "iam:Delete*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
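To see what the policy above actually blocks before attaching it, here is an added example (not code from the original post) that loads a constructed copy of the policy and runs a simplified IAM evaluation over it: explicit Deny wins, then an Allow is required, otherwise the result is an implicit deny. SERVICE_USER_POLICY is a hypothetical over-broad policy standing in for whatever a service user already has; conditions and resource ARNs are deliberately not modelled.

```python
import fnmatch
import json

# Constructed copy of the DenyDestructivePrivileges policy from the post.
DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny",
     "Action": ["ec2:Delete*", "ec2:TerminateInstances", "s3:Delete*",
                "route53:Delete*", "glacier:Delete*", "rds:Delete*",
                "cloudtrail:Delete*", "iam:Delete*"],
     "Resource": ["*"]}
  ]
}
""")

# Hypothetical over-broad policy a service user might already carry.
SERVICE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action patterns are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(action, *policies):
    """Simplified IAM decision for one action against a '*' resource.

    Order mirrors the documented logic: any matching explicit Deny wins,
    otherwise a matching Allow is needed, otherwise implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"
                allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    for act in ["ec2:TerminateInstances", "s3:DeleteObject", "iam:DeleteUser",
                "ec2:StopInstances", "s3:PutBucketPolicy"]:
        print(f"{act:24} -> {evaluate(act, SERVICE_USER_POLICY, DENY_POLICY)}")
```

Running it shows the deletes and terminations are caught, but actions such as ec2:StopInstances or s3:PutBucketPolicy still pass through, which is the kind of gap to keep in mind while the proper audit is pending.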