diff --git a/.github/workflows/api-compat-verification.yml b/.github/workflows/api-compat-verification.yml
index 2d4a22452ad..5d7de9de0c4 100644
--- a/.github/workflows/api-compat-verification.yml
+++ b/.github/workflows/api-compat-verification.yml
@@ -7,6 +7,8 @@ on:
       - main
       - '*-main'
 
+permissions: { }
+
 jobs:
   api-compat-verification:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/closed-issue-message.yaml b/.github/workflows/closed-issue-message.yaml
index 3340afb1f3b..6304f05c5d6 100644
--- a/.github/workflows/closed-issue-message.yaml
+++ b/.github/workflows/closed-issue-message.yaml
@@ -2,6 +2,7 @@ name: Closed Issue Message
 on:
     issues:
        types: [closed]
+permissions: { }
 jobs:
     auto_comment:
         runs-on: ubuntu-latest
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 6c8840e8467..db1530d04c8 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: { }
+
 # Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
 concurrency:
   group: ci-pr-${{ github.ref }}
diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml
index bd000719d10..b38327cf6e7 100644
--- a/.github/workflows/issue-regression-labeler.yml
+++ b/.github/workflows/issue-regression-labeler.yml
@@ -3,6 +3,7 @@ name: issue-regression-label
 on:
   issues:
     types: [opened, edited]
+permissions: { }
 jobs:
   add-regression-label:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 27addf43769..9cfcffb7a5a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,8 @@ on:
       - '*-main'
   workflow_dispatch:
 
+permissions: { }
+
 env:
   PACKAGE_NAME: aws-sdk-kotlin
 
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
index db1df3a1429..d73d47a838a 100644
--- a/.github/workflows/merge-main.yml
+++ b/.github/workflows/merge-main.yml
@@ -4,6 +4,8 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions: { }
+
 jobs:
   merge:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-readiness.yml b/.github/workflows/release-readiness.yml
index 988d3fd103e..929dae539c4 100644
--- a/.github/workflows/release-readiness.yml
+++ b/.github/workflows/release-readiness.yml
@@ -8,6 +8,8 @@ on:
     types: [ opened, synchronize, reopened, labeled, unlabeled ]
     branches: [ main ]
 
+permissions: { }
+
 jobs:
   release-readiness:
     if: ${{ !contains(github.event.pull_request.labels.*.name, 'ready-for-release') }}
diff --git a/.github/workflows/stale_issue.yaml b/.github/workflows/stale_issue.yaml
index 7547e6285eb..820c15b7d85 100644
--- a/.github/workflows/stale_issue.yaml
+++ b/.github/workflows/stale_issue.yaml
@@ -5,6 +5,8 @@ on:
   schedule:
   - cron: "0 0/3 * * *"
 
+permissions: { }
+
 jobs:
   cleanup:
     name: Stale issue job
diff --git a/.github/workflows/sync-mirror.yml b/.github/workflows/sync-mirror.yml
index ffdb5731f9c..606a87e7039 100644
--- a/.github/workflows/sync-mirror.yml
+++ b/.github/workflows/sync-mirror.yml
@@ -5,6 +5,8 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions: { }
+
 jobs:
   git-sync:
     # Only sync when pushing to source repo