diff --git a/.github/workflows/pr-ci.yaml b/.github/workflows/pr-ci.yaml
index 751d3943..c0178f32 100644
--- a/.github/workflows/pr-ci.yaml
+++ b/.github/workflows/pr-ci.yaml
@@ -4,6 +4,9 @@ name: CloudFormation CLI Pull Request CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     env:
diff --git a/.github/workflows/pypi-release.yaml b/.github/workflows/pypi-release.yaml
index 45942c2d..20b83e7c 100644
--- a/.github/workflows/pypi-release.yaml
+++ b/.github/workflows/pypi-release.yaml
@@ -5,6 +5,9 @@ on:
   release:
     types: [ published ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/schema-updater.yaml b/.github/workflows/schema-updater.yaml
index d998609e..743f5ea3 100644
--- a/.github/workflows/schema-updater.yaml
+++ b/.github/workflows/schema-updater.yaml
@@ -2,6 +2,10 @@ on:
   schedule:
     - cron: '0 0 * * *'
   workflow_dispatch: # Enables on-demand/manual triggering: https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/manually-running-a-workflow
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   schema-updater:
     runs-on: ubuntu-latest