Lesson 1: Anyone who knows the name of any of your S3 buckets can ramp up your AWS bill as they like.
Other than deleting the bucket, there's nothing you can do to prevent it. Standard S3 PUT requests are priced at just $0.005 per 1,000 requests, but a single machine can easily execute thousands of such requests per second.
I'm absolutely flabbergasted that this is okay. How is this okay???
How an empty S3 bucket can make your AWS bill explode
Imagine you create an empty, private AWS S3 bucket in a region of your preference. What will your AWS bill be the next morning?
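As an added illustration (not from the post or the linked article) of how a bucket owner would at least notice the rejected writes the lesson above describes: a small Python parser over constructed S3 server access log lines that counts 403-denied PUTs per source and applies the $0.005 per 1,000 figure quoted above. The record layout follows the S3 server access log format; the owner, bucket name, IPs and request ids are invented.

```python
import re
from collections import Counter

# Constructed sample S3 server access log lines (layout follows the S3 server
# access log format; owner, bucket, IPs and request ids are invented here).
SAMPLE_LOG = """\
owner1 my-bucket [29/Apr/2024:03:00:01 +0000] 198.51.100.7 - REQ1 REST.PUT.OBJECT backup/a.bin "PUT /my-bucket/backup/a.bin HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "aws-cli/2.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.amazonaws.com TLSv1.2 - -
owner1 my-bucket [29/Apr/2024:03:00:01 +0000] 198.51.100.7 - REQ2 REST.PUT.OBJECT backup/b.bin "PUT /my-bucket/backup/b.bin HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-cli/2.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.amazonaws.com TLSv1.2 - -
owner1 my-bucket [29/Apr/2024:03:00:02 +0000] 198.51.100.7 - REQ3 REST.PUT.OBJECT backup/c.bin "PUT /my-bucket/backup/c.bin HTTP/1.1" 403 AccessDenied 243 - 10 - "-" "aws-cli/2.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.amazonaws.com TLSv1.2 - -
owner1 my-bucket [29/Apr/2024:03:00:05 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/alice REQ4 REST.GET.OBJECT index.html "GET /my-bucket/index.html HTTP/1.1" 200 - 512 512 8 6 "-" "Mozilla/5.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.amazonaws.com TLSv1.2 - -
"""

# Leading fields of an S3 server access log record, up to the error code.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)'
)

PRICE_PER_1000_PUTS = 0.005  # USD, the PUT request price quoted in the post


def parse_line(line):
    """Return the parsed leading fields of one record, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def denied_write_report(log_text, threshold=3):
    """Count rejected (HTTP 403) write requests per (bucket, source IP, requester),
    flag sources at or above `threshold`, and estimate the charge those rejected
    requests would incur at the quoted PUT price."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only failed writes matter here: they cost the bucket owner money
        # while storing nothing, which is the scenario the post describes.
        if rec["operation"].startswith("REST.PUT.") and rec["status"] == "403":
            counts[(rec["bucket"], rec["ip"], rec["requester"])] += 1
    flagged = {src: n for src, n in counts.items() if n >= threshold}
    total = sum(counts.values())
    return {"denied_puts": total, "flagged_sources": flagged,
            "est_cost_usd": total / 1000 * PRICE_PER_1000_PUTS}


if __name__ == "__main__":
    print(denied_write_report(SAMPLE_LOG))
```

In practice the same counting would run over the bucket's real server access logs or CloudTrail data events, with the threshold set from the bucket's normal write rate.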
Replies (4)
@davidcelis oof that sucks, glad they canceled his bill. technically u could put the s3 in a vpc, or put it behind api gateway and set up endpoint protection with auth types specified by AWS, which will prevent u from being charged for api calls from ddos attacks/unauthorized access. but ya annoying this is so not transparent and convoluted
@zero_tea huh, the author seems to think that there's no kind of protection to prevent this:
> You can't protect your bucket with services like CloudFront or WAF when it's being accessed directly through the S3 API
you'd have to completely disable S3 API access for the bucket; is that actually possible? i figured the only available protections would just cause S3 API access to do something like return a 401, which you'd still get charged for?
@zero_tea also i'm glad they cancelled his bill but the fact that they explicitly said it was an exception rather than revisiting that ridiculous billing practice... they know exactly what they're doing
@davidcelis hahaha haha ha haha ha