David Celis

Lesson 1: Anyone who knows the name of any of your S3 buckets can ramp up your AWS bill as they like.

Other than deleting the bucket, there’s nothing you can do to prevent it. Standard S3 PUT requests are priced at just $0.005 per 1,000 requests, but a single machine can easily execute thousands of such requests per second.

I’m absolutely flabbergasted that this is okay. How is this okay???

How an empty S3 bucket can make your AWS bill explode

Imagine you create an empty, private AWS S3 bucket in a region of your preference. What will your AWS bill be the next morning?
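
Added example, not from the post or the linked article: a small Python script that runs over S3 server access log lines (constructed here, with a hypothetical bucket name and addresses) to count rejected PUT requests per bucket, attribute them to source IPs, and price them at the $0.005 per 1,000 figure quoted above. It is the kind of check a bucket owner would want in place to notice this early rather than on the next morning's bill.

```python
import re
from collections import Counter

# Price quoted in the post: $0.005 per 1,000 S3 PUT requests.
PUT_PRICE_PER_1000 = 0.005

# Constructed sample S3 server access log lines (hypothetical traffic and a
# hypothetical bucket name, not from the page). Field order follows the S3
# server access log format; trailing fields are abbreviated with '-'.
SAMPLE_LOG = """\
OWNER my-private-bucket [28/Apr/2024:10:00:01 +0000] 198.51.100.7 - R1 REST.PUT.OBJECT backup.tgz "PUT /backup.tgz HTTP/1.1" 403 AccessDenied - - 12 - "-" "aws-cli/2.15" - - SigV4 - AuthHeader my-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNER my-private-bucket [28/Apr/2024:10:00:01 +0000] 198.51.100.7 - R2 REST.PUT.OBJECT backup.tgz "PUT /backup.tgz HTTP/1.1" 403 AccessDenied - - 11 - "-" "aws-cli/2.15" - - SigV4 - AuthHeader my-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNER my-private-bucket [28/Apr/2024:10:00:02 +0000] 198.51.100.7 - R3 REST.PUT.OBJECT backup.tgz "PUT /backup.tgz HTTP/1.1" 403 AccessDenied - - 10 - "-" "aws-cli/2.15" - - SigV4 - AuthHeader my-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNER my-private-bucket [28/Apr/2024:10:00:02 +0000] 203.0.113.9 - R4 REST.PUT.OBJECT x.bin "PUT /x.bin HTTP/1.1" 403 AccessDenied - - 9 - "-" "python-requests/2.31" - - SigV4 - AuthHeader my-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNER my-private-bucket [28/Apr/2024:10:00:05 +0000] 192.0.2.44 OWNER R5 REST.GET.OBJECT readme.txt "GET /readme.txt HTTP/1.1" 200 - 512 512 8 7 "-" "aws-sdk-go/1.50" - - SigV4 - AuthHeader my-private-bucket.s3.amazonaws.com TLSV1.2 - -
"""

# Tokens are bracketed timestamps, quoted strings, or bare words.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_line(line):
    """Pull bucket, source IP, operation, status and error code out of one log line."""
    f = _TOKEN.findall(line)
    return {"bucket": f[1], "ip": f[3], "op": f[6], "status": int(f[9]), "error": f[10]}

def denied_put_report(log_text):
    """Per bucket: how many PUTs were denied, from where, and what they cost at the quoted price."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["op"] != "REST.PUT.OBJECT" or e["status"] != 403:
            continue  # only the requests the post is about: rejected writes that are still billed
        r = report.setdefault(e["bucket"], {"denied_puts": 0, "sources": Counter()})
        r["denied_puts"] += 1
        r["sources"][e["ip"]] += 1
    for r in report.values():
        r["estimated_cost_usd"] = r["denied_puts"] / 1000 * PUT_PRICE_PER_1000
    return report

def projected_daily_cost(requests_per_second):
    """Bill for a full day of denied PUTs arriving at a steady rate."""
    return requests_per_second * 86400 / 1000 * PUT_PRICE_PER_1000

if __name__ == "__main__":
    for bucket, r in denied_put_report(SAMPLE_LOG).items():
        print(bucket, r["denied_puts"], "denied PUTs, top source", r["sources"].most_common(1))
    print("1,000 denied PUTs/s for a day costs about $%.2f" % projected_daily_cost(1000))
```

In practice the same counts are available as CloudWatch S3 request metrics (4xx errors per bucket), which can drive an alarm instead of a script; the script is just the logic made explicit.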


💬 Replies (4)

@davidcelis oof that sucks, glad they canceled his bill. technically u could put the s3 in a vpc, or put it behind api gateway and set up endpoint protection with auth types specified by AWS, which will prevent u from being charged for api calls from ddos attacks/unauthorized access. but ya annoying this is so not transparent and convoluted 😒

@zero_tea huh, the author seems to think that there's no kind of protection to prevent this:

> You can’t protect your bucket with services like CloudFront or WAF when it’s being accessed directly through the S3 API

you'd have to completely disable S3 API access for the bucket; is that actually possible? i figured the only available protections would just cause S3 API access to do something like return a 401, which you'd still get charged for?

@zero_tea also i'm glad they cancelled his bill but the fact that they explicitly said it was an exception rather than revisiting that ridiculous billing practice... they know exactly what they're doing 😬