Empty S3 bucket makes your AWS bill explode
The article describes how an empty, private AWS S3 bucket produced an unexpectedly large bill because third parties were sending unauthorized requests to it.
It is a cautionary tale about the financial exposure of S3 specifically and about the need to understand how AWS bills requests, not just storage, before assuming that a locked-down, empty resource costs nothing.
📌Unexpected High Costs: The author experienced a sudden spike in his AWS bill, amounting to over $1,300, due to nearly 100,000,000 S3 PUT requests executed within a single day on an empty S3 bucket he had set up for testing.
📌Source of Requests: AWS does not record individual S3 requests by default, so the author had to enable CloudTrail logging for the bucket (S3 data events) before he could see who was calling it. The logs showed that misconfigured systems belonging to other parties were trying to store their data in his private bucket. (Caveat for anyone repeating this: CloudTrail data events are themselves billed per event, so at this request volume they should be enabled for the diagnosis window only; S3 server access logs are an alternative that costs only the storage of the log objects.)
📌Billing for Unauthorized Requests: At the time, AWS charged the bucket owner for every incoming request, including ones that were rejected with 403 Access Denied. AWS support confirmed this to the author: the bucket owner paid for incoming requests whether or not the caller was authorized.
📌Prevention and Protection: The article finds no straightforward way to stop the charges other than deleting the bucket. Requests sent directly to the S3 API endpoint cannot be fronted by CloudFront or AWS WAF, so a bucket policy can deny the requests but cannot stop them from being counted. Because bucket names are global, a short or guessable name is what attracts other people's misconfigured clients in the first place; a non-predictable name reduces the chance of receiving such traffic at all.
📌AWS Investigation: Following the incident, AWS began investigating the issue, as indicated by a tweet from Jeff Barr, a prominent AWS evangelist. This suggests that AWS is aware of the potential for such problems and may be considering ways to address them.
AWS response:
📌No Charge for Unauthorized Error Responses: Amazon S3 no longer bills the bucket owner for HTTP 403 (Access Denied) responses, and for a documented set of other 3xx and 4xx error responses, when the request was initiated from outside the owner's AWS account or AWS Organization.
📌Effective Date: The change took effect on the day it was announced, May 13, 2024.
📌Customer Impact: A bucket owner can no longer be run up a bill by strangers or bots spraying requests at a bucket name that happens to be theirs; the denied requests simply stop counting.
📌Error Codes Covered:
📌📌403 Forbidden (Access Denied) is the headline case, since that is what an unauthorized PUT against a private bucket returns.
📌📌The full list of 3xx and 4xx codes that are no longer billed is maintained in the S3 User Guide under "Billing for Amazon S3 error responses". Successful (2xx) requests, and error responses to callers inside the owner's own account or Organization, are still billed.
📌Rationale: AWS framed the change as part of making S3 pricing predictable, closing a gap in which costs were driven by traffic the owner neither sent nor could block.
The purpose of Amazon S3 no longer charging for several HTTP error codes is to address a billing issue that could potentially lead to unexpectedly high costs for customers. Specifically:
📌Previously, S3 bucket owners were charged for requests that returned HTTP 4xx (client error) responses, even if those requests were unauthorized and not initiated by the bucket owner.
📌This meant that if an attacker or bot made a large number of unauthorized requests to an S3 bucket, the bucket owner would be billed for those 4xx error responses, potentially leading to a massive, unexpected bill.
📌After public outcry over this billing model, which was seen as unfair to customers, Amazon announced a change on May 13, 2024.
📌With this change, bucket owners will no longer incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error if those requests were initiated from outside their AWS account or AWS Organization.
📌The specific HTTP error codes that will no longer be charged include 4xx Client Errors (e.g. 404 Not Found, 403 Forbidden) and some 3xx Redirection codes when the requests are unauthorized.
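The two practical questions in this write-up are "who is sending these requests?" (the CloudTrail triage in the case study) and "which of them still cost me money?" (the post-May-2024 rule described above). The Python below is an added example, not code from the article or from AWS: it parses a CloudTrail log file, aggregates denied S3 calls by source, and applies the billing rule to show what the same traffic costs before and after the change. The CloudTrail field names follow the documented record format; the records themselves are constructed, the account IDs, IPs and bucket name are placeholders, and the set of in-Organization accounts is passed in explicitly because CloudTrail records do not carry Organization membership.

```python
import json
from collections import Counter

# Constructed CloudTrail S3 data-event sample (placeholder IDs, not real traffic).
OWNER_ACCOUNT = "999999999999"          # the bucket owner's account (assumed)
BUCKET = "example-empty-bucket"         # placeholder bucket name


def _rec(event, ip, account, agent, error=None):
    """Build one CloudTrail-shaped record with only the fields the triage uses."""
    r = {
        "eventSource": "s3.amazonaws.com",
        "eventName": event,
        "sourceIPAddress": ip,
        "userAgent": agent,
        # "anonymous" mirrors how CloudTrail reports unauthenticated S3 calls
        "userIdentity": {"type": "AWSAccount", "accountId": account},
        "recipientAccountId": OWNER_ACCOUNT,
        "requestParameters": {"bucketName": BUCKET, "key": "backup/part-0001"},
    }
    if error:
        # CloudTrail stores the S3 error code, not the HTTP status; AccessDenied is the 403 case
        r["errorCode"] = error
    return r


SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _rec("PutObject", "203.0.113.10", "111111111111", "aws-sdk-go/1.44.0", "AccessDenied"),
    _rec("PutObject", "203.0.113.10", "111111111111", "aws-sdk-go/1.44.0", "AccessDenied"),
    _rec("PutObject", "203.0.113.10", "111111111111", "aws-sdk-go/1.44.0", "AccessDenied"),
    _rec("PutObject", "198.51.100.7", "anonymous", "curl/8.4.0", "AccessDenied"),
    _rec("PutObject", "192.0.2.44", OWNER_ACCOUNT, "aws-cli/2.15.0", "AccessDenied"),  # owner, explicit Deny
    _rec("GetObject", "192.0.2.44", OWNER_ACCOUNT, "aws-cli/2.15.0"),                 # owner, succeeded
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",            # not an S3 event
     "sourceIPAddress": "192.0.2.44", "userIdentity": {"accountId": OWNER_ACCOUNT}},
]})


def s3_records(blob):
    """Parse a CloudTrail log file and keep only S3 events."""
    return [r for r in json.loads(blob)["Records"] if r.get("eventSource") == "s3.amazonaws.com"]


def is_denied(rec):
    return rec.get("errorCode") == "AccessDenied"


def is_external(rec, owner_account, org_accounts=frozenset()):
    """True when the caller is neither the owner's account nor an account in its Organization.
    Anonymous callers (no account ID) are external by definition."""
    caller = rec.get("userIdentity", {}).get("accountId")
    return caller not in ({owner_account} | set(org_accounts))


def top_denied_callers(records, n=5):
    """Who generates the denied requests: (source IP, account, user agent) -> count."""
    counts = Counter(
        (r.get("sourceIPAddress"),
         r.get("userIdentity", {}).get("accountId", "anonymous"),
         r.get("userAgent", "-"))
        for r in records if is_denied(r)
    )
    return counts.most_common(n)


def billable(rec, owner_account, org_accounts=frozenset(), after_may_2024=True):
    """Before the change every request was billed to the bucket owner. After it, a 403 to a
    caller outside the owner's account/Organization is free; a denied call from inside the
    owner's own account (e.g. hitting an explicit Deny) and every non-error request still cost."""
    if after_may_2024 and is_denied(rec) and is_external(rec, owner_account, org_accounts):
        return False
    return True


def billing_summary(records, owner_account, org_accounts=frozenset()):
    ext = [r for r in records if is_denied(r) and is_external(r, owner_account, org_accounts)]
    internal = [r for r in records if is_denied(r) and not is_external(r, owner_account, org_accounts)]
    return {
        "s3_requests": len(records),
        "denied_external": len(ext),
        "denied_internal": len(internal),
        "billed_before_change": sum(billable(r, owner_account, org_accounts, False) for r in records),
        "billed_after_change": sum(billable(r, owner_account, org_accounts) for r in records),
    }


if __name__ == "__main__":
    recs = s3_records(SAMPLE_CLOUDTRAIL)
    for (ip, account, agent), n in top_denied_callers(recs):
        print(f"{n:>4}  ip={ip:<15} account={account:<14} ua={agent}")
    print(billing_summary(recs, OWNER_ACCOUNT))
```

Running it on the sample shows the shape of the original incident in miniature: one caller (`203.0.113.10`, a foreign account running an SDK) dominates the denied PUTs, all six S3 requests were billable under the old rule, and only two remain billable under the new one, namely the owner's own successful GET and the owner's own denied PUT. That last case is the caveat worth remembering: the waiver is keyed on where the request comes from, not on the 403 itself, so a misconfigured workload inside your own account or Organization that gets denied still runs up request charges. To triage real data, point `s3_records` at the gzipped CloudTrail files in your trail's S3 prefix instead of `SAMPLE_CLOUDTRAIL`.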