A truly alarming tale where bad luck in choosing a bucket name resulted in a usage bill of over $1,300. All of it coming from unauthorized requests!
So, if I were to open my terminal now and type:
aws s3 cp ./file.txt s3://your-bucket-name/random_key
I would receive an AccessDenied error, but you would be the one to pay for that request. And I don’t even need an AWS account to do so.
Another question was bugging me: why was over half of my bill coming from the us-east-1 region? I didn’t have a single bucket there! The answer to that is that the S3 requests without a specified region default to us-east-1 and are redirected as needed. And the bucket’s owner pays extra for that redirected request.
— Maciej Pocwierz, How an empty S3 bucket can make your AWS bill explode
The cause turns out to be that the bucket name happened to overlap with an open source application’s default configuration. So every company or individual deploying that app without updating the settings would end up trying to send write updates to his bucket!
At that point, I had one more idea I wanted to explore. If all those misconfigured systems were attempting to back up their data into my S3 bucket, why not just let them do so? I opened my bucket for public writes and collected over 10GB of data within less than 30 seconds. Of course, I can’t disclose whose data it was. But it left me amazed at how an innocent configuration oversight could lead to a dangerous data leak!
Per Amazon’s Jeff Barr, AWS is working on a way to prevent these types of overages from unauthorized write requests:
Thank you to everyone who brought this article to our attention. We agree that customers should not have to pay for unauthorized requests that they did not initiate. We’ll have more to share on exactly how we’ll help prevent these charges shortly.
But in the meantime, anyone can DDoS your bill if they know the name of your S3 bucket!
Keep it secret. Keep it safe.
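For the detection side of this story, here is an added example (not code from the original article or from AWS) that parses S3 server access log records and summarises the denied requests, which are exactly the ones billed to the bucket owner despite the AccessDenied response. It assumes the documented S3 server access log field layout and that server access logging is already enabled on the bucket; the owner id, bucket name, addresses and log lines are constructed.

```python
import re
from collections import Counter

# Regex for the leading fields of an S3 server access log record (layout per AWS
# docs): bucket owner, bucket, [time], remote IP, requester ("-" = anonymous),
# request ID, operation, key, "request-URI", HTTP status, error code.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+)'
)

# Constructed sample records (hypothetical owner, bucket and addresses), mimicking
# anonymous PUTs from misconfigured clients that all target the same default key.
SAMPLE_LOG = """\
owner123 your-bucket-name [29/Apr/2024:10:00:01 +0000] 203.0.113.7 - R1 REST.PUT.OBJECT backups/db.sql "PUT /backups/db.sql HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-cli/2.15.0"
owner123 your-bucket-name [29/Apr/2024:10:00:02 +0000] 198.51.100.9 - R2 REST.PUT.OBJECT backups/db.sql "PUT /backups/db.sql HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-sdk-java/1.12"
owner123 your-bucket-name [29/Apr/2024:10:00:03 +0000] 203.0.113.7 - R3 REST.PUT.OBJECT backups/db.sql "PUT /backups/db.sql HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-cli/2.15.0"
owner123 your-bucket-name [29/Apr/2024:10:00:04 +0000] 192.0.2.20 owner123 R4 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 1024 1024 12 8 "-" "S3Console/0.4"
owner123 your-bucket-name [29/Apr/2024:10:00:05 +0000] 198.51.100.9 - R5 REST.PUT.OBJECT backups/app.tar "PUT /backups/app.tar HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-sdk-java/1.12"
"""


def parse_records(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def unauthorized_summary(text, alert_ratio=0.5):
    """Summarise denied requests, which S3 still bills to the bucket owner."""
    records = parse_records(text)
    denied = [r for r in records
              if r["status"] == "403" and r["error"] == "AccessDenied"]
    ratio = len(denied) / len(records) if records else 0.0
    return {
        "total": len(records),
        "denied_total": len(denied),
        "anonymous": sum(1 for r in denied if r["requester"] == "-"),
        "by_operation": dict(Counter(r["op"] for r in denied)),
        "by_source_ip": dict(Counter(r["ip"] for r in denied)),
        # Many sources hitting the same key suggests a shared default config
        "top_keys": dict(Counter(r["key"] for r in denied).most_common(3)),
        "alert": ratio >= alert_ratio,
    }


if __name__ == "__main__":
    for field, value in unauthorized_summary(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

A high share of anonymous AccessDenied PUTs against the same key from many different addresses is the signature of a bucket name colliding with some application's default configuration, as in the story above.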