AWS S3 Billing Shock: How Empty Buckets Can Explode Your Costs and What You Need to Know

Have you ever experienced a shock like the one in the dashboard above? Good news for you.

Amazon S3 announced some good news in 2024, and as the year ends I would like to remind you about it, because it adds a lot of value for customers when it comes to cost, security and operational excellence. AWS stopped charging customers for certain types of failed S3 requests, specifically those made when unauthorized parties try to access your storage. In AWS S3 billing, unauthorized S3 requests remain a challenge for AWS cost optimization, and this article explains how to add one more S3 security best practice to your kit. This is particularly important because of a recent incident in which someone discovered a pretty serious billing problem. Here is the blog: https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1

Summary of the blog mentioned above, if you want to save time or do not have access to it:

Someone created a private storage container (called an S3 bucket) and suddenly got hit with a $1,300 bill even though they weren’t really using it! This happened because some popular software tool was accidentally configured to try storing backups in their bucket. Even though these attempts were rejected because they weren’t authorized, AWS was still charging the bucket owner for all these failed attempts.

Think of it like this: imagine if people kept trying to deliver packages to your house by mistake, and you had to pay a fee for each failed delivery attempt, even though you never asked for those packages! That’s basically what was happening. The good news is that AWS is now changing this policy, and starting May 2024, they won’t charge bucket owners for these kinds of unauthorized access attempts anymore. This change will happen automatically, and you don’t need to do anything to get this benefit.

This is especially relevant because it addresses a real problem that was causing unexpected charges for AWS customers, and shows how AWS is responding to improve their service based on customer experiences.

1. Potential Measures to Protect Bucket Owners

AWS has already implemented a significant measure to address this issue. As of May 13, 2024, Amazon S3 no longer charges for unauthorized requests that customers did not initiate. See the announcement: https://aws.amazon.com/about-aws/whats-new/2024/08/amazon-s3-no-charges-several-http-error-codes/

Specifically:

  • Bucket owners will not incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their AWS account or AWS Organization.
  • This change applies to all S3 buckets and requires no modifications to customer applications.

Additional measures AWS could consider implementing include:

  • Improved monitoring and alerting systems to detect unusual patterns of unauthorized requests.
  • Enhanced logging capabilities to provide more detailed information about the source of unauthorized requests.
  • Implementation of intelligent rate limiting specifically for unauthorized requests.

2. The Problematic Open-Source Tool

The actual name of the open-source tool is not disclosed in the blog post or search results for security reasons. The author states that revealing the name could put impacted companies at risk of data leaks. Without this information, it’s impossible to determine how many existing deployments might still be affected by the default configuration issue.

3. Rate Limiting for Unauthorized Requests

While there isn’t a specific feature mentioned for rate limiting unauthorized requests to S3 buckets, AWS does offer some throttling capabilities:

  • You can use Amazon CloudFront as a content delivery network (CDN) in front of your S3 bucket to implement throttling.
  • API Gateway allows for throttling requests to your APIs, which could be used in conjunction with S3 access.

However, these solutions may not directly address the issue of unauthorized requests to S3 buckets.

4. Prevalence and Proactive Identification

To proactively identify if their buckets are being targeted, AWS customers can:

  • Enable AWS CloudTrail or S3 Server Access Logging to monitor requests to their S3 buckets.
  • Regularly review their AWS billing and usage reports for unexpected spikes in S3 requests or data transfer.
  • Implement best practices for S3 bucket naming, such as adding random suffixes to reduce vulnerability to misconfigured systems or intentional attacks.
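The first two bullets above (enable S3 server access logging, then watch for spikes) can be automated. The following is an added example written for this article, not code from the original post or from AWS: it parses S3 server access log lines (field positions follow AWS's documented log format), counts HTTP 403 responses per bucket, requester and source IP, and flags sources above a threshold so you can confirm, independently of the bill, whether a bucket is being hammered by a misconfigured client. The log lines and the threshold of 3 are constructed for the demo.

```python
import re
from collections import Counter

# S3 server access log tokenizer: the bracketed timestamp and the quoted
# request line / referrer / user agent are single fields; all else is
# whitespace-separated.
_FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_access_log_line(line):
    """Extract the fields needed here from one S3 server access log line."""
    f = _FIELD.findall(line)
    if len(f) < 11:          # malformed or truncated line: skip it
        return None
    return {
        "bucket": f[1],
        "time": f[2].strip("[]"),
        "remote_ip": f[3],
        "requester": f[4],   # canonical ID / IAM ARN, or '-' when unauthenticated
        "operation": f[6],
        "status": int(f[9]),
        "error_code": f[10], # e.g. AccessDenied, or '-' on success
    }

def summarize_denied(lines, threshold=3):
    """Count 403s per (bucket, requester, IP); flag sources at or over threshold."""
    denied = Counter()
    for line in lines:
        rec = parse_access_log_line(line)
        if rec and rec["status"] == 403:
            denied[(rec["bucket"], rec["requester"], rec["remote_ip"])] += 1
    flagged = {key: n for key, n in denied.items() if n >= threshold}
    return denied, flagged

# Constructed sample: an unauthenticated backup client retrying PUTs against a
# private bucket (three denials from one IP), one stray denial, one owner GET.
SAMPLE_LOG = """\
OWNER_ID my-private-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.3 - REQ1 REST.PUT.OBJECT backups/db.tar "PUT /backups/db.tar HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "backup-tool/1.0" -
OWNER_ID my-private-bucket [06/Feb/2024:00:00:39 +0000] 192.0.2.3 - REQ2 REST.PUT.OBJECT backups/db.tar "PUT /backups/db.tar HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "backup-tool/1.0" -
OWNER_ID my-private-bucket [06/Feb/2024:00:00:40 +0000] 192.0.2.3 - REQ3 REST.PUT.OBJECT backups/db.tar "PUT /backups/db.tar HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "backup-tool/1.0" -
OWNER_ID my-private-bucket [06/Feb/2024:00:01:02 +0000] 198.51.100.7 - REQ4 REST.GET.OBJECT secret.txt "GET /secret.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -
OWNER_ID my-private-bucket [06/Feb/2024:00:02:10 +0000] 203.0.113.9 OWNER_ID REQ5 REST.GET.OBJECT report.csv "GET /report.csv HTTP/1.1" 200 - 1024 1024 12 9 "-" "aws-cli/2.0" -
"""

if __name__ == "__main__":
    totals, suspects = summarize_denied(SAMPLE_LOG.splitlines())
    for (bucket, requester, ip), n in suspects.items():
        print(f"{bucket}: {n} x 403 from {ip} (requester {requester})")
```

In production, point the same functions at the log objects S3 delivers to your logging bucket and alert on the flagged entries, which are the unbilled 403s the May 2024 change covers only when they originate outside your account.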

In conclusion, while AWS has taken steps to address the issue of charging for unauthorized requests, customers should remain vigilant and implement best practices to protect their S3 buckets and monitor for unusual activity.

More articles by Shailesh Mishra