A Costly Mistake: How an Empty S3 Bucket Led to a Massive AWS Bill

by Esmeralda McKenzie

AWS Customer Faces Big Bill Due to Open-Source Tool Misconfiguration.

In a startling incident, an AWS customer faced a staggering $1,300 invoice for S3 usage, despite having created only a single, empty bucket for trying out features.

The culprit? A popular open-source tool with a default configuration that stored backups in the customer's S3 bucket, resulting in a deluge of unauthorized requests.

The customer, who remained anonymous, shared their experience in a detailed blog post, shedding light on the unexpected costs and potential security risks associated with misconfigured tools and S3 bucket naming conventions.

The Surprising Bill

After creating a private S3 bucket in the eu-west-1 region for a proof-of-concept document indexing system, the customer was alarmed to see nearly 100,000,000 S3 PUT requests executed within a single day, resulting in a bill exceeding $1,300.

The Root Cause: Misconfigured Open-Source Tool

Upon investigation, the customer discovered that a popular open-source tool had a default configuration that used the same bucket name as their private S3 bucket for storing backups.

As a result, every deployment of this tool with the default configuration attempted to store its backups in the customer's bucket, resulting in an enormous influx of unauthorized requests.

In a response from AWS Support, the customer learned that S3 charges for unauthorized requests (4xx errors) as well, even though the requests are denied.

This meant that the customer was liable for paying for all of the unauthorized requests made to their bucket.

In a concerning experiment, the customer briefly made their bucket publicly writable and collected over 10GB of data within 30 seconds.

“Turns out, one of the most popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used… the same name that I used for my bucket. This meant that every deployment of this tool with default configuration values tried to store its backups in my S3 bucket!” the user wrote in the blog post.

This highlighted the potential for data leaks and security breaches when misconfigured systems attempt to write data to unintended S3 buckets.

Lessons Learned

The incident underscored several essential lessons:

  1. Bucket Naming Conventions: Adding random suffixes to S3 bucket names can improve security by reducing exposure to misconfigured systems or intentional attacks.
  2. Specifying AWS Regions: When making many requests to S3, explicitly specifying the AWS region avoids additional charges from S3 API redirects.
  3. Unauthorized Request Charges: AWS charges for unauthorized requests even when they are denied, which can lead to unexpected costs if not properly monitored.
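Lessons 1 and 3 in code, as an added example that is not from the article or the blog post it summarizes: a generator for bucket names with a random suffix, and a detector that counts denied (4xx) requests per source in S3 server access logs so a flood like the one above shows up before the invoice does. The log records are constructed samples, only the leading fields of the server access log layout are parsed, and the flood threshold is an arbitrary assumption.

```python
import re
import secrets
from collections import Counter

# Leading fields of an S3 server access log record (trailing fields ignored):
# owner bucket [time] remote_ip requester request_id operation key "request-uri" status error_code
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)'
)

# Constructed sample records: documentation-range IPs, made-up IDs and user agents.
SAMPLE_LOG = """\
OWNERID mybucket [06/Feb/2019:00:00:38 +0000] 198.51.100.7 - REQ1 REST.PUT.OBJECT backup/1.tgz "PUT /mybucket/backup/1.tgz HTTP/1.1" 403 AccessDenied - 0 1024 12 - "-" "aws-sdk-go/1.0"
OWNERID mybucket [06/Feb/2019:00:00:39 +0000] 198.51.100.7 - REQ2 REST.PUT.OBJECT backup/2.tgz "PUT /mybucket/backup/2.tgz HTTP/1.1" 403 AccessDenied - 0 1024 12 - "-" "aws-sdk-go/1.0"
OWNERID mybucket [06/Feb/2019:00:00:40 +0000] 198.51.100.7 - REQ3 REST.PUT.OBJECT backup/3.tgz "PUT /mybucket/backup/3.tgz HTTP/1.1" 403 AccessDenied - 0 1024 12 - "-" "aws-sdk-go/1.0"
OWNERID mybucket [06/Feb/2019:00:00:41 +0000] 203.0.113.9 OWNERID REQ4 REST.GET.OBJECT index.json "GET /mybucket/index.json HTTP/1.1" 200 - 512 512 8 7 "-" "boto3/1.34"
OWNERID mybucket [06/Feb/2019:00:00:42 +0000] 203.0.113.9 - REQ5 REST.PUT.OBJECT backup/x.tgz "PUT /mybucket/backup/x.tgz HTTP/1.1" 403 AccessDenied - 0 1024 12 - "-" "aws-sdk-go/1.0"
"""


def denied_requests(log_text):
    """Count 4xx responses per (remote IP, operation). These are billed even though denied."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status").startswith("4"):
            counts[(m.group("ip"), m.group("operation"))] += 1
    return counts


def flag_floods(log_text, threshold):
    """Return (ip, operation) pairs whose denied-request count reaches the threshold."""
    return sorted(src for src, n in denied_requests(log_text).items() if n >= threshold)


# S3 bucket name rules: 3-63 chars, lowercase letters, digits, dots and hyphens,
# alphanumeric at both ends, not shaped like an IPv4 address, no adjacent dots.
BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def unguessable_bucket_name(prefix, entropy_bytes=8):
    """Append a random hex suffix so a tool's placeholder bucket name cannot collide with ours."""
    name = f"{prefix.lower()}-{secrets.token_hex(entropy_bytes)}"
    if not BUCKET_RE.match(name) or ".." in name:
        raise ValueError(f"invalid S3 bucket name: {name}")
    return name
```

Against the sample log, a threshold of 2 flags only the source that sent three denied PUTs; in production the same count would come from CloudWatch's 4xxErrors metric or a billing alarm rather than a text file.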

Suggestions

The customer reported the issue to the maintainers of the vulnerable open-source tool, who promptly fixed the default configuration. However, existing deployments may still be affected.

AWS was notified, but was unwilling to address misconfigurations of third-party products. The customer also tried to contact the companies whose data had ended up in their bucket, but received no response.

Ultimately, AWS cancelled the customer's S3 bill as an exception, but emphasized that such exceptions are not guaranteed.

This incident is a cautionary tale for AWS customers to carefully monitor their S3 usage, implement secure bucket naming conventions, and be aware of the potential costs and security risks associated with misconfigured tools and unauthorized requests.

Source credit : cybersecuritynews.com