
PSA on Amazon S3 Bucket Storage Security (being fixed by AWS now)

    Posted 05-10-2024 12:34 PM
    Edited by Hudson Harper 05-11-2024 08:56 PM

    There was an interesting article on how an AWS S3 user was charged $1300 for an empty storage bucket. The short version is that unauthorized requests to an S3 bucket (even private ones!) charge the owner of the bucket ($0.005/1000 requests). What this highlights is that up until AWS fixes this, which they're working on, a bad actor who knows or can guess the name of your S3 bucket can run up your bill by writing a bash script that spams your bucket.

    If you use AWS for storage, you probably won't be able to transfer/rename things before the issue is fixed. However, I found this story to be a good reminder to use strong naming conventions (some suggested in the article) for your cloud assets that can be accessed via URL (again, even private ones!) and NEVER share IDs publicly. Also, in any cloud environment, make sure you set up billing alerts and budgets with enforcement policies. All the major players AWS, Azure, and GCP have some sort of mechanism for notifying and/or shutting things down if costs reach a certain level.


    Hudson Harper
    The Downtown School
    Seattle WA
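The pricing point in the post can be checked against your own S3 server access logs: every request that reaches the bucket is a log record, whether or not it was authorized. The script below is an added example, not code from the original post or from AWS; it parses a few constructed access-log records, counts denied (HTTP 403) requests per source IP, applies the $0.005 per 1,000 requests rate quoted in the post to estimate what those records cost, and projects what a sustained request rate would cost. The bucket name, IPs, request IDs and log lines are all made up, and the regex covers only the leading fields of the documented access-log format, which is all this check needs.

```python
"""Estimate what request spam against a private S3 bucket costs, from
S3 server access log records. Example code; sample records are constructed."""
import re
from collections import Counter

# Per-request rate quoted in the post (USD per 1,000 requests). Denied
# requests were billed at this rate too, which is the whole problem.
PRICE_PER_1000_REQUESTS = 0.005

# Leading fields of an S3 server access log record:
# owner bucket [time] ip requester request-id operation key "uri" status error ...
# Keys are URL-encoded in the log, so \S+ is safe for the key field.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)'
)

# Constructed sample: four anonymous PUTs denied from one IP, one denied
# request from an authenticated principal, one legitimate GET.
SAMPLE_LOG = """\
OWNERIDEXAMPLE example-private-bucket [10/May/2024:12:00:01 +0000] 198.51.100.7 - REQID0001EXAMPLE REST.PUT.OBJECT junk1.bin "PUT /junk1.bin HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= - - - example-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNERIDEXAMPLE example-private-bucket [10/May/2024:12:00:01 +0000] 198.51.100.7 - REQID0002EXAMPLE REST.PUT.OBJECT junk2.bin "PUT /junk2.bin HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= - - - example-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNERIDEXAMPLE example-private-bucket [10/May/2024:12:00:02 +0000] 198.51.100.7 - REQID0003EXAMPLE REST.PUT.OBJECT junk3.bin "PUT /junk3.bin HTTP/1.1" 403 AccessDenied 243 - 13 - "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= - - - example-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNERIDEXAMPLE example-private-bucket [10/May/2024:12:00:02 +0000] 198.51.100.7 - REQID0004EXAMPLE REST.PUT.OBJECT junk4.bin "PUT /junk4.bin HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= - - - example-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNERIDEXAMPLE example-private-bucket [10/May/2024:12:00:05 +0000] 203.0.113.9 AIDAEXAMPLEUSERID REQID0005EXAMPLE REST.GET.OBJECT secret.txt "GET /secret.txt HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "aws-sdk-go/1.50.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-private-bucket.s3.amazonaws.com TLSV1.2 - -
OWNERIDEXAMPLE example-private-bucket [10/May/2024:12:00:09 +0000] 192.0.2.3 AIDAEXAMPLEOWNERID REQID0006EXAMPLE REST.GET.OBJECT report.pdf "GET /report.pdf HTTP/1.1" 200 - 52114 52114 31 14 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-private-bucket.s3.amazonaws.com TLSV1.2 - -
"""


def parse_record(line):
    """Return the fields this check needs, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "-" in the requester field means the request carried no credentials.
    rec["anonymous"] = rec["requester"] == "-"
    return rec


def summarize(lines):
    """Count requests, denied requests (403), and estimate what was billed."""
    total = denied = anonymous_denied = 0
    denied_by_ip = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        total += 1
        if rec["status"] == 403:
            denied += 1
            denied_by_ip[rec["ip"]] += 1
            if rec["anonymous"]:
                anonymous_denied += 1
    return {
        "total": total,
        "denied": denied,
        "anonymous_denied": anonymous_denied,
        "denied_by_ip": denied_by_ip,
        # Every logged request is billed, allowed or not.
        "billed_usd": total * PRICE_PER_1000_REQUESTS / 1000,
    }


def flag_sources(summary, min_denied):
    """IPs with at least min_denied denied requests, busiest first."""
    return [ip for ip, n in summary["denied_by_ip"].most_common() if n >= min_denied]


def projected_usd(requests_per_second, hours):
    """Cost of a sustained request rate at the quoted per-request price."""
    return requests_per_second * 3600 * hours * PRICE_PER_1000_REQUESTS / 1000


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"requests={s['total']} denied={s['denied']} "
          f"anonymous_denied={s['anonymous_denied']} billed=${s['billed_usd']:.6f}")
    print("suspicious sources:", flag_sources(s, min_denied=3))
    print(f"1,000 req/s for 24h would bill about ${projected_usd(1000, 24):.2f}")
```

On the constructed sample the six records cost a fraction of a cent, which is the point: nothing in a single log line looks alarming, and the bill only becomes visible in aggregate, so pair a check like this with the budget alerts the post recommends rather than relying on either alone.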