AWS S3 and an invoice of more than $1,000 on the second day after creating a bucket

Post from an AWS S3 user who, on the second day, received an invoice for $1,000 for a bucket that was empty.
Apparently the problem lies mainly in the calls to the bucket, which incur a cost; in this case the user created a bucket with a name like “bucket-crap”, and that name happened to be the default in an application that is apparently widely used by companies.
However, all this revealed that the service could have a serious problem, since it allows what is now being called “DoW” (“Denial of Wallet”): any malicious user who knows the name of a bucket could make thousands of calls to it and run up an enormous cost, because even without access to the bucket, calls to it generate a cost even when they are denied.

Detailed information in:


It appears AWS is looking into it:

I don’t think we’ve had a report of this happening with Discourse sites using S3 for uploads.


Indeed, I don’t think that’s the case, however it doesn’t hurt to take some precautions.

I guess that’s another reason that using a CDN is recommended, as it makes it harder, at least, to see the bucket name.

Indeed, I saw this as well and much cursing ensued.

Discourse is not designed to obscure the underlying uploads bucket name, and in the intervening days I have been hoping nobody used one of ours.

The worst thing is that even if you observe the attack, there is nothing you can do to stop it.

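What "observing the attack" looks like in practice is a flood of denied requests in the bucket's S3 server access logs. The following is an added example, not code from this thread, from Discourse or from AWS: it parses lines in the documented S3 server access log field order and flags remote IPs whose traffic against the bucket is almost entirely 4xx responses. Before the billing change AWS announced, every one of those requests was charged to the bucket owner. The sample log lines are constructed; the bucket name, account IDs, request IDs, IP addresses and the detection thresholds are assumptions.

```python
"""Flag a Denial-of-Wallet pattern in S3 server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One token per field; "[...]" (timestamp) and "..." (request URI, referer,
# user agent) may contain spaces, so they are matched before plain \S+ runs.
_TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading fields of the S3 server access log format, in documented order.
# Trailing fields (host id, TLS details, access point ARN, ...) are ignored.
FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent",
)


def parse_line(line):
    """Split one access log line into a dict of the leading fields."""
    tokens = [t.strip('"[]') for t in _TOKEN_RE.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("short S3 access log line: %r" % line)
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["http_status"] = int(rec["http_status"])
    return rec


def summarize(lines):
    """Per remote IP: total requests, denied (4xx) requests, operations and error codes seen."""
    per_ip = defaultdict(lambda: {"total": 0, "denied": 0, "ops": Counter(), "errors": Counter()})
    for line in lines:
        rec = parse_line(line)
        stats = per_ip[rec["remote_ip"]]
        stats["total"] += 1
        stats["ops"][rec["operation"]] += 1
        if 400 <= rec["http_status"] < 500:
            stats["denied"] += 1
            stats["errors"][rec["error_code"]] += 1
    return per_ip


def flag_wallet_drain(lines, min_denied=100, min_denied_ratio=0.9):
    """Return IPs whose traffic is overwhelmingly denied requests.

    A source that sends hundreds of 403s against a bucket it cannot access is
    the signature described in the thread: no data moves, but each request is
    billed (under the pre-change pricing). Both thresholds are assumptions.
    """
    flagged = {}
    for ip, s in summarize(lines).items():
        if s["denied"] >= min_denied and s["denied"] / s["total"] >= min_denied_ratio:
            flagged[ip] = {"denied": s["denied"], "total": s["total"],
                           "errors": dict(s["errors"]), "ops": dict(s["ops"])}
    return flagged


def _sample_line(ip, requester, operation, key, status, error, n):
    """Constructed S3 access log line; owner id, bucket name and request ids are invented."""
    return (
        'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 example-uploads-bucket '
        '[03/May/2024:10:%02d:%02d +0000] %s %s REQ%08X %s %s "%s /%s HTTP/1.1" %d %s - - 5 - '
        '"-" "aws-sdk-java/1.12" -'
        % (n // 60 % 60, n % 60, ip, requester, n, operation, key,
           operation.split(".")[1], key, status, error)
    )


SAMPLE_LOG = (
    # Legitimate traffic: the site's role writes a few uploads, a CDN origin pull reads them.
    [_sample_line("203.0.113.10", "arn:aws:iam::111122223333:role/app", "REST.PUT.OBJECT",
                  "original/1X/abc.png", 200, "-", i) for i in range(5)]
    + [_sample_line("198.51.100.7", "-", "REST.GET.OBJECT",
                    "original/1X/abc.png", 200, "-", i) for i in range(5, 25)]
    # A third party's tool hammering the same bucket name with writes it is not allowed to make.
    + [_sample_line("192.0.2.55", "-", "REST.PUT.OBJECT",
                    "backup/part-%d" % i, 403, "AccessDenied", i) for i in range(25, 525)]
)

if __name__ == "__main__":
    for ip, info in flag_wallet_drain(SAMPLE_LOG).items():
        print(ip, info)
```

Run against real logs, the same function points out the offending source, but as the post above says, the bucket owner cannot block that source from being billed for denied requests; the only mitigations available were an unguessable bucket name and not exposing it directly (for example by fronting it with a CDN).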

via Jeff Barr on Twitter: https://x.com/jeffbarr/status/1787844682216792163

Update: S3 engineers are working to make unauthorized requests that customers did not initiate free of charge.

This change will cover a range of HTTP 3xx/4xx status codes, including all of those cited in the article. We’re moving quickly and we plan to share more details this week.
