Billing unauthorized access to S3

AWS allows you to keep your buckets private so that nobody can access them. Since you pay for every access to the bucket, this option is crucial in protecting your money from being wasted by an attacker. Reportedly AWS charges the clients also for UNAUTHORIZED access to their buckets, i.e. when someone knows the name of your private bucket and tries to do PUT requests to it, Amazon will bill you for that. Since signed URLs contain the plain-text names of your private buckets, that feature opens a huge security hole enabling any attacker to inflate your S3 bill.

Therefore I want to ask: is this really true? Is there a clear Amazon statement somewhere in the conditions of their services, in the documentation or elsewhere that clearly states that they DO NOT charge the clients for unauthorized access? This by far does not only hit S3. It may be an issue with any other service. Unauthorized access means that you are defending against that access and therefore you cannot be billed for it. Otherwise such a policy would constitute a security hole.

It is clearly not enough to say that Amazon does not say anything about it. For anyone using Amazon services safely it would be necessary to know that Amazon explicitly states that they do not charge for unauthorized access. Do they? Where?

TomFG, asked 25 days ago, 364 views

4 Answers

Accepted Answer

This issue is now addressed - see https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-s3-no-charge-http-error-codes/

Amazon S3 will make a change so unauthorized requests that customers did not initiate are free of charge. With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their individual AWS account or AWS Organization.

Steve_M (EXPERT), answered 9 days ago
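As an added example (not code from any of the answers above), the billing rules quoted in this thread applied to S3 server access log lines: 5XX responses are never billed, 2XX/3XX/4XX are, and after the May 2024 change a 403 is free when the requester is outside the bucket owner's account. The log lines, the owner's canonical ID and the account ID are constructed; the script treats only the owner's own account as "inside" (Organization membership is not visible in the log), which is an assumption.

```python
import re
from collections import Counter

# Tokenizer for S3 server access log lines: "[time]" and quoted fields may contain spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

OWNER_CANONICAL_ID = "a" * 64      # constructed bucket-owner canonical user ID
OWNER_ACCOUNT_ID = "111122223333"  # constructed account ID; assumed to appear in same-account IAM ARNs
SAME_ACCT = f"arn:aws:iam::{OWNER_ACCOUNT_ID}:user/backup"

# Constructed sample lines (owner, bucket, time, ip, requester, request id, op, key, URI, status, error);
# trailing fields of the real format are omitted because the parser does not use them.
SAMPLE_LOG = "\n".join([
    f'{OWNER_CANONICAL_ID} pb [01/May/2024:10:00:01 +0000] 192.0.2.10 - R1 REST.PUT.OBJECT j/1 "PUT /j/1 HTTP/1.1" 403 AccessDenied',
    f'{OWNER_CANONICAL_ID} pb [01/May/2024:10:00:02 +0000] 192.0.2.10 - R2 REST.PUT.OBJECT j/2 "PUT /j/2 HTTP/1.1" 403 AccessDenied',
    f'{OWNER_CANONICAL_ID} pb [01/May/2024:10:00:03 +0000] 198.51.100.7 {SAME_ACCT} R3 REST.GET.OBJECT d/x "GET /d/x HTTP/1.1" 200 -',
    f'{OWNER_CANONICAL_ID} pb [01/May/2024:10:00:04 +0000] 198.51.100.7 {SAME_ACCT} R4 REST.GET.OBJECT d/y "GET /d/y HTTP/1.1" 403 AccessDenied',
    f'{OWNER_CANONICAL_ID} pb [01/May/2024:10:00:05 +0000] 203.0.113.9 - R5 REST.GET.OBJECT d/x "GET /d/x HTTP/1.1" 503 SlowDown',
])

def parse_line(line):
    f = TOKEN.findall(line)
    return {"owner": f[0], "ip": f[3], "requester": f[4], "status": int(f[9]), "error": f[10]}

def is_same_account(rec, owner_account_id):
    # "-" is an unauthenticated (anonymous) request; otherwise match the owner's canonical ID or the account in the IAM ARN.
    r = rec["requester"]
    return r != "-" and (r == rec["owner"] or f":{owner_account_id}:" in r)

def billable(rec, owner_account_id, post_may_2024=True):
    # Rules quoted in this thread: 2XX/3XX/4XX billed, 5XX not; since May 2024, 403s from outside the owner's account are free.
    if rec["status"] >= 500:
        return False
    if rec["status"] == 403 and post_may_2024 and not is_same_account(rec, owner_account_id):
        return False
    return True

def summarize(log_text, owner_account_id, post_may_2024=True):
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        counts["billable" if billable(rec, owner_account_id, post_may_2024) else "free"] += 1
        if rec["status"] == 403 and not is_same_account(rec, owner_account_id):
            counts[("external_403", rec["ip"])] += 1   # bursts here are the pattern worth alerting on
    return counts

if __name__ == "__main__":
    for k, v in sorted(summarize(SAMPLE_LOG, OWNER_ACCOUNT_ID).items(), key=str):
        print(k, v)
```

Running the same log with `post_may_2024=False` shows how many of the rejected requests would have been charged under the old rule.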

https://docs.aws.amazon.com/AmazonS3/latest/userguide/aws-usage-report-understand.html

In general, S3 bucket owners are billed for all the requests with HTTP 200 OK successful responses, HTTP 3XX redirection responses, and HTTP 4XX client error responses, such as HTTP 403 Forbidden errors. You aren't billed for HTTP 5XX server error responses, such as HTTP 503 Slow Down errors.

EXPERT, answered 24 days ago; reviewed by Kallu (EXPERT) 24 days ago

Hello.

Currently, the system is such that fees are charged even for unauthorized access.
However, as shown in the answer below, AWS has announced that it will be responding soon, so I think it would be best to wait for that response.
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN3gNdcqbqTHGgqbY6OFpNig
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN490V4aUCR1m0qMBZR6lb2g

EXPERT, answered 24 days ago; reviewed by an AWS EXPERT 24 days ago

Hi,

This issue has been well known for a few days: https://www.thestack.technology/an-attacker-could-run-you-up-a-huge-aws-bill-just-by-sending-rejected-requests-to-an-s3-bucket-and-theres-nothing-you-can-do-about-it/

Jeff Barr, our chief evangelist, has promised that AWS will address the problem: https://twitter.com/jeffbarr/status/1785386554372042890

So, with a bit of patience, this one should be addressed.

Best,

Didier

AWS EXPERT, answered 24 days ago