Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Billing unauthorized access to S3

0

AWS allows you to keep your buckets private so that nobody can access it. Since you pay for every access to the bucket, this option is crucial in protecting your money to be wasted by an attacker. Reportedly AWS charges the clients also for UNAUTHORIZED access to their buckets. I.e. when someone knows the name of your private bucket and tries to do PUT requests to it, Amazon will bill you for that. Since signed URLs contain the plain text names of your private buckets, that features opens a huge security hole enabling any attacker to inflate your S3 bill.

Therefore I want to ask - is this really true? Is there a clear Amazon statement somewhere in the conditions of their services, in the documentation or elsewhere that clearly state that they DO NOT charge the clients for unauthorized access? This by far does not only hit S3. It may be an issue with any other service. Unauthorized access means that you are defending against that access and therefore you cannot be billed for it. Otherwise such policy would constitute a security hole.

It is clearly not enough to say, that Amazon does not say anything about it. For anyone using Amazon services safely it would be necessary to know that Amazon explicitly states, that they do not charge for unauthorized access. Do they? Where?

Temas
Gestión financiera en la nubeAWS Well-Architected Framework
Etiquetas
AWS BillingSeguridad
Idioma
English
TomFG
preguntada hace un mes391 visualizaciones
4 Respuestas
1
Respuesta aceptada

This issue is now addressed - see https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-s3-no-charge-http-error-codes/

Amazon S3 will make a change so unauthorized requests that customers did not initiate are free of charge. With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their individual AWS account or AWS Organization.

profile picture
EXPERTO
Steve_M
respondido hace 20 días
profile picture
EXPERTO
Oleksii Bebych
revisado hace 19 días
0

https://docs.aws.amazon.com/AmazonS3/latest/userguide/aws-usage-report-understand.html

In general, S3 bucket owners are billed for all the requests with HTTP 200 OK successful responses, HTTP 3XX redirection responses, and HTTP 4XX client error responses, such as HTTP 403 Forbidden errors. You aren't billed for HTTP 5XX server error responses, such as HTTP 503 Slow Down errors.

profile picture
EXPERTO
Oleksii Bebych
respondido hace un mes
profile picture
EXPERTO
Kallu
revisado hace un mes
0

Hello.

Currently, the system is such that fees are charged even for unauthorized access.
However, as shown in the answer below, AWS has announced that it will be responding soon, so I think it would be best to wait for that response.
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN3gNdcqbqTHGgqbY6OFpNig
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN490V4aUCR1m0qMBZR6lb2g

profile picture
EXPERTO
Riku_Kobayashi
respondido hace un mes
profile pictureAWS
EXPERTO
Didier_Durand
revisado hace un mes
0

Hi,

This issues is well known for a few days: https://www.thestack.technology/an-attacker-could-run-you-up-a-huge-aws-bill-just-by-sending-rejected-requests-to-an-s3-bucket-and-theres-nothing-you-can-do-about-it/

Jeff Barr, our chef evangelist has promised that AWS will address the problem: https://twitter.com/jeffbarr/status/1785386554372042890

So, with a bit a patience, this one should be addressed.

Best,

Didier

profile pictureAWS
EXPERTO
Didier_Durand
respondido hace un mes

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante