Billing unauthorized access to S3

0

AWS allows you to keep your buckets private so that nobody can access them. Since you pay for every access to the bucket, this option is crucial in protecting your money from being wasted by an attacker. Reportedly, AWS also charges clients for UNAUTHORIZED access to their buckets, i.e. when someone knows the name of your private bucket and tries to do PUT requests to it, Amazon will bill you for that. Since signed URLs contain the plain-text names of your private buckets, that feature opens a huge security hole enabling any attacker to inflate your S3 bill.

Therefore I want to ask: is this really true? Is there a clear Amazon statement somewhere in their terms of service, in the documentation or elsewhere that clearly states that they DO NOT charge clients for unauthorized access? This by far does not only hit S3; it may be an issue with any other service. Unauthorized access means that you are defending against that access, and therefore you cannot be billed for it. Otherwise such a policy would constitute a security hole.

It is clearly not enough to say that Amazon does not say anything about it. For anyone using Amazon services safely, it would be necessary to know that Amazon explicitly states that they do not charge for unauthorized access. Do they? Where?

TomFG
Asked 1 month ago, 372 views
4 answers
1
Accepted answer

This issue is now addressed - see https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-s3-no-charge-http-error-codes/

Amazon S3 will make a change so unauthorized requests that customers did not initiate are free of charge. With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their individual AWS account or AWS Organization.

Expert
Steve_M
Answered 12 days ago
Expert
Reviewed 12 days ago
0

https://docs.aws.amazon.com/AmazonS3/latest/userguide/aws-usage-report-understand.html

In general, S3 bucket owners are billed for all the requests with HTTP 200 OK successful responses, HTTP 3XX redirection responses, and HTTP 4XX client error responses, such as HTTP 403 Forbidden errors. You aren't billed for HTTP 5XX server error responses, such as HTTP 503 Slow Down errors.

Expert
Answered 1 month ago
Expert
Kallu
Reviewed 1 month ago
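Taken together, the accepted answer and the documentation quote above give a bucket owner a concrete rule set to apply to their own S3 server access logs: 5XX responses are never billed, 403 responses initiated from outside the owner's account or organization are free since the May 2024 change, and the remaining 2XX/3XX/4XX responses are billed. The Python script below is an added example, not code from this thread or from AWS. It parses constructed S3 server access log records (placeholder IDs, documentation IP ranges) in the documented leading field order and tallies them by those rules. It assumes you supply the identifiers that mark a requester as your own (canonical user ID, account ID); AWS Organizations membership is not visible in the log, so every other requester is treated as external, which is a simplification.

```python
"""Tally S3 server access log records by the billing rule they fall under.

Added example for this thread (not AWS code). Sample records are constructed.
"""
import re
from collections import Counter

# Tokenizer for the S3 server access log format: space-delimited, but the
# bracketed timestamp and double-quoted fields may themselves contain spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading fields of an S3 server access log record, in the documented order.
FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
)

# Constructed sample records: owner write, two anonymous probes that are
# denied, a denied request from the owner's own IAM user, a throttled read,
# and an anonymous HEAD on a missing key.
SAMPLE_LINES = [
    'OWNERCANONICALID examplebucket [01/May/2024:12:00:00 +0000] 198.51.100.7 OWNERCANONICALID 1A2B3C4D5EXAMPLE REST.PUT.OBJECT report.csv "PUT /examplebucket/report.csv HTTP/1.1" 200 - - 2048 31 12 "-" "aws-cli/2.15" -',
    'OWNERCANONICALID examplebucket [01/May/2024:12:00:01 +0000] 192.0.2.10 - 2B3C4D5E6EXAMPLE REST.PUT.OBJECT junk.bin "PUT /examplebucket/junk.bin HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.6.0" -',
    'OWNERCANONICALID examplebucket [01/May/2024:12:00:02 +0000] 192.0.2.10 - 3C4D5E6F7EXAMPLE REST.GET.OBJECT secret.txt "GET /examplebucket/secret.txt HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.6.0" -',
    'OWNERCANONICALID examplebucket [01/May/2024:12:00:03 +0000] 198.51.100.8 arn:aws:iam::123456789012:user/alice 4D5E6F7A8EXAMPLE REST.GET.OBJECT secret.txt "GET /examplebucket/secret.txt HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "aws-cli/2.15" -',
    'OWNERCANONICALID examplebucket [01/May/2024:12:00:04 +0000] 192.0.2.11 - 5E6F7A8B9EXAMPLE REST.GET.OBJECT big.bin "GET /examplebucket/big.bin HTTP/1.1" 503 SlowDown 231 - 3 - "-" "python-requests/2.31" -',
    'OWNERCANONICALID examplebucket [01/May/2024:12:00:05 +0000] 192.0.2.12 - 6F7A8B9C0EXAMPLE REST.HEAD.OBJECT missing.txt "HEAD /examplebucket/missing.txt HTTP/1.1" 404 NoSuchKey - - 4 - "-" "curl/8.6.0" -',
]


def parse_line(line):
    """Split one log record into a dict of its leading fields."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"truncated log record: {line!r}")
    rec = dict(zip(FIELDS, tokens))
    rec["http_status"] = int(rec["http_status"])
    return rec


def is_external(rec, own_identifiers):
    """True if the requester is outside the bucket owner's account.

    '-' marks an unauthenticated (unsigned) request. Otherwise the requester
    field carries a canonical user ID or an IAM/STS ARN, so we look for any of
    our own identifiers (canonical ID, account ID) inside it. Assumption:
    Organizations membership is not in the log, so any other requester counts
    as external.
    """
    requester = rec["requester"]
    if requester == "-":
        return True
    return not any(ident in requester for ident in own_identifiers)


def billing_class(rec, own_identifiers):
    """Map a record to the billing rule it falls under."""
    status = rec["http_status"]
    if status >= 500:
        return "not_billed_5xx"        # 5XX responses are never billed
    if status == 403 and is_external(rec, own_identifiers):
        return "free_external_403"     # free since the May 2024 change
    return "billable"                  # 2XX, 3XX and the remaining 4XX


def summarize(lines, own_identifiers):
    """Count records per billing class; blank lines are skipped."""
    return Counter(
        billing_class(parse_line(line), own_identifiers)
        for line in lines if line.strip()
    )


if __name__ == "__main__":
    counts = summarize(SAMPLE_LINES, {"OWNERCANONICALID", "123456789012"})
    for cls, n in sorted(counts.items()):
        print(f"{cls:20s} {n}")
```

Run it against the sample and the two anonymous AccessDenied probes land in `free_external_403`, the owner's own denied request and the anonymous 404 stay `billable`, and the SlowDown response is not billed at all. A rising `free_external_403` count no longer costs money, but it still tells you that someone has learned your bucket name and is probing it, which is the signal the original question was worried about.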
0

Hello.

Currently, the system is such that fees are charged even for unauthorized access.
However, as shown in the answer below, AWS has announced that it will be responding soon, so I think it would be best to wait for that response.
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN3gNdcqbqTHGgqbY6OFpNig
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN490V4aUCR1m0qMBZR6lb2g

Expert
Answered 1 month ago
AWS
Expert
Reviewed 1 month ago
0

Hi,

This issue has been well known for a few days: https://www.thestack.technology/an-attacker-could-run-you-up-a-huge-aws-bill-just-by-sending-rejected-requests-to-an-s3-bucket-and-theres-nothing-you-can-do-about-it/

Jeff Barr, our chief evangelist, has promised that AWS will address the problem: https://twitter.com/jeffbarr/status/1785386554372042890

So, with a bit of patience, this one should be addressed.

Best,

Didier

AWS
Expert
Answered 1 month ago
