AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Billing unauthorized access to S3

0

AWS allows you to keep your buckets private so that nobody can access it. Since you pay for every access to the bucket, this option is crucial in protecting your money to be wasted by an attacker. Reportedly AWS charges the clients also for UNAUTHORIZED access to their buckets. I.e. when someone knows the name of your private bucket and tries to do PUT requests to it, Amazon will bill you for that. Since signed URLs contain the plain text names of your private buckets, that features opens a huge security hole enabling any attacker to inflate your S3 bill.

Therefore I want to ask - is this really true? Is there a clear Amazon statement somewhere in the conditions of their services, in the documentation or elsewhere that clearly state that they DO NOT charge the clients for unauthorized access? This by far does not only hit S3. It may be an issue with any other service. Unauthorized access means that you are defending against that access and therefore you cannot be billed for it. Otherwise such policy would constitute a security hole.

It is clearly not enough to say, that Amazon does not say anything about it. For anyone using Amazon services safely it would be necessary to know that Amazon explicitly states, that they do not charge for unauthorized access. Do they? Where?

주제
클라우드 재무 관리AWS Well-Architected 프레임워크
태그
AWS 청구보안
언어
English
TomFG
질문됨 한 달 전373회 조회
4개 답변
1
수락된 답변

This issue is now addressed - see https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-s3-no-charge-http-error-codes/

Amazon S3 will make a change so unauthorized requests that customers did not initiate are free of charge. With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their individual AWS account or AWS Organization.

profile picture
전문가
Steve_M
답변함 12일 전
profile picture
전문가
Oleksii Bebych
검토됨 12일 전
0

https://docs.aws.amazon.com/AmazonS3/latest/userguide/aws-usage-report-understand.html

In general, S3 bucket owners are billed for all the requests with HTTP 200 OK successful responses, HTTP 3XX redirection responses, and HTTP 4XX client error responses, such as HTTP 403 Forbidden errors. You aren't billed for HTTP 5XX server error responses, such as HTTP 503 Slow Down errors.

profile picture
전문가
Oleksii Bebych
답변함 한 달 전
profile picture
전문가
Kallu
검토됨 한 달 전
0

Hello.

Currently, the system is such that fees are charged even for unauthorized access.
However, as shown in the answer below, AWS has announced that it will be responding soon, so I think it would be best to wait for that response.
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN3gNdcqbqTHGgqbY6OFpNig
https://repost.aws/questions/QUi8gnXsmyQB6DX3isQYqgtA/is-there-any-charge-for-403-requests-over-s3-bucket#AN490V4aUCR1m0qMBZR6lb2g

profile picture
전문가
Riku_Kobayashi
답변함 한 달 전
profile pictureAWS
전문가
Didier_Durand
검토됨 한 달 전
0

Hi,

This issues is well known for a few days: https://www.thestack.technology/an-attacker-could-run-you-up-a-huge-aws-bill-just-by-sending-rejected-requests-to-an-s3-bucket-and-theres-nothing-you-can-do-about-it/

Jeff Barr, our chef evangelist has promised that AWS will address the problem: https://twitter.com/jeffbarr/status/1785386554372042890

So, with a bit a patience, this one should be addressed.

Best,

Didier

profile pictureAWS
전문가
Didier_Durand
답변함 한 달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠