Copy-pasting from Slashdot -
How an Empty S3 Bucket Can Make Your AWS Bill Explode (medium.com)
Posted by msmash on Tuesday April 30, 2024 @03:10PM from the oops dept.
Maciej Pocwierz, a senior software engineer at Semantive, writing on Medium:
A few weeks ago, I began working on the PoC of a document indexing
system for my client. I created a single S3 bucket in the eu-west-1
region and uploaded some files there for testing. Two days later, I
checked my AWS billing page, primarily to make sure that what I was
doing was well within the free-tier limits. Apparently, it wasn't. My
bill was over $1,300, with the billing console showing nearly
100,000,000 S3 PUT requests executed within just one day! By default,
AWS doesn't log requests executed against your S3 buckets. However, such
logs can be enabled using AWS CloudTrail or S3 Server Access Logging.
After enabling CloudTrail logs, I immediately observed thousands of
write requests originating from multiple accounts or entirely outside of
AWS.
Was it some kind of DDoS-like attack against my account? Against AWS? As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used... the same name that I used for my bucket. This meant that every deployment of this tool with default configuration values attempted to store its backups in my S3 bucket! So, a horde of misconfigured systems is attempting to store their data in my private S3 bucket. But why should I be the one paying for this mistake? Here's why: S3 charges you for unauthorized incoming requests. This was confirmed in my exchange with AWS support. As they wrote: "Yes, S3 charges for unauthorized requests (4xx) as well[1]. That's expected behavior." So, if I were to open my terminal now and type: aws s3 cp ./file.txt s3://your-bucket-name/random_key
I would receive an AccessDenied error, but you would be the one to pay
for that request. And I don't even need an AWS account to do so.
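The detection side of the story above, as an added example that is not code from the Medium article or the Slashdot post: once S3 Server Access Logging is enabled, the log lines can be parsed to count how many of the bucket's requests were 4xx responses (which, per the AWS support reply quoted above, are billed to the bucket owner), how many of those were attempted writes, how many carried no AWS identity at all, and which sources sent them. The parser assumes the documented S3 server access log field order; the bucket name `my-poc-bucket`, the IP addresses, the canonical IDs and every log line below are constructed for the example.

```python
"""Count billed-but-unauthorized requests in S3 server access logs.

Added example for this page, not code from the Medium article or Slashdot.
Assumes the documented S3 server access log field order; all sample lines,
bucket names, IPs and IDs below are constructed.
"""
import re
from collections import Counter

# Documented S3 server access log fields, in order (only the first 11 are
# needed here; the rest are listed so that full lines parse by name).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]

# Fields are space separated, except the bracketed timestamp and the quoted
# request URI, referer and user agent, which may themselves contain spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Operations that would have stored data in the bucket had they been allowed.
WRITE_OPS = {"REST.PUT.OBJECT", "REST.POST.OBJECT", "REST.COPY.OBJECT",
             "REST.POST.UPLOADS", "REST.PUT.PART"}

# Constructed sample: one owner PUT, three unsigned PUTs from a misconfigured
# backup tool (requester "-"), one denied PUT and one denied GET signed by
# another AWS account, and one owner GET.
SAMPLE_LOG = """\
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:01 +0000] 203.0.113.10 ownercanonicalid REQ0001 REST.PUT.OBJECT docs/test.txt "PUT /docs/test.txt HTTP/1.1" 200 - - 1024 20 15 "-" "aws-cli/2.15.0" - hostid1= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-poc-bucket.s3.eu-west-1.amazonaws.com TLSv1.2 - -
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:05 +0000] 198.51.100.7 - REQ0002 REST.PUT.OBJECT backups/2024-04-01.tar.gz "PUT /backups/2024-04-01.tar.gz HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "backup-tool/1.0" - hostid2= - - - my-poc-bucket.s3.amazonaws.com TLSv1.2 - -
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:06 +0000] 198.51.100.7 - REQ0003 REST.PUT.OBJECT backups/2024-04-01.meta "PUT /backups/2024-04-01.meta HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "backup-tool/1.0" - hostid3= - - - my-poc-bucket.s3.amazonaws.com TLSv1.2 - -
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:09 +0000] 198.51.100.8 - REQ0004 REST.PUT.OBJECT backups/2024-04-01.tar.gz "PUT /backups/2024-04-01.tar.gz HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "backup-tool/1.0" - hostid4= - - - my-poc-bucket.s3.amazonaws.com TLSv1.2 - -
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:12 +0000] 192.0.2.44 othercanonicalid REQ0005 REST.PUT.OBJECT backups/db.sql "PUT /backups/db.sql HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "aws-sdk-go/1.44" - hostid5= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-poc-bucket.s3.eu-west-1.amazonaws.com TLSv1.2 - -
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:20 +0000] 192.0.2.45 othercanonicalid REQ0006 REST.GET.OBJECT docs/test.txt "GET /docs/test.txt HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-sdk-go/1.44" - hostid6= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-poc-bucket.s3.eu-west-1.amazonaws.com TLSv1.2 - -
ownercanonicalid my-poc-bucket [01/Apr/2024:10:00:30 +0000] 203.0.113.10 ownercanonicalid REQ0007 REST.GET.OBJECT docs/test.txt "GET /docs/test.txt HTTP/1.1" 200 - 1024 1024 12 10 "-" "aws-cli/2.15.0" - hostid7= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-poc-bucket.s3.eu-west-1.amazonaws.com TLSv1.2 - -
"""


def parse_line(line):
    """Split one access log line into a dict keyed by the documented field names."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < 11:
        raise ValueError("too few fields for an S3 server access log line")
    rec = dict(zip(FIELDS, tokens))
    rec["http_status"] = int(rec["http_status"])
    return rec


def summarize(log_text, top_n=3):
    """Aggregate a log extract; every 4xx counted here was billed to the owner."""
    stats = {"total_requests": 0, "client_errors": 0, "denied_writes": 0,
             "unauthenticated_client_errors": 0}
    by_source = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stats["total_requests"] += 1
        if not 400 <= rec["http_status"] < 500:
            continue
        stats["client_errors"] += 1
        by_source[(rec["remote_ip"], rec["requester"])] += 1
        if rec["operation"] in WRITE_OPS:
            stats["denied_writes"] += 1
        if rec["requester"] == "-":  # unsigned request: no AWS identity behind it
            stats["unauthenticated_client_errors"] += 1
    stats["top_sources"] = by_source.most_common(top_n)
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['client_errors']} of {s['total_requests']} requests were 4xx "
          f"({s['denied_writes']} attempted writes, "
          f"{s['unauthenticated_client_errors']} unsigned); "
          f"top sources: {s['top_sources']}")
```

The requester column is `-` for unsigned requests, which is how the `aws s3 cp` call in the quoted paragraph shows up when it is sent without credentials (the AWS CLI only sends an unsigned request when given `--no-sign-request`; without any configured credentials it refuses to send at all). On a real log the `top_sources` list is what tells you whether the traffic is one misconfigured fleet, as in the article, or something aimed at you, and the `client_errors` count is the volume you are being billed for regardless of the answer.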