
> **Lesson 1: Anyone who knows the name of any of your S3 buckets can ramp up your AWS bill as they like.**
>
> Other than deleting the bucket, there’s nothing you can do to prevent it. Standard S3 PUT requests are priced at just $0.005 per 1,000 requests, but a single machine can easily execute thousands of such requests per second.

I’m absolutely flabbergasted that this is okay. How is this okay???

medium.com/@maciej.pocwierz/ho

Medium · How an empty S3 bucket can make your AWS bill explode · By Maciej Pocwierz
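Added example, not from the thread or the linked article: a small Python detector over S3 server access log lines that counts AccessDenied requests per source IP and estimates the PUT charge at the $0.005 per 1,000 rate quoted above. The log lines are constructed and cut to the first eleven fields of the real layout, and the function and threshold names are my own.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs) in the S3 server access log layout, cut
# to the first eleven fields:
# owner bucket [time] remote_ip requester request_id operation key "request_uri" status error_code
SAMPLE_LOG = """\
acct1 my-empty-bucket [29/Apr/2024:10:00:01 +0000] 198.51.100.7 - 9A3F REST.PUT.OBJECT backup/1.tgz "PUT /backup/1.tgz HTTP/1.1" 403 AccessDenied
acct1 my-empty-bucket [29/Apr/2024:10:00:01 +0000] 198.51.100.7 - 9A40 REST.PUT.OBJECT backup/2.tgz "PUT /backup/2.tgz HTTP/1.1" 403 AccessDenied
acct1 my-empty-bucket [29/Apr/2024:10:00:02 +0000] 198.51.100.7 - 9A41 REST.PUT.OBJECT backup/3.tgz "PUT /backup/3.tgz HTTP/1.1" 403 AccessDenied
acct1 my-empty-bucket [29/Apr/2024:10:00:05 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/alice 9A42 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 -
acct1 my-empty-bucket [29/Apr/2024:10:00:06 +0000] 192.0.2.44 - 9A43 REST.HEAD.BUCKET - "HEAD / HTTP/1.1" 403 AccessDenied
"""

LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<error>\S+)'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def unauthorized_request_report(log_text, price_per_1000_puts=0.005, burst_threshold=3):
    """Count 403 AccessDenied requests per source IP and estimate the PUT charge at the
    quoted rate; the article's premise (rejected PUTs are billed) is assumed here."""
    denied_by_ip = Counter()
    puts = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # skip lines that do not parse
            continue
        if rec["operation"].startswith("REST.PUT."):
            puts += 1            # counted whether or not the request was rejected
        if rec["status"] == "403" and rec["error"] == "AccessDenied":
            denied_by_ip[rec["ip"]] += 1
    return {
        "put_requests": puts,
        "estimated_put_cost_usd": puts * price_per_1000_puts / 1000,
        "denied_by_ip": dict(denied_by_ip),
        # sources worth alerting on: repeated rejected requests from one IP
        "burst_sources": sorted(ip for ip, n in denied_by_ip.items() if n >= burst_threshold),
    }

if __name__ == "__main__":
    print(unauthorized_request_report(SAMPLE_LOG))
```

The rate and the charged-on-403 premise are the ones the article states; AWS announced in 2024 that S3 no longer bills requests that fail with AccessDenied from outside the bucket owner's account, but a storm of rejected requests against a bucket is still worth alerting on.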
ti zhang

@davidcelis oof that sucks, glad they canceled his bill. technically u could put the s3 in a vpc, or put it behind api gateway and set up endpoint protection with auth types specified by AWS, which will prevent u from being charged for api calls from ddos attacks/unauthorized access. but ya annoying this is so not transparent and convoluted 😒

@zero_tea huh, the author seems to think that there's no kind of protection to prevent this:

> You can’t protect your bucket with services like CloudFront or WAF when it’s being accessed directly through the S3 API

you'd have to completely disable S3 API access for the bucket; is that actually possible? i figured the only available protections would just cause S3 API access to do something like return a 401, which you'd still get charged for?

@zero_tea also i'm glad they cancelled his bill but the fact that they explicitly said it was an exception rather than revisiting that ridiculous billing practice... they know exactly what they're doing 😬

@davidcelis not the system working the way it’s designed to work 😮‍💨😮‍💨😮‍💨 i guess that’s why aws billing consultation is a whole business

@davidcelis he’s not wrong, using api gateway doesn’t remove s3 api access 💀