How an empty S3 bucket can make your AWS bill explode \ stacker news ~security

How an empty S3 bucket can make your AWS bill explode medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1

562 sats \ 7 comments \ @StillStackinAfterAllTheseYears 30 Apr security

This is both a bad tech and a security thing, but this was the paragraph that caught my eye:

We now understand why my S3 bucket was bombarded with millions of requests and why I ended up with a huge S3 bill. At that point, I had one more idea I wanted to explore. If all those misconfigured systems were attempting to back up their data into my S3 bucket, why not just let them do so? I opened my bucket for public writes and collected over 10GB of data within less than 30 seconds. Of course, I can’t disclose whose data it was. But it left me amazed at how an innocent configuration oversight could lead to a dangerous data leak!

The tl;dr is that even if you reject unauthorized requests for your S3 bucket, AWS will still bill you for them. And also, if you accept those requests, you get a lot of data you probably shouldn't have.

view all related items

56 sats \ 1 reply \ @WeAreAllSatoshi 30 Apr

Also, holy shit, you can just spam the S3 URL with garbage and drive up someone’s bill? Better hope you keep your URLs secret.

@ek do we proxy through the SN API for S3?

106 sats \ 0 replies \ @ek 30 Apr

No, we use presigned URLs and uploads happen on the client

Related HN comment

6 sats \ 0 replies \ @WeAreAllSatoshi 30 Apr

My god that’s a lot of data quickly

21 sats \ 0 replies \ @nym 30 Apr

That’s scary

0 sats \ 2 replies \ @Coinsreporter 30 Apr

Say no to AWS straight away.

Can we have some decentralized open source AWS kinda platform?

27 sats \ 1 reply \ @kepford 30 Apr

LOL

0 sats \ 0 replies \ @Coinsreporter 30 Apr

😂