This week, AWS addressed the concerns that came up two weeks ago over how unauthenticated failed requests were billed to S3 buckets, which led to fears of malicious attacks that could cause incredibly high cloud bills. Some feared that, with an S3 bucket name, information not previously considered a secret worth safeguarding, attackers could cause devastating financial losses.
On April 29, Maciej Pocwierz posted an article about unexpected charges to his accidentally popular S3 bucket. He speculated that malicious actors could send unauthenticated requests to a bucket, potentially leading to millions of dollars in charges. This article quickly gained attention. (Medium.com)
Twitter erupted over the news, with many cloud skeptics jumping on the bandwagon.
My response to anyone sharing this article was simple: "This is unlikely to survive the pressure from going viral or the first lawsuit over the charges."
Jeff Barr, Chief Evangelist at AWS, promptly addressed these concerns on Twitter the following day. He assured users that changes to S3 billing were underway to prevent such scenarios from negatively impacting customers. Skeptics remained unsatisfied and mocked the statement as having no weight or value. (Twitter)
On May 13, AWS updated their S3 documentation to reflect that they are rolling out an update to stop unauthenticated failed requests from being billed to users. They will fully update the documentation once the rollout is complete. (AWS S3 documentation)
It's essential to remember that public clouds are businesses aiming to make a profit, but it's misguided to assume malevolence. Public clouds, including AWS, are not here to exploit their customers. They operate with the goal of providing reliable and secure services. Any assumption otherwise is unfounded zealotry.