- cross-posted to:
- [email protected]
“By design” AWS bills project owners for unauthorized calls to the public S3 API.
So what I’m reading from this is you can do a billing attack on anything hosted in AWS so long as you know one of their bucket names.
Seriously, now that this is more widely known, it’ll for sure be taken advantage of a lot, to the point AWS will begrudgingly protect their customers once the damage is done.
You shouldn’t be charged for unauthorized requests to your buckets. Currently if you know any person’s bucket name, which is easily discoverable if you know what you’re doing, that means you can maliciously rack up their bill just to hurt them financially by spamming it with anonymous requests.
This is insane.
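The billing risk described above (denied requests still count as billable requests) is something a bucket owner can at least see coming in S3 server access logs. The following is an added example, not from the original thread or from AWS, that parses the positional server access log format (bucket, timestamp, remote IP, requester, operation, HTTP status, error code) and counts requests that were denied with 403 AccessDenied per bucket and per source IP; the log lines embedded in it are constructed for the example, and the bucket names, IPs and threshold are illustrative assumptions.

```python
import re
from collections import Counter

# S3 server access log lines are whitespace-separated positional fields, except that the
# timestamp is wrapped in [...] and the request URI, referer and user agent are quoted.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Positional indexes of the fields used here (field order per the S3 server access log format).
_BUCKET, _TIME, _REMOTE_IP, _REQUESTER, _OPERATION, _STATUS, _ERROR = 1, 2, 3, 4, 6, 9, 10

# Constructed sample log lines (not real traffic): four anonymous denied PUTs against one
# bucket from two IPs, one authenticated successful GET, and one denied request on another bucket.
SAMPLE_LOG = [
    'OWNERIDEXAMPLE my-backups-example [06/May/2024:10:15:01 +0000] 198.51.100.7 - REQ1EXAMPLE REST.PUT.OBJECT backup/db.tar.gz "PUT /backup/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-sdk-go/1.44.0" - - - - - my-backups-example.s3.amazonaws.com TLSv1.2 - -',
    'OWNERIDEXAMPLE my-backups-example [06/May/2024:10:15:02 +0000] 198.51.100.7 - REQ2EXAMPLE REST.PUT.OBJECT backup/db.tar.gz "PUT /backup/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-sdk-go/1.44.0" - - - - - my-backups-example.s3.amazonaws.com TLSv1.2 - -',
    'OWNERIDEXAMPLE my-backups-example [06/May/2024:10:15:03 +0000] 198.51.100.7 - REQ3EXAMPLE REST.PUT.OBJECT backup/db.tar.gz "PUT /backup/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "aws-sdk-go/1.44.0" - - - - - my-backups-example.s3.amazonaws.com TLSv1.2 - -',
    'OWNERIDEXAMPLE my-backups-example [06/May/2024:10:16:10 +0000] 203.0.113.9 - REQ4EXAMPLE REST.PUT.OBJECT backup/db.tar.gz "PUT /backup/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-sdk-go/1.44.0" - - - - - my-backups-example.s3.amazonaws.com TLSv1.2 - -',
    'OWNERIDEXAMPLE my-backups-example [06/May/2024:10:20:00 +0000] 192.0.2.44 OWNERIDEXAMPLE REQ5EXAMPLE REST.GET.OBJECT backup/db.tar.gz "GET /backup/db.tar.gz HTTP/1.1" 200 - 1048576 1048576 40 12 "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-backups-example.s3.amazonaws.com TLSv1.2 - -',
    'OWNERIDEXAMPLE other-bucket-example [06/May/2024:10:21:00 +0000] 203.0.113.9 - REQ6EXAMPLE REST.GET.OBJECT - "GET / HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "curl/8.4.0" - - - - - other-bucket-example.s3.amazonaws.com TLSv1.2 - -',
]


def parse_line(line):
    """Split one access log line into the fields this example needs; None if it is malformed."""
    tokens = _TOKEN.findall(line)
    if len(tokens) <= _ERROR:
        return None
    return {
        "bucket": tokens[_BUCKET],
        "time": tokens[_TIME].strip("[]"),
        "remote_ip": tokens[_REMOTE_IP],
        "requester": tokens[_REQUESTER],  # "-" means the request carried no credentials
        "operation": tokens[_OPERATION],
        "status": tokens[_STATUS],
        "error": tokens[_ERROR],
    }


def unauthorized_request_summary(lines):
    """Count 403 AccessDenied requests (billed even though denied) per bucket and per (bucket, IP)."""
    by_bucket = Counter()
    by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "403" and rec["error"] == "AccessDenied":
            by_bucket[rec["bucket"]] += 1
            by_ip[(rec["bucket"], rec["remote_ip"])] += 1
    return by_bucket, by_ip


def buckets_over_threshold(lines, threshold):
    """Buckets whose denied-request count reaches the threshold; a candidate alert for a billing review."""
    by_bucket, _ = unauthorized_request_summary(lines)
    return sorted(b for b, n in by_bucket.items() if n >= threshold)


if __name__ == "__main__":
    by_bucket, by_ip = unauthorized_request_summary(SAMPLE_LOG)
    for bucket, n in by_bucket.most_common():
        print(f"{bucket}: {n} denied requests")
    print("over threshold:", buckets_over_threshold(SAMPLE_LOG, 3))
```

On real logs the threshold would be applied per time window (the timestamp is parsed for that purpose) and the per-IP counter is what distinguishes one misconfigured client retrying from many sources; a CloudWatch metric on the same 4xx counts gives the same signal without shipping the logs.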
lol dude, I’ve known several people who have worked at AWS for years, and the amount of duct tape and baling wire Mickey Mouse shit that I’ve heard goes on there just… does not inspire confidence.
As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used… the same name that I used for my bucket.
It’s completely insane that the tool would attempt to connect to a nonexistent bucket for backups by default instead of just… having them disabled completely?
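The failure mode in the two comments above is a shipped default that names a bucket the tool does not own and then sends requests to it. An added example, not code from the tool in the story or from anyone in this thread, of the startup check such a tool could run: backups stay disabled unless explicitly enabled, a bucket name that is missing, looks like a placeholder, or is not a valid S3 bucket name fails loudly before any request is made. The config keys, the placeholder markers and the sample configs are assumptions constructed for the example.

```python
import re

# Substrings that suggest a template value was never replaced (constructed list for this example).
PLACEHOLDER_MARKERS = ("your-bucket", "changeme", "placeholder", "xxx", "<", ">")

# Subset of the S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit; consecutive dots are checked separately.
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


class BackupConfigError(ValueError):
    """Raised when backups are enabled but the configured target cannot be trusted."""


def validate_backup_config(config):
    """Return (bucket, error). bucket is None when backups are off; error is None when config is sane.

    Backups are off unless `backups_enabled` is explicitly true, so an untouched default
    config never produces S3 traffic at all (the safe default the comment above asks for).
    """
    if not config.get("backups_enabled", False):
        return None, None
    bucket = (config.get("bucket") or "").strip()
    if not bucket:
        return None, "backups enabled but no bucket configured"
    lowered = bucket.lower()
    if any(marker in lowered for marker in PLACEHOLDER_MARKERS):
        return None, f"bucket name {bucket!r} looks like an unreplaced placeholder"
    if not _BUCKET_NAME.match(bucket) or ".." in bucket:
        return None, f"bucket name {bucket!r} is not a valid S3 bucket name"
    return bucket, None


def resolve_backup_target(config):
    """Bucket to use, or None to skip backups; raises so a bad config stops the tool at startup."""
    bucket, error = validate_backup_config(config)
    if error:
        raise BackupConfigError(error)
    return bucket


# Constructed sample configs: an untouched default, a template left as shipped, and a real one.
DEFAULT_CONFIG = {}
TEMPLATE_CONFIG = {"backups_enabled": True, "bucket": "your-bucket-name"}
REAL_CONFIG = {"backups_enabled": True, "bucket": "acme-prod-db-backups"}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("template", TEMPLATE_CONFIG), ("real", REAL_CONFIG)):
        try:
            print(name, "->", resolve_backup_target(cfg))
        except BackupConfigError as exc:
            print(name, "-> refused:", exc)
```

Refusing to start is the point: a backup job that silently retries against someone else's bucket generates exactly the unauthorized, still-billed requests the thread is about, and the owner of that bucket has no way to stop it from their side.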
A great post, interesting and to the point.
Please use scribe.rip instead of medium.com for articles
It’s fine if you dislike a site. But the correct thing to do is not consume their content, not to work around it.
Medium is the journalistic version of the gig economy apps, mixed with a bit of digital landlording. The correct thing to do here is to bypass any of Medium’s paywalls you might run into.
AWS was kind enough to cancel my S3 bill. However, they emphasized that this was done as an exception.
Dicks.
Wow, makes one fearful to even use AWS. Yikes!
Definitely required reading for those who use AWS.