How an empty S3 bucket can make your AWS bill explode
Billing for Unauthorized S3 Requests
- Many commenters are shocked that 403/Access Denied S3 requests are billable, calling it “bananas” and “customer‑hostile.”
- Others argue unauthorized requests still consume resources, so someone must pay, and AWS is simply following its published pricing.
- Several note that the marginal cost of an auth failure should be far lower than a real PUT/GET, yet pricing is similar or higher (e.g., failed PUTs priced like successful writes).
Denial‑of‑Wallet / Attack Potential
- Strong concern that botnets or cheap VPSs could spam guessed bucket names and create large bills (“economic DDOS”).
- Attack surface is increased by: predictable bucket names (domains, account IDs), pre‑signed URLs exposing bucket names, and old/abandoned buckets.
- Some extend this to other AWS services (CloudFront, API Gateway, byte‑range GETs) as further denial‑of‑wallet vectors.
Mitigations and Workarounds
- Suggestions:
- Use long, random bucket names; delete unused buckets.
- Put S3 behind CloudFront or reverse proxies, though S3’s direct endpoint remains exposed.
- Use private / non‑internet‑routable storage where possible.
- Set CloudWatch billing alarms, Cost Anomaly Detection, and DIY “budget ceilings” via Lambda (no native hard cap).
- Some note you cannot truly “shut down” a bucket without deleting it, and requester‑pays does not shift costs for 403s.
Comparisons to Other Providers
- Claims that GCP and Azure also bill for failed/unauthorized requests, but with nuances; a GCP pricing note says most 4xx/5xx aren’t charged, with specific exceptions.
- Backblaze B2 reportedly does not bill for 4xx and supports spending limits.
Incentives, Responsibility, and Trust
- Multiple commenters see misaligned incentives and “predatory” pricing; others frame it as the tradeoff for highly available, auto‑scaling infrastructure.
- Worries that cloud complexity (S3 auth, access controls, billing) repeatedly creates new classes of user harm (“another Bucketgate”).
- Several say they now prefer fixed‑price VPS / traditional hosting for personal projects to avoid surprise bills.