How an empty S3 bucket can make your AWS bill explode

Billing for Unauthorized S3 Requests

  • Many commenters are shocked that 403/Access Denied S3 requests are billable, calling it “bananas” and “customer‑hostile.”
  • Others argue unauthorized requests still consume resources, so someone must pay, and AWS is simply following its published pricing.
  • Several note that the marginal cost of an auth failure should be far lower than a real PUT/GET, yet pricing is similar or higher (e.g., failed PUTs priced like successful writes).

Denial‑of‑Wallet / Attack Potential

  • Strong concern that botnets or cheap VPSs could spam guessed bucket names and create large bills (“economic DDOS”).
  • Attack surface is increased by: predictable bucket names (domains, account IDs), pre‑signed URLs exposing bucket names, and old/abandoned buckets.
  • Some extend this to other AWS services (CloudFront, API Gateway, byte‑range GETs) as further denial‑of‑wallet vectors.

Mitigations and Workarounds

  • Suggestions:
    • Use long, random bucket names; delete unused buckets.
    • Put S3 behind CloudFront or reverse proxies, though S3’s direct endpoint remains exposed.
    • Use private / non‑internet‑routable storage where possible.
    • Set CloudWatch billing alarms, Cost Anomaly Detection, and DIY “budget ceilings” via Lambda (no native hard cap).
  • Some note you cannot truly “shut down” a bucket without deleting it, and requester‑pays does not shift costs for 403s.

Comparisons to Other Providers

  • Claims that GCP and Azure also bill for failed/unauthorized requests, but with nuances; a GCP pricing note says most 4xx/5xx aren’t charged, with specific exceptions.
  • Backblaze B2 reportedly does not bill for 4xx and supports spending limits.

Incentives, Responsibility, and Trust

  • Multiple commenters see misaligned incentives and “predatory” pricing; others frame it as the tradeoff for highly available, auto‑scaling infrastructure.
  • Worries that cloud complexity (S3 auth, access controls, billing) repeatedly creates new classes of user harm (“another Bucketgate”).
  • Several say they now prefer fixed‑price VPS / traditional hosting for personal projects to avoid surprise bills.