Facepalm: Amazon S3 buckets, part of the Amazon Web Services infrastructure, are great for storing and managing huge amounts of data at scale, but they can also become a financial and security risk if used with poor default configurations.

Using a private AWS S3 bucket with a simple, easy-to-guess name could quickly become a financial disaster for even the simplest cloud project. A developer named Maciej Pocwierz discovered this hard truth while working on a document-indexing system for a client, and chose to share the experience to make everyone using the AWS platform aware of the issue.

In a recent Medium post, Pocwierz said that he created a single S3 bucket in the eu-west-1 region of the AWS platform to upload and test some files. Just two days later, the developer checked the AWS billing page and discovered that he had already been charged $1,300. Pocwierz was expecting to “do well” within the free tier of the service, but the S3 bucket had instead recorded nearly 100 million attempts to create new files through PUT requests.

As later confirmed by AWS support, S3 charges customers for both legitimate and unauthorized incoming requests. Upon investigating the issue, Pocwierz discovered that one of the popular open-source tools he used had a default configuration to store backups in S3. The tool’s default bucket name and the one the developer had chosen to test his project turned out to be exactly the same.

Every single instance of the aforementioned tool was trying to save backup files to his freshly created bucket, and Amazon was billing accordingly. Pocwierz didn’t disclose the tool’s name, as doing so would have created a significant risk for the unspecified number of companies using that very same tool.

The developer tried to test this potential security and privacy nightmare by opening his bucket to public writes. In just 30 seconds, the now-writable bucket recorded over 10 gigabytes of data coming from every corner of the internet. He contacted some of the companies affected by the issue, but they seemingly chose to “completely ignore” him.

Pocwierz was fortunate to have the unwanted bill canceled with the help of AWS support, even though the company confirmed that the system was functioning as expected. AWS Chief Evangelist Jeff Barr said on X that customers “should not have to pay” for unauthorized write requests that they did not initiate, anticipating some helpful changes on the matter to arrive “shortly.”

The developer also got in touch with the team behind the unnamed tool, and the devs decided to change the default configuration of the software to fix the issue. He also said that S3 customers could significantly enhance the security of a project by adding a random suffix to their bucket names.
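As an added example (not code from the article or from Pocwierz’s post), the following Python helper builds a bucket name with a random suffix, as the article recommends, and checks it against S3’s general-purpose bucket naming rules; the prefix, suffix length and the `has_random_suffix` heuristic are assumptions for illustration.

```python
import re
import secrets

# S3 general-purpose bucket naming rules: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Reserved prefixes/suffixes from the S3 naming rules (not an exhaustive list).
_RESERVED_PREFIXES = ("xn--", "sthree-")
_RESERVED_SUFFIXES = ("-s3alias", "--ol-s3")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies the S3 general-purpose bucket naming rules."""
    if not _NAME_RE.fullmatch(name):
        return False
    if ".." in name or _IP_RE.fullmatch(name):   # no adjacent dots, no IP-style names
        return False
    if name.startswith(_RESERVED_PREFIXES) or name.endswith(_RESERVED_SUFFIXES):
        return False
    return True


def make_bucket_name(prefix: str, suffix_bytes: int = 8) -> str:
    """Build '<prefix>-<random hex>' so the name cannot be guessed from the prefix alone.

    8 random bytes give a 16-character hex label (64 bits of entropy), which is
    enough to avoid colliding with any tool's hard-coded default bucket name.
    """
    suffix = secrets.token_hex(suffix_bytes)
    name = f"{prefix.lower()}-{suffix}"
    if not is_valid_bucket_name(name):
        raise ValueError(f"cannot build a valid bucket name from prefix {prefix!r}")
    return name


def has_random_suffix(name: str, min_hex_chars: int = 16) -> bool:
    """Heuristic audit check (assumed): does the last '-' label look like a hex suffix?

    Run this over an account's existing bucket names to flag ones that are
    plain words and therefore easy to guess or to collide with.
    """
    last_label = name.rsplit("-", 1)[-1]
    return re.fullmatch(rf"[0-9a-f]{{{min_hex_chars},}}", last_label) is not None


if __name__ == "__main__":
    print(make_bucket_name("docs-index"))   # constructed prefix for the demo
```

A random suffix prevents accidental collisions with a tool’s default bucket name; it is not a secret, so access control still has to come from bucket policies and IAM.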
