Using Amazon Web Services (AWS) can be a boon for developers, but one small oversight in naming an S3 storage bucket almost cost Maciej Pocwierz a significant amount of money. Pocwierz learned the hard way that picking a generic name for an S3 bucket can lead to unexpected and costly consequences.
It all started when Pocwierz chose a seemingly innocuous name for his S3 storage bucket, unaware that a popular open-source tool used that same name in its default backup configuration. Within just one day, his bucket received nearly 100 million unauthorized attempts to create new files, resulting in a bill of over $1,300 and climbing.
The situation was particularly distressing for Pocwierz, who had assured his client that the cost of AWS services would be minimal, only to be faced with a bill that far exceeded his expectations. The sheer volume of unauthorized requests made it appear that he was unaware of how to manage AWS resources properly.
While Pocwierz declined to name the open-source tool responsible for the flood of requests, he highlighted the broader issue of default configurations leading to unintended consequences. In a Medium post recounting his experience, Pocwierz emphasized the importance of promptly addressing such vulnerabilities, especially when they involve exposing sensitive data from other companies.
Fortunately, Pocwierz’s ordeal had a somewhat positive resolution. An AWS representative reached out and canceled his bill, citing it as an exception. However, Pocwierz stressed that this should not be the standard procedure and that AWS should take proactive measures to prevent similar incidents in the future.
In response to the incident, Jeff Barr, chief evangelist for AWS at Amazon, acknowledged the need for customers to be protected from unauthorized charges and stated that the company would be exploring ways to prevent such occurrences.
Pocwierz’s story serves as a cautionary tale for developers using AWS services. In addition to avoiding generic bucket names, he recommends adding a random suffix to bucket names and specifying the AWS region explicitly to mitigate the risk of unauthorized access and potential financial loss.
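The two recommendations above can be turned into a small helper. The following Python is an added example, not code from Pocwierz's post or from AWS: it generates a bucket name with a random suffix that still satisfies S3's general-purpose bucket naming rules (length, allowed characters, no IPv4 look-alikes, no reserved prefixes or suffixes), and builds the keyword arguments for boto3's `s3.create_bucket()` with the region pinned explicitly. The function names and the sample prefixes are the example's own; the `CreateBucketConfiguration` / `LocationConstraint` parameters are boto3's, and the rule that `us-east-1` must omit the constraint is a documented S3 quirk. boto3 is not imported here, so the block runs offline.

```python
import re
import secrets

# S3 general-purpose bucket naming limits (from the AWS documentation).
MIN_BUCKET_NAME_LEN = 3
MAX_BUCKET_NAME_LEN = 63

# Lowercase letters, digits, dots and hyphens; alphanumeric at both ends.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Names must not look like an IPv4 address.
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Reserved prefixes/suffixes that S3 rejects for general-purpose buckets.
_RESERVED_PREFIXES = ("xn--", "sthree-")
_RESERVED_SUFFIXES = ("-s3alias", "--ol-s3", ".mrap")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies S3's general-purpose bucket naming rules."""
    if not (MIN_BUCKET_NAME_LEN <= len(name) <= MAX_BUCKET_NAME_LEN):
        return False
    if not _BUCKET_NAME_RE.match(name):
        return False
    if ".." in name or _IPV4_RE.match(name):
        return False
    if name.startswith(_RESERVED_PREFIXES) or name.endswith(_RESERVED_SUFFIXES):
        return False
    return True


def make_bucket_name(prefix: str, suffix_bytes: int = 8) -> str:
    """Build '<prefix>-<random hex>' so the name cannot collide with a tool's
    hard-coded default and is not guessable. secrets.token_hex() yields
    lowercase hex, which is always legal in a bucket name. The prefix is
    truncated if needed so the whole name stays within 63 characters."""
    suffix = secrets.token_hex(suffix_bytes)          # 2 * suffix_bytes chars
    room = MAX_BUCKET_NAME_LEN - len(suffix) - 1      # -1 for the joining hyphen
    head = prefix.lower()[:room].strip("-.")
    if not head:
        raise ValueError("prefix leaves no usable characters before the suffix")
    name = f"{head}-{suffix}"
    if not is_valid_bucket_name(name):
        raise ValueError(f"generated name is not a valid bucket name: {name!r}")
    return name


def create_bucket_kwargs(name: str, region: str) -> dict:
    """Keyword arguments for boto3's s3.create_bucket(), with the region
    stated explicitly instead of relying on the client's default. S3 requires
    the LocationConstraint to be omitted for us-east-1 and present elsewhere."""
    if not is_valid_bucket_name(name):
        raise ValueError(f"invalid bucket name: {name!r}")
    kwargs = {"Bucket": name}
    if region != "us-east-1":
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return kwargs


if __name__ == "__main__":
    # Constructed example: a generic prefix made unique by the random suffix.
    name = make_bucket_name("project-backups")
    print(name)
    print(create_bucket_kwargs(name, "eu-central-1"))
    # With boto3 this would be: boto3.client("s3", region_name="eu-central-1")
    #                            .create_bucket(**create_bucket_kwargs(name, "eu-central-1"))
```

Generating the suffix with `secrets` rather than a counter or a timestamp matters here: the point is that nobody else's default configuration, and nobody guessing, should land on the same name.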