An attacker could run you up a huge AWS bill just by sending rejected requests to an S3 bucket and there’s little you can do about it

AWS has promised action over “Denial of Wallet” risk

AWS has promised to take action after a software engineer demonstrated a malicious actor could run up a massive cloud bill for you if they know the name of your S3 bucket – just by hammering it with access requests. 

Even if your bucket is set to “private” or protected by Amazon Cloudfront (a Content Distribution Network) such attacks can still work effectively. (A quick search of Github by a Datadog engineer showed the names of over 63,000 customer S3 buckets exposed in AWS’s US East region alone.)

This happens because S3 charges for unauthorised requests even if you did not initiate them. Although AWS lets you toggle “requester pays” on, under a wide range of circumstances the bucket owner is still charged for requests – including if request authentication fails (HTTP code 403), the request is anonymous (HTTP code 403), or the request is a SOAP request.

AWS "Denial of Wallet" attack committed by accident...

In a widely circulated blog titled “How an empty S3 bucket can make your AWS bill explode”, senior software engineer Maciej Pocwierz detailed how he faced an unexpected $1300 bill in a day for a single bucket because an unnamed popular open source tool had set, “as a placeholder for a bucket name, they used… the same name that I used for my bucket.

“This meant that every deployment of this tool with default configuration values attempted to store its backups in my S3 bucket!” he wrote. 

"AWS was kind enough to cancel my S3 bill"

"AWS was kind enough to cancel my S3 bill. However, they emphasized that this was done as an exception," he added.

AWS experts soon confirmed that many “obvious” workarounds were ineffective. AWS security expert Scott Piper noted on X: "If doing things in the most secure and correct way possible can result in run-away charges, then I believe customers could be forced to leave AWS.

"Note that bill was not even due to an attacker trying to burn up the bill! What can you do? Randomly name your S3 buckets and set up billing alarms to move the bucket if an attacker guesses the name is all I know. Note that you can't ‘move’ a bucket, so you have to create a new bucket, copy the files, and delete the old one.”

He added: “Denial of Wallet attacks are a known issue in the cloud, but historically… an attacker had to compromise something for the worst problems, or you had to have something publicly exposed for them to access and there were mitigations. There are likely similar attacks due to quirks of pricing models on not just AWS but other platforms that hadn't taken into consideration someone abusing them in this way.”

Cloud engineers suggested that the issue affected a range of other AWS services too. Even with Cloudfront URL signing, "bucket names can still be accidentally leaked or guessed and unlike an API key, not changed easily," DataDog's AJ Stuyvenberg noted.

AWS Chief Evangelist Jeff Barr swiftly posted: “We agree that customers should not have to pay for unauthorized requests that they did not initiate. We’ll have more to share on exactly how we’ll help prevent these charges shortly.”

As The Stack published AWS did not have further comment or details on a fix.

See also: AWS overhauls IAM control plane after vulnerability exposed users