No More Paying for Nothin’: Amazon S3’s Zero-Charge HTTP Error Codes

  • 13/05/2024

Denver, Colorado (MAY 13, 2024) – Ah, the joys of dealing with HTTP error codes. Nothing says “good times” like your application going haywire over a 404 or a 500 error. If you’ve ever wondered if there’s a way to make dealing with these errors just a bit less painful, Amazon S3 has some good news for you. Today, AWS announced that HTTP error codes from S3 will no longer cost you a dime. Yup, you read that right. Zero. Zilch. Nada. No more crying over spilled 403s!

But let’s rewind a bit and look at how we got here. It all started with a hilariously tragic tale on Medium titled “How an Empty S3 Bucket Can Make Your AWS Bill Explode.” It’s the kind of story that starts with a routine day and ends with a cloud engineer crying into their coffee. You see, it wasn’t just a simple misconfiguration; it was a comedy of errors involving open-source tools, misdirected backups, and a hefty bill that could make even the most hardened DevOps pro break into a cold sweat.

The Tale of the Exploding Bucket

Imagine you create an empty, private AWS S3 bucket in a region of your choice. What will your AWS bill be the next morning? Our protagonist found out the hard way. While working on a proof of concept for a document indexing system, he created an S3 bucket and uploaded some files for testing. A couple of days later, he checked his AWS billing page, expecting everything to be well within the free-tier limits. Surprise! His bill was over $1,300, thanks to nearly 100,000,000 S3 PUT requests executed within just one day.

Where Were These Requests Coming From?

AWS doesn’t log requests against your S3 buckets by default, but after enabling CloudTrail logs, it became clear: thousands of write requests were bombarding his bucket from multiple accounts. It turned out that a popular open-source tool had a default configuration to store backups in S3, using the same name as our protagonist’s bucket. Every deployment of this tool with default values attempted to store its backups in his bucket!
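A triage sketch for the CloudTrail step described above, added here as an example and not taken from the original Medium post or from AWS: it groups failed write calls against one bucket by calling account and user agent. The account IDs, bucket name, user agents and the `make_event` helper are constructed for illustration; the record fields follow the CloudTrail S3 data-event layout.

```python
from collections import Counter

OWNER_ACCOUNT = "111111111111"   # constructed account id of the bucket owner
BUCKET = "example-backups"       # constructed bucket name
WRITE_EVENTS = {"PutObject", "CreateMultipartUpload", "UploadPart"}

def make_event(name, account, agent, bucket, error=None):
    """Build a constructed CloudTrail S3 data-event record (only fields used here)."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"accountId": account}, "userAgent": agent,
           "requestParameters": {"bucketName": bucket}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample: two foreign accounts failing writes, plus noise to filter out.
SAMPLE_EVENTS = [
    make_event("PutObject", "222222222222", "backup-tool/1.0", BUCKET, "AccessDenied"),
    make_event("PutObject", "222222222222", "backup-tool/1.0", BUCKET, "AccessDenied"),
    make_event("PutObject", "333333333333", "backup-tool/1.0", BUCKET, "AccessDenied"),
    make_event("PutObject", OWNER_ACCOUNT, "aws-cli/2", BUCKET),                # owner, succeeded
    make_event("GetObject", "444444444444", "curl/8", BUCKET, "AccessDenied"),  # not a write
    make_event("PutObject", "222222222222", "backup-tool/1.0", "other-bucket", "AccessDenied"),
]

def denied_writes_by_caller(events, bucket, owner_account):
    """Count failed write calls on `bucket` per (account, user agent) for outside callers."""
    counts = Counter()
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if (ev.get("requestParameters") or {}).get("bucketName") != bucket:
            continue
        if ev.get("eventName") not in WRITE_EVENTS or "errorCode" not in ev:
            continue
        caller = (ev.get("userIdentity") or {}).get("accountId", "anonymous")
        if caller == owner_account:
            continue
        counts[(caller, ev.get("userAgent", "unknown"))] += 1
    return counts.most_common()   # busiest caller first

if __name__ == "__main__":
    for (account, agent), n in denied_writes_by_caller(SAMPLE_EVENTS, BUCKET, OWNER_ACCOUNT):
        print(f"{n:>6}  account={account}  agent={agent}")
```

A single user agent shared across many unrelated accounts, as in the sample, is the signature of a tool default rather than a targeted caller.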

S3 Charges for Unauthorized Requests

Adding insult to injury, AWS charges for unauthorized requests, even those that result in a 4xx error. So, if someone tries to write to your bucket and gets an AccessDenied error, you still get billed. And, if that weren’t enough, requests without a specified region default to us-east-1, which means additional costs for redirected requests.

The Security Angle

With all those misconfigured systems trying to back up their data into his S3 bucket, our hero decided to open it for public writes. In less than 30 seconds, he collected over 10GB of data from various sources, revealing just how dangerous an innocent configuration oversight could be.

Lessons Learned

  1. Anyone Who Knows Your Bucket Name Can Ramp Up Your AWS Bill: There’s no foolproof way to protect your bucket from being accessed directly through the S3 API.
  2. Use Random Suffixes for Bucket Names: This reduces vulnerability to misconfigured systems and intentional attacks.
  3. Specify the AWS Region Explicitly: Avoid additional costs from S3 API redirects.
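Lessons 2 and 3 as code, added here as an example and not part of the original post: a bucket-name generator with a random suffix, and create-bucket arguments that state the region explicitly. The function names and the prefix are assumptions; the name check is deliberately stricter than S3's full rules (lowercase letters, digits and hyphens only).

```python
import re
import secrets

# Conservative subset of S3 naming rules: 3-63 chars, lowercase letters,
# digits and hyphens, starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")

def random_bucket_name(prefix, suffix_bytes=8):
    """Return '<prefix>-<random hex>', trimming the prefix to fit 63 characters."""
    suffix = secrets.token_hex(suffix_bytes)           # 16 hex chars by default
    prefix = prefix.lower().strip("-")[: 63 - len(suffix) - 1].rstrip("-")
    name = f"{prefix}-{suffix}" if prefix else suffix
    if not BUCKET_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid bucket name: {name!r}")
    return name

def create_bucket_kwargs(name, region):
    """Arguments for boto3's S3 create_bucket with the region stated explicitly."""
    kwargs = {"Bucket": name}
    if region != "us-east-1":   # us-east-1 rejects an explicit LocationConstraint
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return kwargs

# Usage with boto3 (not imported here so the block runs offline):
#   s3 = boto3.client("s3", region_name=region)   # pin the region on the client too
#   s3.create_bucket(**create_bucket_kwargs(name, region))

if __name__ == "__main__":
    name = random_bucket_name("doc-index-poc")      # constructed prefix
    print(name, create_bucket_kwargs(name, "eu-west-1"))
```

The random suffix only helps against collisions with tool defaults and guessable names; it does not make the bucket name a secret.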

Aftermath

The open-source tool maintainers fixed the default configuration, AWS kindly canceled the massive bill (as a one-time exception), and our protagonist learned some valuable lessons.

AWS to the Rescue

Fast forward to today: AWS has decided to ease the pain. As of now, Amazon S3 HTTP error codes will no longer cost you a penny. Whether it’s a 403, 404, or even the dreaded 500, those errors are now free of charge.

This change is a game-changer for businesses big and small. It means more predictable billing, fewer unpleasant surprises, and a bit more wiggle room to innovate and, yes, occasionally mess up without financial penalty. This is AWS saying, “Hey, we get it. Sometimes things go wrong. Let’s not add to your troubles.”

So, here’s to AWS for making life a bit easier and a lot less expensive for us all. Let’s raise a virtual toast to no more paying for HTTP error codes. Next time you see a 404, instead of a grimace, you can afford a little smile. After all, it’s on the house now.

Happy (error-free) clouding, everyone! 🌥️

About Cloud303

Specializing in Amazon Web Services (AWS), Cloud303 provides a comprehensive array of cloud computing services and expertise. From Infrastructure as a Service (IaaS) to Managed Services and Consulting, Cloud303 has a proven track record of serving Fortune 100 clients. The company prides itself on aligning its solutions with the AWS Well-Architected Framework, guaranteeing secure, efficient, and scalable operations in the cloud.
