A private, empty Amazon S3 (Simple Storage Service) bucket unexpectedly racked up a $1,300 bill in just two days. One software developer's cautionary tale has revealed that AWS customers are charged for unauthorized, failed requests, and that some bucket names are cursed.
If an attacker or a rogue service knows or guesses the name of a private AWS S3 bucket, it can send a large number of requests to it. Write requests such as PUTs are counted as write operations and billed at $0.005 per 1,000 requests, even when they are denied.
That’s exactly what happened to Maciej Pocwierz, Senior Software Engineer at Semantive.
“I began working on the PoC of a document indexing system for my client. I created a single S3 bucket in the eu-west-1 region and uploaded some files there for testing. Two days later, I checked my AWS billing page, primarily to make sure that what I was doing was well within the free-tier limits. Apparently, it wasn’t. My bill was over $1,300, with the billing console showing nearly 100,000,000 S3 PUT requests executed within just one day!” Pocwierz shared his story on Medium.
To him, it looked like some kind of DDoS (distributed denial of service) attack. After checking the logs, however, he found the real cause: the default configuration of a popular open-source tool, which stores its backups in an S3 bucket.
“As a placeholder for a bucket name, they used… the same name that I used for my bucket. This meant that every deployment of this tool with default configuration values attempted to store its backups in my S3 bucket!” Pocwierz said. “A horde of misconfigured systems is attempting to store their data in my private S3 bucket.”
AWS support explained to him that S3 charges for unauthorized requests.
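The logs Pocwierz checked are the place a bucket owner would first notice this pattern: a burst of denied PUTs from sources that never authenticate. The following is an added example, not code from the article, from Pocwierz or from AWS, that parses S3 server access log lines, counts denied write requests by user agent and source IP, and estimates the request charge at the $0.005 per 1,000 rate quoted above. It assumes server access logging is enabled on the bucket; the log lines, bucket name, IPs and IDs are constructed placeholders.

```python
"""Spot a flood of denied write requests in S3 server access logs.

Added example (not code from the article, from Pocwierz, or from AWS).
It assumes S3 server access logging is enabled on the bucket and that the
log lines are available as text. The log lines below are constructed,
with placeholder owner, request and host IDs.
"""
import re
from collections import Counter

# A log field is a [bracketed timestamp], a "quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Zero-based positions in the S3 server access log record layout.
F_BUCKET, F_REMOTE_IP, F_REQUESTER, F_OPERATION = 1, 3, 4, 6
F_STATUS, F_ERROR_CODE, F_USER_AGENT = 9, 10, 16

# S3 price for PUT/COPY/POST/LIST requests quoted in the article (USD per 1,000).
PRICE_PER_1000_PUTS = 0.005

# Constructed sample: four anonymous denied PUTs from one tool, one legitimate
# PUT by the owner's IAM user, and one denied GET.
SAMPLE_LOG = """\
OWNERID example-bucket [28/Apr/2024:10:00:01 +0000] 198.51.100.7 - REQ0001 REST.PUT.OBJECT backups/db-0428.tar "PUT /example-bucket/backups/db-0428.tar HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "backup-tool/1.2" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
OWNERID example-bucket [28/Apr/2024:10:00:01 +0000] 198.51.100.7 - REQ0002 REST.PUT.OBJECT backups/db-0428.tar "PUT /example-bucket/backups/db-0428.tar HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "backup-tool/1.2" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
OWNERID example-bucket [28/Apr/2024:10:00:02 +0000] 203.0.113.9 - REQ0003 REST.PUT.OBJECT backups/db-0428.tar "PUT /example-bucket/backups/db-0428.tar HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "backup-tool/1.2" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
OWNERID example-bucket [28/Apr/2024:10:00:02 +0000] 203.0.113.9 - REQ0004 REST.PUT.OBJECT backups/db-0428.tar "PUT /example-bucket/backups/db-0428.tar HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "backup-tool/1.2" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
OWNERID example-bucket [28/Apr/2024:10:00:03 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/dev REQ0005 REST.PUT.OBJECT test/doc1.pdf "PUT /example-bucket/test/doc1.pdf HTTP/1.1" 200 - - 1024 12 9 "-" "aws-cli/2.15" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
OWNERID example-bucket [28/Apr/2024:10:00:04 +0000] 203.0.113.9 - REQ0006 REST.GET.OBJECT backups/latest "GET /example-bucket/backups/latest HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "backup-tool/1.2" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
"""


def parse_line(line):
    """Return the fields this analysis needs, or None for a malformed line."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) <= F_USER_AGENT:
        return None
    return {
        "bucket": tokens[F_BUCKET],
        "remote_ip": tokens[F_REMOTE_IP],
        "requester": tokens[F_REQUESTER],   # "-" means an anonymous request
        "operation": tokens[F_OPERATION],   # e.g. REST.PUT.OBJECT
        "status": int(tokens[F_STATUS]),
        "error_code": tokens[F_ERROR_CODE],
        "user_agent": tokens[F_USER_AGENT],
    }


def estimate_put_cost(n_requests, price_per_1000=PRICE_PER_1000_PUTS):
    """Request charge for n PUT-class requests; denied requests are billed too."""
    return n_requests / 1000 * price_per_1000


def summarize_denied_writes(log_text):
    """Count denied PUT-class requests and break them down by source."""
    summary = {
        "denied_puts": 0,
        "anonymous": 0,
        "by_user_agent": Counter(),
        "by_remote_ip": Counter(),
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 403 and rec["operation"].startswith("REST.PUT."):
            summary["denied_puts"] += 1
            summary["by_user_agent"][rec["user_agent"]] += 1
            summary["by_remote_ip"][rec["remote_ip"]] += 1
            if rec["requester"] == "-":
                summary["anonymous"] += 1
    summary["estimated_cost_usd"] = estimate_put_cost(summary["denied_puts"])
    return summary


def noisy_sources(summary, threshold):
    """User agents whose denied PUT count meets the threshold, busiest first."""
    return [ua for ua, n in summary["by_user_agent"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize_denied_writes(SAMPLE_LOG)
    print(f"denied PUTs: {s['denied_puts']} (anonymous: {s['anonymous']})")
    for ua in noisy_sources(s, threshold=3):
        print(f"  flood from user agent {ua!r}: {s['by_user_agent'][ua]} denied PUTs")
    print(f"estimated request charge: ${s['estimated_cost_usd']:.5f}")
    print(f"100,000,000 PUTs cost ${estimate_put_cost(100_000_000):.2f} in request fees alone")
```

On real logs, the user-agent breakdown is what points at a single misconfigured product rather than a distributed attack, and a high share of anonymous requesters confirms the traffic is not from the owner's own principals. Note that the request-fee estimate covers only the PUT charge; the article mentions that region redirects are billed separately.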
The software engineer even demonstrated a simple exploit: anyone who knows a bucket name, even without an AWS account, can send requests to it. Each request is denied, but the owner is charged for it.
He also discovered that AWS redirects S3 requests that do not specify a region to us-east-1 by default, and that redirects cost extra.
Other developers quickly discovered thousands of other references to AWS buckets on GitHub.
But that pales in comparison to the observed security issue. As an experiment, Pocwierz opened his bucket for public writes and observed over 10GB of data flowing in less than 30 seconds.
“I can’t disclose whose data it was. But it left me amazed at how an innocent configuration oversight could lead to a dangerous data leak!” Pocwierz explains.
He learned that a single machine can easily execute thousands of requests per second, and each thousand is priced at $0.005.
Later on LinkedIn, Pocwierz said that he deleted the affected bucket because it was “way too expensive to keep it.”
“I thought about sharing the bucket name publicly, but a malicious actor could steal data of the impacted companies if I did that,” he explained.
While the developers of the vulnerable open-source tool promptly fixed the default configuration, many existing deployments of the software still carry the cursed bucket name.
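The root cause was a shipped default that looked like a real destination. As an added example with a hypothetical backup tool (the article does not name the real one, and this is not its code), the block below puts the weak pattern beside a fail-closed loader: no default bucket at all, rejection of well-known placeholder names, a check against the general-purpose S3 bucket naming rules, and a required region so requests are not sent to the default endpoint and redirected. Environment variable names and placeholder values are assumptions of the example.

```python
"""A shipped placeholder bucket name beside a fail-closed configuration loader.

Added example with a hypothetical backup tool; the article does not name
the real tool, and this is not its code. It shows why a plausible default
such as "my-backup-bucket" is dangerous and how to require an explicit,
validated destination instead. BACKUP_BUCKET and AWS_REGION are assumed
variable names for this example.
"""
import re


class ConfigError(ValueError):
    """Raised when the backup destination is missing or looks like a placeholder."""


# Weak: every deployment that never sets BACKUP_BUCKET silently targets whoever
# owns this name, producing exactly the denied-PUT flood described in the article.
WEAK_DEFAULTS = {"backup_bucket": "my-backup-bucket", "region": None}


def load_config_weak(env):
    """The pattern that caused the incident: a real-looking default bucket name."""
    return {
        "backup_bucket": env.get("BACKUP_BUCKET", WEAK_DEFAULTS["backup_bucket"]),
        "region": env.get("AWS_REGION", WEAK_DEFAULTS["region"]),
    }


# Hardened: no default bucket at all, and values that look like documentation
# placeholders are rejected so a copied sample config cannot go live unchanged.
PLACEHOLDER_NAMES = {"my-backup-bucket", "your-bucket-name", "example-bucket", "changeme"}

# General-purpose S3 bucket naming rules: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_BUCKET_NAME = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{1,61})[a-z0-9]$")


def load_config_strict(env):
    """Fail closed: refuse to start rather than write to a guessed destination."""
    bucket = env.get("BACKUP_BUCKET", "").strip()
    if not bucket:
        raise ConfigError("BACKUP_BUCKET is required; the tool ships no default bucket")
    if bucket.lower() in PLACEHOLDER_NAMES:
        raise ConfigError(f"BACKUP_BUCKET={bucket!r} looks like a placeholder, refusing to start")
    if not _BUCKET_NAME.match(bucket):
        raise ConfigError(f"BACKUP_BUCKET={bucket!r} is not a valid S3 bucket name")
    region = env.get("AWS_REGION", "").strip()
    if not region:
        # Requests without a region go to the default endpoint and are redirected;
        # the article notes that those redirects are billed as well.
        raise ConfigError("AWS_REGION is required so requests go straight to the bucket's region")
    return {"backup_bucket": bucket, "region": region}


def check_startup(env, loader=load_config_strict):
    """Run a loader and report (ok, detail) instead of raising, for health checks."""
    try:
        cfg = loader(env)
    except ConfigError as exc:
        return False, str(exc)
    return True, f"backups -> s3://{cfg['backup_bucket']} in {cfg['region']}"


if __name__ == "__main__":
    print("weak loader with empty env:", load_config_weak({}))
    for env in ({}, {"BACKUP_BUCKET": "my-backup-bucket", "AWS_REGION": "eu-west-1"},
                {"BACKUP_BUCKET": "acme-prod-backups-7f3a", "AWS_REGION": "eu-west-1"}):
        print("strict loader:", check_startup(env))
```

The weak loader returns a usable-looking configuration from an empty environment, which is exactly how a horde of untouched deployments ends up writing to one stranger's bucket; the strict loader turns the same empty environment into a startup failure that the operator has to fix.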
“AWS was kind enough to cancel my S3 bill. However, they emphasized that this was done as an exception,” Pocwierz said in his blog post.
Jeff Barr, chief evangelist for AWS at Amazon, responded to Pocwierz's story on X.
“Thank you to everyone who brought this article to our attention. We agree that customers should not have to pay for unauthorized requests that they did not initiate. We’ll have more to share on exactly how we’ll help prevent these charges shortly,” he said.
Updated on May 2nd [12:20 p.m. GMT] with a statement from Jeff Barr, chief evangelist for AWS at Amazon