Relief for AWS customers: no charges for unauthorized S3 requests


Amazon Web Services (AWS) will no longer charge for unauthorized requests to Simple Storage Service (S3) buckets.

Cybernews previously reported on the issue of owners of private and empty Amazon S3 buckets being charged for unauthorized requests to access them. One engineer discovered that accidentally choosing a 'cursed' name, one that is used in many GitHub repositories, can quickly rack up a large bill.

The vulnerability enabled hackers who either knew a bucket name or were able to guess it to initiate many requests, all of which would be denied. However, the bucket owner would still be charged for each request.

In response, AWS has released a statement saying that S3 will no longer charge for requests that return several HTTP error codes if they are initiated from outside the bucket owner's AWS account or AWS Organization.

“Amazon S3 will make a change so unauthorized requests that customers did not initiate are free of charge. With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their individual AWS account or AWS Organization,” the statement reads.

Requests that return certain other error codes in the HTTP 3XX and 4XX ranges will also no longer be billed. AWS publishes the full table.

The billing change requires no changes to customer applications and applies to all S3 buckets.

Customers can now breathe easier in all AWS Regions, including the AWS GovCloud Regions and the AWS China Regions. AWS plans to post another update in a few weeks when the deployment is completed.