AWS footgun
I’ve been using AWS many years now for many different things, and it goes without saying that it requires its own set of skills to use correctly.
S3 buckets
At first there was the danger of public S3 buckets, AWS made a lot of changes to prevent those from being created. Still businesses are leaking patient data and all sorts of goodies on S3 buckets, but at least they can’t say they haven’t been warned.
Now I just found out that it doesn’t matter if you have a 100% private bucket, anyone can still send PUT requests to it that are unauthorized and billed to your account.
That means you have to rely on security by obscurity, and any S3 bucket name now becomes a password preventing a malicious actor from raising your bill to thousands of dollars.
S3 static site hosting
S3 static site hosting recommends you to create buckets that match your domain, so you’ve already leaked your bucket name right there. Which is why all my static sites these last 4 years have been using Cloudfront and randomized bucket names.
This also adds a cache infront preventing clients from sending exhausting requests directly to S3.
Elasticbeanstalk
I haven’t used this in 5 years but I still had two empty buckets left over with predictable names containing my account ID. Quite unintuitively I had to first delete their permissions policy before I could delete the buckets.
As we read recently, AWS leaks account IDs and do not consider them private.
Mitigation
So I’ve been cleaning up my buckets today and I will be changing my randomized strings from 8 to 16 characters ASAP, and of course ensure the full bucket name only exists in your private Terraform state.
Obviously you should have a budget alert, but so far there is no budget ceiling feature in AWS. You just have to hope that budget alert reaches you in time.
Budget alerts can be tied to Lambdas so I really hope someone comes up with a clever way to automatically shutdown or pause services based on budget alerts.
With powerful AWS comes great responsibility
To their credit, AWS offers a very powerful platform to do amazing things on, and you can solve all these problems with enough setup. But it is tempting for a lot of people to use AWS without knowing what they’re doing, as seen on the AWS subreddit people have been billed thousands of dollars shooting their own foot off with AWS.