This is one chapter in a longer story. At the end of April, "How an empty S3 bucket can make your AWS bill explode" described waking up to a US$1,300 bill because someone (with no permission at all) had hammered the author's S3 bucket with 100M requests (one hundred million). Even though every one of them came back as a 403 Access Denied, the request and bandwidth charges still had to be paid.
For someone who wants to cause trouble, Amazon S3 in us-east-1 charges $0.005 per 1K requests (PUT, COPY, POST, LIST), which in a larger unit is $5 per 1M requests. A tool like ab can trivially push more than a thousand reqs/sec, and with something like k6 a single machine is probably enough to run up a painful bill?
When the author contacted AWS support, the answer was that he had to pay ("it's not a bug, it's a feature"):
Yes, S3 charges for unauthorized requests (4xx) as well[1]. That’s expected behavior.
The story then spread through the community and reached Jeff Barr, who publicly stated that in his view customers should not pay for the cost of unauthorized requests (presumably after discussing it with other senior people internally first), which amounted to announcing that it would be changed:
Thank you to everyone who brought this article to our attention. We agree that customers should not have to pay for unauthorized requests that they did not initiate. We’ll have more to share on exactly how we’ll help prevent these charges shortly.#AWS #S3
How an empty S3…
— Jeff Barr ☁️ (@jeffbarr) April 30, 2024
This had apparently been raised before, though: Colin Percival pointed out directly that he had reported it back in 2006, when Amazon S3 had just launched:
For the record, I pointed out this issue to the Amazon S3 team in 2006. They recommended keeping my S3 bucket names secret. https://t.co/P4jTYkAE7S
— Colin Percival (@cperciva) April 30, 2024
Anyway, two weeks later I just saw the announcement of the billing change: "Amazon S3 will no longer charge for several HTTP error codes".
403s triggered by requests that do not come from your own account are no longer charged (neither the request fee nor the bandwidth fee):
With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error response if initiated from outside their individual AWS account or AWS Organization.
There is also a new page, "Billing for Amazon S3 error responses", dedicated to this. Its list is the more complete one: besides 403, other HTTP response codes are not billed either:
The current page shows a full list of HTTP 3XX and 4XX status codes that won't be billed.
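To put numbers on the two passages above (the $0.005 per 1K request price a flood runs against, and the new rule that 403s from outside your account or Organization are free), here is an added example that is not code from the original post or from AWS. It parses S3 server access log records in the layout AWS documents (space-separated fields, the timestamp in brackets, the request-URI, referer and user-agent in quotes), counts the 403s that came from outside the owner's own principals, and prices them the way the old rule did. The log lines are constructed, the owner canonical ID and requester values are made up, and `OWN_REQUESTERS` is an assumed mapping from the requester field to "inside my account or Organization".

```python
"""Spot an unauthorized-request flood in S3 server access logs and price it.

Added example, not code from the original post. The record layout follows
the AWS-documented S3 server access log format; the sample lines below are
constructed, not real captures, and only the first 17 fields are included.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One token is a bracketed timestamp, a quoted string, or a bare field.
# 0-based positions in the documented layout: 1 bucket, 3 remote IP,
# 4 requester, 6 operation, 9 HTTP status, 10 error code.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Price quoted in the post: $0.005 per 1,000 PUT/COPY/POST/LIST requests (us-east-1).
PRICE_PER_1K_USD = 0.005

# Assumption: requester-field values that belong to our own account/Organization.
OWN_REQUESTERS = {"79a59df9EXAMPLE"}

# Constructed sample: an anonymous PUT flood, a flood signed by a foreign account,
# and three requests from the owner (one OK, one 404, one 403 from a misconfigured role).
SAMPLE_LOG = """\
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:15:01 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.PUT.OBJECT blob-0001 "PUT /blob-0001 HTTP/1.1" 403 AccessDenied - - 3 - "-" "ab/2.3"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:15:01 +0000] 198.51.100.7 - 3E57427F4EXAMPLE REST.PUT.OBJECT blob-0002 "PUT /blob-0002 HTTP/1.1" 403 AccessDenied - - 2 - "-" "ab/2.3"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:15:02 +0000] 198.51.100.7 - 3E57427F5EXAMPLE REST.PUT.OBJECT blob-0003 "PUT /blob-0003 HTTP/1.1" 403 AccessDenied - - 3 - "-" "ab/2.3"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:15:02 +0000] 203.0.113.9 deadbeefFOREIGNACCT 3E57427F6EXAMPLE REST.PUT.OBJECT backup.tar "PUT /backup.tar HTTP/1.1" 403 AccessDenied - - 4 - "-" "aws-cli/2.15"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:15:03 +0000] 203.0.113.9 deadbeefFOREIGNACCT 3E57427F7EXAMPLE REST.PUT.OBJECT backup.tar "PUT /backup.tar HTTP/1.1" 403 AccessDenied - - 4 - "-" "aws-cli/2.15"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:16:00 +0000] 192.0.2.10 79a59df9EXAMPLE 3E57427F8EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 262 - 12 11 "-" "aws-cli/2.15"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:16:01 +0000] 192.0.2.10 79a59df9EXAMPLE 3E57427F9EXAMPLE REST.GET.OBJECT missing.txt "GET /missing.txt HTTP/1.1" 404 NoSuchKey - - 5 - "-" "aws-cli/2.15"
79a59df9EXAMPLE my-empty-bucket [30/Apr/2024:02:16:02 +0000] 192.0.2.10 79a59df9EXAMPLE 3E57427FAEXAMPLE REST.PUT.OBJECT notes.txt "PUT /notes.txt HTTP/1.1" 403 AccessDenied - - 3 - "-" "aws-cli/2.15"
"""


@dataclass(frozen=True)
class Record:
    bucket: str
    remote_ip: str
    requester: str     # "-" means the request was not signed (anonymous)
    operation: str
    status: int
    error_code: str    # "-" when the request succeeded


def parse_record(line: str) -> Record:
    f = TOKEN_RE.findall(line)
    return Record(bucket=f[1], remote_ip=f[3], requester=f[4],
                  operation=f[6], status=int(f[9]), error_code=f[10])


def is_external_denial(rec: Record, own_requesters: set) -> bool:
    """A 403 that did not come from one of the owner's own principals.
    Anonymous ("-") requests are always external; signed ones are external
    when the requester is not in own_requesters (assumed account mapping)."""
    if rec.status != 403:
        return False
    return rec.requester == "-" or rec.requester not in own_requesters


def summarize(log_text: str, own_requesters: set,
              price_per_1k: float = PRICE_PER_1K_USD) -> dict:
    """Count external 403s per (remote IP, requester) and price them under the
    old rule, where every request was billed regardless of status."""
    by_source = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if is_external_denial(rec, own_requesters):
                by_source[(rec.remote_ip, rec.requester)] += 1
    total = sum(by_source.values())
    return {
        "external_denied": total,
        "by_source": dict(by_source),
        "old_rule_usd": total * price_per_1k / 1000,
        "new_rule_usd": 0.0,   # after the change: no request or bandwidth charge
    }


def flood_cost_per_hour(reqs_per_sec: float,
                        price_per_1k: float = PRICE_PER_1K_USD) -> float:
    """What a sustained flood at this rate used to cost the owner per hour."""
    return reqs_per_sec * 3600 / 1000 * price_per_1k


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, OWN_REQUESTERS))
    print(f"1000 req/s of denied PUTs: ${flood_cost_per_hour(1000):.2f}/hour under the old rule")
```

The owner's own 403 (last sample line) is deliberately left out of the count, since the change only covers requests initiated from outside the account or Organization; under the old rule the 1,000 req/s that ab reaches without effort comes to $18 per hour at the PUT/LIST rate, and GET-class requests are priced differently, so adjust `price_per_1k` to the operation class you see in your logs. Real records come from the bucket you configured as the server access logging target, and the requester field there carries canonical IDs or IAM identities rather than the placeholder values used here.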
An 18-year-old hole, finally patched...