**Jonty Wareing** @jonty@chaos.social · Apr 29, 2024, 21:04

**Jonty Wareing** @jonty@chaos.social · Apr 29, 2024, 21:04

Jonty Wareing @jonty@chaos.social

Apr 29, 2024, 21:04

Jonty Wareing @jonty@chaos.social

User: you charge me when people make unauthorised requests to an S3 bucket?

AWS: yes of course

User: but

AWS: working as intended

User: but

AWS: thank you for your money

https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1

**Merospit** @merospit@infosec.exchange · Apr 30, 2024, 01:03

**Merospit** @merospit@infosec.exchange · Apr 30, 2024, 01:03

Apr 30, 2024, 01:03

Merospit @merospit@infosec.exchange

@jonty The bucket names are not really secret, as you can make URLs up using them as part of the domain. This is a huge monetary risk for all AWS customers using S3 and doesn't give much credence to the "Shared Responsibility Model" that AWS use whenever they are blamed for security issues.

**dbread** @dbread@qoto.org · 2024-04-30T10:40:53Z

dbread @dbread@qoto.org

@merospit @jonty

Does this apply for #influxdb billing too? The bucket is also simply a part of the query url.

Apr 30, 2024, 10:40 · · · ·

Trending now

Resources

Developers

What is Mastodon?

qoto.org

More…