Amazon AWS S3 Eliminates Ridiculous Error Response Charges to Prevent Developers from Going Bankrupt Overnight
The S3 object storage service of Amazon's cloud computing platform AWS is widely used by developers and businesses. S3 buckets can store various files and can be configured for public internet access, and many developers store static files directly in S3 and serve them from there.
However, there's an issue. S3 buckets charge for HTTP requests and bandwidth usage, which seems reasonable. But AWS's billing rules also charged for requests that ended in an error.
Previously, a developer found that their S3 bucket was being accessed at high frequency by unauthorized individuals. The developer then blocked access from the corresponding IP/User-Agent, which resulted in errors like HTTP 403 when attempting access.
Unexpectedly, this still resulted in a hefty bill from AWS, because AWS also charges for requests that return HTTP 403. Even if a specific IP or User-Agent is blocked, continued high-frequency malicious requests from that entity can generate a huge bill for the developer, potentially bankrupting some developers overnight.
After contacting AWS about the issue, AWS waived the request charge for this case. However, AWS emphasized that this was a legitimate charge, as their billing rules did not specify that HTTP 403 requests were free.
This issue has raised concerns among many developers and businesses. Since the names of AWS S3 buckets are customizable, while the rest of the address is fixed, it's possible to enumerate various bucket names to intentionally inflate bills. This problem is almost unavoidable for developers and businesses, as returning 403 or any other error code still incurs charges.
On May 13, AWS announced an important billing update, stating that all unauthorized requests from personal or business AWS accounts in all regions would no longer be charged, including bandwidth fees.
An additional note mentioned that if the request originates from the account owner, HTTP 403 requests will still incur charges. Therefore, developers are advised to check their API keys and avoid direct calls from their own accounts to prevent accidental 403 errors that would still be billed.
Below are the updated AWS S3 status codes that are not charged (except for owner access):
- HTTP 301
- HTTP 307
- HTTP 400
- HTTP 403
- HTTP 404
- HTTP 405
- HTTP 409
- HTTP 411
- HTTP 412
- HTTP 5XX
Additionally, if developers have set up custom error documents or custom redirects, all requests, regardless of status, will continue to incur request charges and the associated bandwidth fees.
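The rules above (the uncharged status list, the owner exception, and the custom error document caveat) can be checked against S3 server access logs. The following Python sketch is an added example, not code from AWS or from this article: the field order follows the S3 server access log format, the sample records are constructed, and treating a requester as the account owner when its ID is in the caller-supplied set `own_principals` is an assumption.

```python
import re
from collections import Counter

# Status codes the article lists as not charged; 5XX is handled as a range.
UNBILLED = {301, 307, 400, 403, 404, 405, 409, 411, 412}

# Leading fields of an S3 server access log record, up to the HTTP status.
LOG_RE = re.compile(
    r'(?P<owner>\S+) (?P<bucket>\S+) \[[^\]]+\] (?P<ip>\S+) '
    r'(?P<requester>\S+) \S+ \S+ \S+ "[^"]*" (?P<status>\d{3}) '
)

def classify(lines, own_principals, custom_error_docs=False):
    """Tally error responses by sender and by whether the article's rules bill them."""
    owner_billed = Counter()     # (requester, status): errors from our own principals
    external_free = Counter()    # ip: error requests that are no longer charged
    external_billed = Counter()  # ip: still charged (custom error document/redirect)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a record this sketch understands
        status = int(m["status"])
        if not (status in UNBILLED or 500 <= status <= 599):
            continue  # success or unlisted status: normal billing applies
        if m["requester"] in own_principals:
            owner_billed[(m["requester"], status)] += 1
        elif custom_error_docs:
            external_billed[m["ip"]] += 1
        else:
            external_free[m["ip"]] += 1
    return owner_billed, external_free, external_billed

# Constructed sample records: the owner ID, bucket and addresses are made up.
OWNER = "79a59df900b949e5EXAMPLE"
PREFIX = f"{OWNER} example-bucket [01/Jan/2024:10:00:01 +0000]"
SAMPLE = [
    f'{PREFIX} 198.51.100.7 - R1 REST.GET.OBJECT a.txt "GET /a.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -',
    f'{PREFIX} 198.51.100.7 - R2 REST.GET.OBJECT b.txt "GET /b.txt HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.0" -',
    f'{PREFIX} 203.0.113.9 - R3 REST.GET.OBJECT c.txt "GET /c.txt HTTP/1.1" 404 NoSuchKey 270 - 6 - "-" "Mozilla/5.0" -',
    f'{PREFIX} 192.0.2.10 {OWNER} R4 REST.GET.OBJECT d.txt "GET /d.txt HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "aws-cli/2" -',
    f'{PREFIX} 192.0.2.10 {OWNER} R5 REST.GET.OBJECT e.txt "GET /e.txt HTTP/1.1" 200 - 1024 1024 9 8 "-" "aws-cli/2" -',
]

if __name__ == "__main__":
    owner_billed, external_free, external_billed = classify(SAMPLE, {OWNER})
    print("owner errors still billed:", dict(owner_billed))
    print("external errors not billed:", dict(external_free))
```

A non-empty `owner_billed` result points at misconfigured keys or clients inside your own account, which is the case the article says is still charged.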