16

I have little security knowledge and am looking at image hosting for a startup:

Considering S3 doesn't allow you to set a cap on costs, how likely is it that someone could flood S3 with requests for my files and run up a considerable amount of money?

Say I have a 2MB document, is it possible for someone to send millions of requests to get that file?

From what I understand the costs for an end user requesting a file is:

Request Pricing:

GET and all other Requests † $0.01 per 10,000 requests

Data Transfer Pricing:

Up to 10 TB / month $0.120 per GB

Does that pricing mean this is a non-issue?

Does Amazon S3 have security measures in place to stop something like that happening?

going

5 Answers

24

Figure out the cost level where you start getting uncomfortable.

Calculate the GB that would need to be transferred to reach that cost level.

See if you think an attacker will be willing to spend that much effort to hurt you for that amount of money.

Every time I run this calculation I end up thinking that if somebody hated me that much, they could certainly find an easier way to hurt me.

For example, a million downloads of your 2MB document is going to cost you about $240 in data transfer charges plus $1 in request charges. To create this cost to you, the attacker is going to have to download 2,000 GB (2TB). That's weeks of completely filling up a 10Mbps line. Just for a measly $240 impact.

Amazon generally doesn't discuss publicly all of the security measures they have in place to stop DOS, DDOS, and other attacks against their customers. In one whitepaper, Amazon says: "Proprietary DDoS mitigation techniques are used." Of course, it's not always easy to differentiate between a DDOS and a popular resource :-)

You can read more about Amazon Web Services security on their site:

http://aws.amazon.com/security/

Eric Hammond
  • +1 on the "if someone hated me that much" point. Like Chris Rock's riff about a world in which each bullet cost $1k. – zedman9991 Nov 02 '11 at 13:11
  • Thought it was $5K? – TWith2Sugars Nov 17 '11 at 16:06
  • Nobody mentioned botnets. Nobody DDoSes with a single 10 Mbps ADSL line. Hackers use botnets. The biggest botnets have millions of bots. This page is the top Google result for "amazon s3 ddos cost". I am also considering whether it is safe to use Amazon, as Amazon traffic is very expensive. – Max Mar 19 '14 at 23:35
  • You can [issue a large attack using Google docs](http://www.behind-the-enemy-lines.com/2012/04/google-attack-how-i-self-attacked.html), without hurting your humble ADSL connection. – Omar Al-Ithawi May 24 '14 at 22:28
9

Agree with Eric.

Another point: DOS/DDOS are nasty attacks that are relatively easy to make and hard to protect against at the application level. Think about what other options you have. Let's say you go to some other hosting provider and get the same attack: will it be better or worse? With Amazon, at least you can be sure that you will continue to have service and it's not going to crash under DOS.

Another thing that you may want to check is whether you can make your document size smaller (use PDF and not Word, change image quality, etc.).

AaronS
6

Although S3 doesn't allow you to set a cap on costs, there's nothing to stop you setting a cap yourself.

Add into your application soft limits which alert you if you are going well above your historical high points, and hard limits set at a reasonable level of loss. That way you get to decide what is reasonable and what isn't, according to your budget.

Mark Booth
6

In order to monitor your costs more than once a month you can enable what is called Bucket Logging. With this enabled you get the equivalent of web server access logs for your bucket delivered to you. You can then keep track of how many bytes have been transferred and by whom so there are no surprises at the end of the month.

robert
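The bucket-logging and soft/hard-limit answers above can be combined into one check. The following is an added example, not code from any poster: it assumes the standard S3 server access log field order, uses the prices quoted in the question, and its thresholds and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Prices quoted in the question; substitute your region's current rates.
PRICE_PER_GB = 0.12
PRICE_PER_REQUEST = 0.01 / 10_000

# Leading fields of an S3 server access log record, up to "bytes sent".
LOG_RE = re.compile(
    r'^\S+ \S+ \[[^\]]+\] (?P<ip>\S+) \S+ \S+ (?P<op>\S+) \S+ '
    r'"[^"]*" \S+ \S+ (?P<sent>\d+|-) '
)

def cost(requests, sent_bytes):
    """Dollar cost, using decimal GB as the first answer's arithmetic does."""
    return sent_bytes / 1e9 * PRICE_PER_GB + requests * PRICE_PER_REQUEST

def summarize(lines):
    """Per-client request count, bytes sent and cost for object GETs."""
    usage = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["op"] != "REST.GET.OBJECT":
            continue  # skip malformed records and non-download operations
        usage[m["ip"]]["requests"] += 1
        usage[m["ip"]]["bytes"] += 0 if m["sent"] == "-" else int(m["sent"])
    return {ip: {**u, "cost": cost(u["requests"], u["bytes"])}
            for ip, u in usage.items()}

def check_limits(usage, soft_usd, hard_usd):
    """Return (level, total cost, clients ordered by cost, highest first)."""
    total = sum(u["cost"] for u in usage.values())
    level = "hard" if total >= hard_usd else "soft" if total >= soft_usd else "ok"
    return level, total, sorted(usage, key=lambda ip: -usage[ip]["cost"])

# Constructed sample records (documentation IP ranges, made-up IDs).
GET = 'OWNER example-bucket [02/Nov/2011:13:00:0%d +0000] 192.0.2.10 - REQ%d ' \
      'REST.GET.OBJECT doc.pdf "GET /doc.pdf HTTP/1.1" 200 - 2000000 2000000 70 10 "-" "curl/7" -'
SAMPLE = [GET % (i, i) for i in range(3)] + [
    'OWNER example-bucket [02/Nov/2011:13:00:05 +0000] 198.51.100.7 - REQ3 '
    'REST.GET.OBJECT doc.pdf "GET /doc.pdf HTTP/1.1" 304 - - 2000000 12 - "-" "Mozilla/5.0 (X11)" -',
    'OWNER example-bucket [02/Nov/2011:13:00:06 +0000] 192.0.2.10 - REQ4 '
    'REST.PUT.OBJECT doc.pdf "PUT /doc.pdf HTTP/1.1" 200 - - 2000000 90 20 "-" "aws-cli" -',
    'not a log record',
]

if __name__ == "__main__":
    print(check_limits(summarize(SAMPLE), soft_usd=0.0005, hard_usd=0.01))
```

In practice the soft level would trigger an alert and the hard level an action such as making the object private; the sorted client list shows who is responsible for the spend.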
1

You can add logging to your account, and then monitor the logs for activity spikes.

Still, though, wish that Amazon had some sort of limits on S3. When I set up a client with their own private S3 account, this is a small problem - users can generate public URLs to say some funny cat video.... - But this has never actually happened.

Another thing you can do is to set up the account with a credit card that has a low credit limit. (Don't use the platinum card).

I have had some small MB sized assets in the public on S3 for a few years, and the bill on them is always microscopic.

Tom Andersen
  • But won't Amazon sue me if my card limit is exhausted? – porton Jul 05 '18 at 22:00
  • Amazon now has lots of limits and notifications you can have happen when things get out of control. https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/monitor-charges.html – Tom Andersen Jul 09 '18 at 19:58