What’s New on AWS

Amazon S3 will no longer charge for several HTTP error codes

https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-s3-no-charge-http-error-codes/

Amazon S3 will make a change so unauthorized requests that customers did not initiate are free of charge. With this change, bucket owners will never incur request or bandwidth charges for requests that return an HTTP 403 (Access Denied) error...

Amazon S3 will no longer charge for several HTTP error codes

Amazon Web Services, Inc.
May 13, 2024 at 6:24pmWeb
Show threadRoyce WilliamsMay 13, 2024
@awswhatsnew inb4 someone sets up C2 infra that returns a 403 with a "random error code" that also happens to be C2 payload / instruction fragments
Show threadDavid ManningMay 14, 2024
@tychotithonus @awswhatsnew ngl this was my first thought.
Show threadwaldiMay 14, 2024
@tychotithonus @awswhatsnew You can change the return message for unauthenticated users? I thought those are rejected way before it gets any actual data.
Show threadRoyce WilliamsMay 14, 2024

@waldi

Yep, you're exactly right for direct connections, but there are workarounds (rpoxy/gateway)

@awswhatsnew

Show threadwaldiMay 14, 2024
@tychotithonus @awswhatsnew But that is no longer S3, so not free?
Show threadRoyce WilliamsMay 14, 2024
@waldi
Yeah, it's a fair point!
@awswhatsnew
Show threadFrancis πŸ΄β€β˜ οΈ GulottaMay 13, 2024
@awswhatsnew lolol thanks
Show threadHelge HeßMay 14, 2024
@awswhatsnew What about 402! πŸ™ˆ
Show threadMatt PalmerMay 14, 2024
@awswhatsnew @tychotithonus and, of course, they'll be refunding charges to customers who have been hit by this in the past, right?
Show threadPeskyPotatoMay 14, 2024
@womble @awswhatsnew @tychotithonus that does seem to be the case which was communicated via a support ticket. Not sure how far back they go but I assume it'll be a case by case basis thing.
Show threadJoelleMay 14, 2024
@RainofTerra
Do they charge for 404s? If not, I can think of a way of having unlimited (albeit slow) reads using 403s for a β€œ1” and 404s for a β€œ0”. ;)
Show threadgkrnoursMay 14, 2024
@joelle @RainofTerra you coukd setup a key/null store. It's like a key/value store but key have no value, they are only set or unset
Show threadwaldiMay 14, 2024
@joelle @RainofTerra You would need to set an really large access policy for that.
Show threadMattMay 14, 2024
@awswhatsnew I wonder if #aws will offer any refunds of existing charges and, if so, how far they will go back
Show threadMaeMay 15, 2024
@awswhatsnew boooo! Lameeee