www.youtube.com
AWS S3 Is Having Some Serious Issues...
Excerpt
### Transcript

{ts:0} I know, I know, clickbait title. I promise you though, this is worth it. The chaos {ts:4} that is S3 has been frustrating me for years. I have tweets going back almost four years ago where I was begging for a {ts:10} better S3 alternative for modern full-stack devs. I kept getting "skill issue, S3 is so easy, why are you having all these {ts:16} problems?" Thankfully, over the last few years, especially the last few weeks, it seems like people are finally noticing how {ts:21} painful it can be to work with S3. I have a video that I haven't had a chance to put out just yet where I showcase some {ts:26} security issues with S3, but that's not what we're here to talk about today. I will quickly show them so you know it: {ts:30} we're talking about S3, specifically how most people suck at securing it and some of the things that can result if you {ts:36} don't set it up correctly. TL;DR: S3 pre-signed posts or other ways of uploading files can easily be abused {ts:42} with cross-site scripting or unwanted paths for uploads. Yep, keep an eye out for that video. Today we're not talking {ts:48} about the security issues around how pre-signed URLs work. Today we're talking about a chart and some numbers that were {ts:53} very scary. This is a picture, a chart, a chaotic, terrifying chart of two empty S3 buckets that suddenly got just an insane {ts:61} amount of empty POST requests. That is 50 million requests to each bucket, almost 100 million total, and this cost …

{ts:140} against AWS. As it turns out, one of the most popular open source tools had a default configuration to store their {ts:145} backups in S3, and as a placeholder for a bucket name they used the same name I had used for my {ts:153} bucket. That is actually hilarious. Oh my God. This meant that every deployment of this tool with default configuration …

{ts:194} with S3 you're charged for at some place even if you're not authorized to be doing the thing that you're being billed {ts:199} for, which is crazy. This is, again, a private bucket that no one has access to, with almost no files in it. This is {ts:204} confirmed in their exchange with AWS support, as they wrote back: "S3 charges for unauthorized requests as well." That's …

{ts:408} source tool: they quickly fixed the default config, although they can't fix the existing deployments. Yep, there's a {ts:413} problem when you are installing something on your device and not using a server for anything: you cannot update
Related Pain Points
S3 targeted by default configurations in open-source tools
Open-source tools frequently ship S3 integrations with a placeholder bucket name in their default configuration, and that placeholder can collide with a real user's bucket. Every deployment left on the default configuration then sends its requests to that bucket, so its owner receives massive unwanted request volumes (e.g., 100 million requests) and, because S3 bills for unauthorized requests too, unexpected charges and service disruption.
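One way a bucket owner can notice this kind of flood from the bucket's own telemetry, as an added example that is not from the video or from any tool it mentions: parse S3 server access log records and flag each minute in which a bucket accumulates an unusual number of 403 AccessDenied requests. The log lines, bucket names, source IPs and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Leading fields of an S3 server access log record; the later fields (bytes, timings,
# referer, user agent, TLS details) are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) ')

def parse_record(line):
    """Parse one access log line into its fields (plus the minute it fell in), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
    return rec

def denied_request_bursts(lines, threshold):
    """Return (bucket, minute, denied_count, distinct_ips) for each bucket-minute with at
    least `threshold` 403 AccessDenied requests: billed traffic that touched no object."""
    counts, sources = Counter(), {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["status"] != "403" or rec["error"] != "AccessDenied":
            continue
        key = (rec["bucket"], rec["minute"])
        counts[key] += 1
        sources.setdefault(key, set()).add(rec["ip"])
    return sorted((b, t.isoformat(), n, len(sources[(b, t)]))
                  for (b, t), n in counts.items() if n >= threshold)

def _record(bucket, ts, ip, op, status, error):
    # Constructed sample record; OWNERID, REQID and HOSTID are placeholders.
    return (f'OWNERID {bucket} [{ts}] {ip} - REQID {op} backup.tar.gz '
            f'"PUT /backup.tar.gz HTTP/1.1" {status} {error} - - 5 - "-" "aws-sdk" - HOSTID')

# Constructed sample: six denied writes from four sources hit "example-backups" within
# one minute, one straggler lands a minute later, and two legitimate reads succeed.
DENIED, OK_READ = ("REST.PUT.OBJECT", "403", "AccessDenied"), ("REST.GET.OBJECT", "200", "-")
SAMPLE_LOG = [
    _record("example-backups", f"01/May/2024:10:00:{s:02d} +0000", ip, *DENIED)
    for s, ip in enumerate("198.51.100.7 198.51.100.8 203.0.113.9 "
                           "198.51.100.7 203.0.113.10 198.51.100.8".split())
] + [
    _record("example-backups", "01/May/2024:10:01:03 +0000", "203.0.113.9", *DENIED),
    _record("example-backups", "01/May/2024:10:00:30 +0000", "192.0.2.44", *OK_READ),
    _record("example-other", "01/May/2024:10:00:31 +0000", "192.0.2.44", *OK_READ),
]
```

With `denied_request_bursts(SAMPLE_LOG, threshold=5)` only the 10:00 minute on `example-backups` is reported (6 denied requests from 4 source IPs); in production the threshold would be set from the bucket's normal baseline, and the same grouping works on CloudWatch `4xxErrors` metrics where access logging is not enabled.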
Complex and non-intuitive S3 pricing and licensing
The S3 pricing and licensing structure is overly complex and difficult to understand. Developers pay even during the development phase, and there is no separate development environment tier.