My business has used AWS for around 3 years and our normal usage is $1k per month in EC2 and S3. In early March a hacker accessed our AWS account through my login via an IP address in Austria (I'm in Austin, TX). They spun up 3 large instances of EC2 which began charging us $1k-$2k per day.
In mid-April, while reviewing our books for the month of March, I saw a $26k charge from AWS. I thought it was a typo for $2.6k and asked the accountant. She stated that was the correct amount. I immediately got my dev team involved and we discovered the 3 instances to which we did not have any access, and stopped them immediately.
I opened a support case immediately, which somehow got posted twice. Because the case was posted twice, the support team marked both cases as duplicates. I reopened one of the cases, and it was resolved again as a duplicate. This has now happened several times.
I Googled around looking for a way to escalate this matter and found the following emails. I cc'ed them on May 5th with an urgent plea via the original support case thread, with another summary of the issue and links to my cases with my phone number, to no avail: ams-csdm@amazon.com, ams-opsmanager@amazon.com, ams-director@amazon.com, ams-vp@amazon.com
That email was ignored and I'm not sure where I can turn to next. I've tweeted about this and tagged AWS here - https://twitter.com/csakon/status/1391873413107617799?s=20
I'm not sure where to go next, can anyone give me any advice?
Anyway, it's important to frame what happened correctly: the security of someone on your team was sloppy, and most likely a bot was able to get an access key or access to one of your accounts, spin up crypto miners on EC2s and now you're responsible for the bill. If it hadn't been that, it'd have been ransomware, you probably got lucky.
Now, to see if your situation can be improved: Put up some dollars and get business support. Make a clear and polite case, from the beginning. Ask for a refund but you don't have grounds to demand it; if they issue one, it's a gesture of good will. They probably will issue one if you haven't had to ask for that before, but it reflects badly on everybody that cryptominers weren't caught for two months.
And before you create that ticket, make some billing alerts so you can show AWS support that this won't happen again.
I don't know what "generally" means here or what you're basing the claim on, but I'm with an organization that pays a lot of money to AWS and they regularly ghost us after giving a wrong or incomplete "works for me"-style answer.
I have no idea why we're paying.
They don't suck once they actually start doing something, but they do seem to have KPIs which incentivise wasting my time.
As much as I'd like to agree with you, AWS makes controlling this WAY too stupidly difficult.
Out here in the real world, many of us are part of startups that have 4 people and a dog. We wear many hats, and "AWS Billing Expert" is not one we have time for.
I actually grind my teeth and recommend Azure to most small companies on this alone. GCP is nice, but I simply won't recommend them due to Google.
However, sometimes AWS has "that service" that you really need. And I just have to caution people that AWS will not protect you.
AWS could solve this. Simply allow people to opt into a hard stop on spending--some of us would rather be down than overspend. Let us make that choice.
The fact that AWS absolutely refuses to solve this speaks volumes.
Hard stop on spending would delete all your data and would not cover things which are billed e.g. monthly. There are AWS budget actions which address some of the issues (e.g. can put a hard deny on any actions or stop your EC2 instances), admittedly a relatively new service.
I was at fault for the double post of the support case, but that was a simple error on my part due to not thinking the first went through.
Once access was made, we were completely unaware of their existence until I saw the charges and asked our devs about it. They said they didn't have any knowledge or access to these new instances.
I appreciate the advice, will upgrade the support and try again.
Why? Because they serve just about every use case and scenario. I've myself spun up $5k/day resources on accounts that did four magnitudes less / day before that. There are some limits by default which you can get raised, but they're not going to prevent a $50k bill - at best, they're here to prevent a $500k one.
Anyway I agree they could make it clearer that you have to do all this crap yourself but it makes for a poor sales pitch.
This sounds like a cautionary tale. I have spending alarms on my personal account for this very reason, I'll know within 5-10 minutes if my monthly spend is going to break $50 because I've set up my alarms.
Your other option is to start a Cloudtrail and alarm on foreign IPs that are logging in, new IAM users and keys being created and changes to any alarms you have in place to check for this stuff. It won't necessarily stop it, but you'll be able to react a lot faster.
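As an added illustration of the CloudTrail alerting described above (not code from the original thread or from any commenter), here is a small detector that runs over constructed CloudTrail-style records and flags the three things mentioned: successful console logins from outside a trusted IP range, new IAM users or access keys, and changes to CloudWatch alarms; it also flags instance launches from an untrusted IP or in a region the business does not use. The trusted network, the set of used regions and the sample records are all assumptions made up for the example.

```python
import ipaddress

# Constructed sample CloudTrail records (not real logs); only the fields the
# rules below read are included. Field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-02T01:14:09Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"userName": "alice"},
     "awsRegion": "us-east-1", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-02T03:41:50Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.88", "userIdentity": {"userName": "alice"},
     "awsRegion": "us-east-1", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-02T03:43:12Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.88", "userIdentity": {"userName": "alice"},
     "awsRegion": "us-east-1"},
    {"eventTime": "2021-03-02T03:45:00Z", "eventName": "DeleteAlarms",
     "sourceIPAddress": "203.0.113.88", "userIdentity": {"userName": "alice"},
     "awsRegion": "us-east-1"},
    {"eventTime": "2021-03-02T03:50:31Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.88", "userIdentity": {"userName": "alice"},
     "awsRegion": "eu-central-1"},
]

# Assumptions for the example: the office/VPN egress range and the regions in use.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
USED_REGIONS = {"us-east-1"}

IAM_CREATE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
ALARM_CHANGE = {"DeleteAlarms", "PutMetricAlarm", "DisableAlarmActions"}


def is_trusted(ip: str) -> bool:
    """True if the source address lies inside a trusted range.
    Non-IP values (e.g. 'AWS Internal' for service-initiated calls) are skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETS)


def detect(events):
    """Return (rule, eventName, user, sourceIP) tuples for suspicious records."""
    alerts = []
    for ev in events:
        name = ev["eventName"]
        ip = ev.get("sourceIPAddress", "")
        user = ev.get("userIdentity", {}).get("userName", "?")
        foreign = not is_trusted(ip)
        login_ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if name == "ConsoleLogin" and foreign and login_ok:
            alerts.append(("login-from-untrusted-ip", name, user, ip))
        if name in IAM_CREATE:
            alerts.append(("iam-credential-created", name, user, ip))
        if name in ALARM_CHANGE:
            alerts.append(("alarm-modified", name, user, ip))
        if name == "RunInstances" and (foreign or ev.get("awsRegion") not in USED_REGIONS):
            alerts.append(("instance-launch-anomaly", name, user, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In practice the same rules are expressed as CloudWatch metric filters or EventBridge rules over the CloudTrail log group, so the alert fires within minutes rather than when the invoice arrives.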
It’s not on AWS to flag anything. They give you the tools to comprehensively monitor your account, but you choose not to use them. Cloudwatch is also “standard”. Datadog has a free tier, I’d suggest checking that out because you don’t seem to have any infrastructure monitoring?
I’d honestly hire some people that have experience in this area, because your “dev team” sounds clueless.
CloudWatch is standard AWS, or what do you mean?
Amazon gives you all the tools to monitor your usage and management of the cloud. You did not use those tools, had sloppy security and now it is Amazon's fault?
Take it as an expensive lesson learned. And get someone who knows what they are doing in AWS to administer it. Maybe your company was pennywise pound foolish by not having someone who knew AWS?
My average ticket response with paid AWS Developer is probably 72+ hours, and that's just for the initial triage what's up query.
Unless you are either a seasoned Linux developer with many years of Linux internals experience, or you have an enterprise level account, all of the lower class AWS support rungs are largely meaningless.
We had a few training and introduction sessions with their people and it usually ended with us tuning out/joking about their useless slides and presentations (with "inspiring" Jeff Bezos quotes and brags about the number of packages ordered on Amazon.com that have 0 relevance for anything our company would like from AWS) in a private channel.
Billing team is separate anyway. You get a better "treatment" if you're paying (as in, they will look at your case closer), but you have access to the same service regardless.
Whether the original security breach was the user's fault or not, Amazon Support dropped the ball here.
Business and enterprise tier are 24 hours, and will be dealt with by more experienced technicians within an hour.
Have you contacted the FBI and Europol? A police report is the first thing you need before any company starts taking you seriously about crime being committed on your billing accounts.
https://www.fbi.gov/investigate/cyber
https://www.europol.europa.eu/report-a-crime/report-cybercri...
In my case we got a miner on our Jenkins for a day. I just called my AWS sales rep and he got me a free lunch and a few credits to pay for business support for 1 month, then I opened the ticket through that business support. At the end of the week AWS gave us extra credits of around 10% of our yearly usage.
I don't think they will waive all of your $26k. That's your dev team's fault, and also your finance team's or whoever doesn't watch the billing. But they can give you a lot of AWS credits for many reasons (promising startup, loyal customer, big company, etc.)
As a busy founder, I'll just go with the providers that don't chain me to their dashboard/email instead of providing meaningful caps.
It seems earning money from users' mistakes is part of their business model.
Yes, resource limits are not a silver bullet. Users will complain when their important service goes down because it would have gone slightly over budget during "normal" use. Implementing it in a reasonable way is not perfectly simple. Probably you want separate limits for network, storage, and processing as well as different ways to enforce the limit. Deleting all S3 data might not be what many users would want. They might still be willing to pay for keeping the existing data.
And obviously changing the limit must not be possible with the same credentials that allow you to use resources. Another fundamental challenge.
But with the size of AWS's business there is no excuse not to implement anything. They just value profit over customers.
(Sorry, not a reply to the original poster's question. I don't have anything significantly different from what has been mentioned by others.)
- Create a root account that's only used for consolidated billing and account recovery. Secure it with 2FA. I use TOTP saved on my Yubikey and my backup Yubikey with the setting that requires a physical touch to generate a code.
- Create organizational accounts for every day use. The exact way to structure them can get complicated, but there's a fair bit of documentation on it.
- Set up budget alerts and budget actions before you start using a resource type.
- Only create users with permissions to access resource types with budget actions set up.
It's easy to say, but very hard to do in practice based on my experience. The biggest problem is that if you want to use a couple of services (ex: EC2, S3), you have the complexity of 1000 services, IAM policies, etc. jammed in your face right at the start and it's almost impossible to figure out what permissions you need to do something. It reminds me of SELinux where the permissions are difficult enough to deal with that you can write an audit log while performing an action and simply enable all the permissions that were logged.
The second biggest problem is that runaway billing is far worse for small users than for large users and big tech only cares about other big users because that's where the money is. Everything revolves around catering to huge users who don't care if they need to hire a consultant to tame their AWS billing, so the smaller users and startups are left with systems that are far too complex to meet their needs.
I prefer the way Digital Ocean works, but there are some things you just can't do with them. For example, Lambdas and SES don't have good alternatives at DO.
I also like Cloudflare Workers since I find it significantly easier to reason about price in the context of cost per execution instead of the complex formula used for Lambdas, etc. I think Cloudflare is in a very good position to claw market share from the big clouds, but their Workers Unbound is pretty much a copy of Lambdas, Functions, etc. in terms of pricing structure, so it looks like they might be starting to go after those fat egress charges that everyone else makes their money from.
Overall the best defense is defense in depth - use MFA for all human accounts, use IAM roles wherever possible, don't put stuff in public subnets, use restrictive firewall rules, follow least privilege principle, use secrets manager or similar services for storing credentials. You could write a book about it. Many people pretty much have.
i had set up some billing alerts on my AWS and it was just all terrible and sh*tty, clicking around in a million places to get not what i actually wanted.
i thought about building my own service to just let me know a daily total of my expected bill at the end of the month
then i'd add stuff to tell me about fast-increasing charges, as quickly as was necessary depending on the steepness of the charge rise curve.
then i found Billgist, which i tried for a bit -- it worked great, looks great, etc., so i'm not building my own. no connection to them.
i used it at first just to see if it worked at all, then to see if it sucked (in which case I would prob try to build my own), and then ultimately to try to help me get comfortable with the idea that i probably wasn't going to wake up one beautiful Saturday morning to a $50k AWS bill.
that never worked -- that is, i never got comfortable with the idea that I would _not_ wake up to a $50k AWS bill one beautiful Saturday morning -- it just seems completely plausible, even likely.
so i shut down most of my aws stuff (i was always particularly worried about my Lambda stuff), moved some things to Digital Ocean, and i'm guessing i'll revisit AWS at some point when i reach some critical mass of:
* "i actually need AWS", and
* "i actually have something to implement that has the possibility of making money", and
* "i'm comfortable, thru my own alerts/billing limits/cutoffs/aws-expertise, that i probably won't wake up to that $50k hacker AWS bill".
one thing i learned is that AWS charges you for _everything_ -- including your single daily API call to figure out how much you're going to owe at the end of the month -- the fee for that call is 3 cents per call, or at least for the first call. tho you can log in thru the console and check this estimate for free.
one of the things you get charged for is 'Configs' -- pretty much any config setting you've customized in any way -- permissions, roles, tags (?), etc.
i understand the logic, but damn -- i'm trying to use AWS so i can get things done, not so i can worry about the costs of every. single. not-completely-optimized. minuscule. design decision. down to the penny. nickel and diming would be a luxury.
i can imagine my hypothetical company's AWS Cost Saving Specialist coming to me and saying, "I'm glad you've set up this incredibly fast and secure and resilient system, but....we need to save a few bucks, so....yeah, i'm gonna need you to come in tomorrow...."
i may have a former co-worker that works there - if you run out of options i'll try to ping someone in my chain, see if i can contact them.