
Ben Potter
320 posts

Ben Potter
@benji_potter
Founder of FIRCY. ex AWS security leader. Ambassador for #NoMoreRansom. Tweeting cyber and cloud.



So apparently if someone knows / guesses the name of your S3 bucket - even if it's private (!) - they can just bankrupt you by sending infinite PUT requests and there is nothing you can do about it. > requests get rejected > but AWS still counts it as a write operation against your account for which you have to pay at a rate of $0.005 per 1000 requests This seems insane to me. Especially because a lot of services rely on presigned URLs for uploads / downloads which exposes your bucket name to the client. In this case the author got their bill waved, but AWS support made it clear it's an exception not the rule.








Anyone from Amazon able to provide a roadmap for supporting multiple FIDO security keys? Seems super important.


Lol, in the fullness of time, Control Tower will eventually align with best practices on AWS.















