Why do small teams keep getting wrecked by AWS bills?
Saw someone on Reddit lose $86k from a compromised AWS account. I've heard way too many stories like this — misconfigured IAM, tokens in repos, no billing alerts...
If you're on a small team, how are you actually protecting yourself from stuff like this? Is there a sane setup that works without needing a full-time AWS security person?
Gotta look at your monthly bill every day.
I've been wondering about the question of "where did the web go?" and how even technically savvy people have given up on blogging for behavioral sinks like Medium.
Part of the story is that $50 a month dedis have given way to the "free" plan on AWS or a system that costs $10 a month to run if you're not successful but has no upper bound on the bills if you are successful. So if you make a blog you are praying every night that you don't make it to the front of Hacker News and that you don't build up a large following because boy those egress charges will add up. People are furious now that they are getting eaten alive by the egress costs run up by AI bots but 10 years ago I was thinking "Boy Bing crawls my site twice as hard as Google and sends 5% of the traffic and Chinese webcrawlers crawl my site 5x harder than Google and send me no detectable traffic."
One of the best things you can do is enable AWS’s free Cost Anomaly Detector. I like getting pinged when something substantial changes.
https://old.reddit.com/r/aws/comments/1jupura/just_got_compr... - this post you're referring to?
I like that you linked old reddit. Using the normal domain makes the site utterly unusable.
Because AWS doesn't have out-of-the-box costs killswitches.
Best way to defeat competition is to make sure they never get out of the gate
We’re not since cost controls are secondary to building features.
They look at code on stackoverflow and the web that initializes the SDK resources that have you explicitly put the access key and secret key in code.
For instance, the correct way to initialize the s3 client in Python is
The SDK will automatically get the credentials that are configured locally within your environment or the IAM role attached to your Lambda, EC2 instance, Docker (ECS, EKS) container runner etc.Your access keys never need to be part of your repository.