S3 - How do we protect ourselves from a malicious user refreshing a page a million times in order to rack up an AWS S3 Bill?


Hello! AWS newbie here. I just finished implementing file uploads to S3 via django-storages to allow users to upload images for their written blog posts. I just realized that we have to pay for every get request on an object. This made me realize that a malicious user could just run a script, or heck put an "object" (lame pun) on top of the F5 key to refresh like a billion times. Is there a way to safeguard against these scenarios by setting up protective measures, such as limiting requests to a particular object to 5 per hour per IP, or even better, establishing a monthly spending cap (e.g., $100) that, if exceeded, would automatically disable any and all requests?

asked 10 months ago, 286 views
2 Answers

Certainly! Protecting your AWS resources from potential abuse is crucial. Here are some strategies you can employ to safeguard your S3 resources:

AWS Budgets:

  • You can set up AWS Budgets to alert you when your estimated charges exceed your predefined thresholds. While it won't automatically disable requests, it will notify you so you can take action.
  • Navigate to the AWS Budgets Dashboard and create a budget for your S3 service. Set up alerts to notify you when your usage or costs exceed the thresholds you've set.

CloudFront with WAF:

  • Instead of serving your S3 objects directly, use Amazon CloudFront to distribute the content.
  • With CloudFront, you can integrate AWS WAF (Web Application Firewall) which allows you to create rules to block or allow requests based on certain conditions like IP addresses, HTTP headers, or request rates.
  • Using AWS WAF, you can set up rate-based rules to block IP addresses that exceed a certain number of requests in a 5-minute window.

S3 Bucket Policies:

  • You can set up bucket policies to restrict access based on certain conditions. However, note that S3 bucket policies don't support rate-limiting based on IP. They can be used to restrict access based on other conditions like the referrer header.

Pre-Signed URLs:

  • Instead of making your objects publicly accessible, use pre-signed URLs. These are temporary URLs that provide access to an S3 object for a limited time. This way, even if someone tries to refresh multiple times, the URL will expire after a certain period.

Monitoring with CloudWatch:

  • Use Amazon CloudWatch to monitor your S3 request metrics. Set up alarms to notify you when there's an unusual spike in GET requests or other suspicious activities.

Educate and Inform Users:

  • Sometimes, users might not be aware of the costs associated with excessive requests. Consider adding a note or tooltip in your application to inform users about the potential costs and ask them to avoid unnecessary refreshes.
Caching:

  • Implement caching mechanisms, such as using the Cache-Control header, to reduce the number of requests to S3. This way, repeated requests can be served from the cache rather than hitting S3 directly.

Remember, while these strategies can help mitigate the risk, it's essential to monitor your AWS usage and costs regularly. AWS provides various tools and services to help you keep track of your spending and usage, so make sure to leverage them to avoid unexpected charges.

answered 10 months ago
reviewed 10 months ago


AWS Web Application Firewall and AWS Shield are the solutions that you want to use for this purpose, as the attack that you present is close in spirit to a DDoS attack.

See these blog posts about implementation for your use case:

  1. https://aws.amazon.com/blogs/architecture/mitigating-ddos-with-data-science-using-aws-shield-advanced-and-aws-waf/
  2. https://aws.amazon.com/blogs/security/using-aws-shield-advanced-protection-groups-to-improve-ddos-detection-and-mitigation/


answered 10 months ago (AWS)
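Both answers point at AWS WAF rate-based rules, and the first answer describes what such a rule does: count requests per source IP over a 5-minute window and block the IP once it passes a threshold. The following is an added example, not code from either answer or from AWS WAF, showing that behaviour in application terms: a sliding-window counter per client IP, replayed over a few constructed access-log lines to see which addresses would have been denied. The log format used here (timestamp, IP, method, key) is a simplified constructed one, not the S3 server access log format, and the addresses are RFC 5737 documentation addresses.

```python
"""Added example (not from the original answers or from AWS WAF): a per-IP
sliding-window rate limiter, the application-side equivalent of a WAF
rate-based rule, run over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timezone


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)  # ip -> timestamps of recent allowed requests

    def allow(self, client_ip: str, ts: float) -> bool:
        q = self.events[client_ip]
        cutoff = ts - self.window
        while q and q[0] <= cutoff:      # forget requests that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                 # over the limit: deny and do not record
        q.append(ts)
        return True


def parse_line(line: str):
    """Parse one constructed log line: '<ISO-8601 UTC> <ip> <method> <key>'."""
    ts_str, ip, method, key = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), ip, method, key


def scan_log(lines, limit: int, window_seconds: int) -> dict:
    """Replay log lines (in time order) through the limiter.

    Returns {ip: number_of_requests_that_would_have_been_denied}; IPs that
    never exceeded the limit are absent."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    denied = defaultdict(int)
    for line in sorted(lines):           # ISO timestamps sort lexicographically
        ts, ip, _method, _key = parse_line(line)
        if not limiter.allow(ip, ts):
            denied[ip] += 1
    return dict(denied)


# Constructed sample log. 198.51.100.10 is a normal reader; 203.0.113.7 hits
# the same object once per second for 20 seconds (the F5 scenario).
SAMPLE_LOG = [
    "2024-01-01T12:00:00Z 198.51.100.10 GET posts/42/cover.png",
    "2024-01-01T12:02:30Z 198.51.100.10 GET posts/42/cover.png",
    "2024-01-01T12:09:00Z 198.51.100.10 GET posts/43/cover.png",
] + [f"2024-01-01T12:05:{s:02d}Z 203.0.113.7 GET posts/42/cover.png" for s in range(20)]


if __name__ == "__main__":
    # Five requests per 5-minute window, as in the rate-based rule description.
    for ip, count in scan_log(SAMPLE_LOG, limit=5, window_seconds=300).items():
        print(f"{ip}: {count} requests would have been blocked")
```

Run against the constructed log with a limit of 5 per 300 seconds, the reader address is never denied and the hammering address is denied 15 times after its first 5 requests. The same replay is useful as a detection check on real logs before you turn on an enforcing WAF rule: it shows how many legitimate clients a given threshold would catch. One difference from WAF worth knowing is that a WAF rate-based rule evaluates traffic at the edge, before the request reaches S3, while a limiter in your Django app only protects requests that pass through the app, not direct fetches of a public object.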
