  1. Brajesh Singh

    Feeling sorry about Ryan.
    Hope that he gets the concession and is not required to pay this extra.

    I am sure it is a harsh way to discover the problem, but it will help everyone around to take such things more seriously.


  2. Scott Bolinger

    That sucks, but it’s an important lesson. Along with keeping them hidden, you should use IAM credentials that have specific access policies instead of your root credentials. You can specifically state what they have access to, for example you can restrict access to read only, or to a specific service like S3. At least the damage can be contained, in this instance spinning up servers on EC2 would not have been possible.

    IAM info: http://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html
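
The containment described in the comment above, as an added example that is not part of the original comments: a simplified Python check comparing a constructed allow-everything policy with a constructed policy scoped to one backup bucket. The bucket name, account ID and function names are assumptions, and the evaluation ignores Condition, NotAction, NotResource and Principal.

```python
import re

# Constructed policies (not from the thread); bucket name is a placeholder.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BACKUP_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backup-bucket",
                 "arn:aws:s3:::example-backup-bucket/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        # Action names are matched case-insensitively, resources as written.
        hit = (any(_glob(a, action, True) for a in _as_list(st["Action"]))
               and any(_glob(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed


def overbroad_statements(policy):
    """Allow statements pairing a wildcard action with Resource '*'."""
    return [st for st in _as_list(policy["Statement"])
            if st["Effect"] == "Allow" and "*" in _as_list(st["Resource"])
            and any(a == "*" or a.endswith(":*") for a in _as_list(st["Action"]))]


if __name__ == "__main__":
    # Constructed requests; 111122223333 is a placeholder account ID.
    requests = [
        ("ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*"),
        ("s3:PutObject", "arn:aws:s3:::example-backup-bucket/site.tar.bz2"),
        ("s3:GetObject", "arn:aws:s3:::some-other-bucket/file"),
    ]
    for name, policy in (("ALLOW_ALL", ALLOW_ALL), ("BACKUP_ONLY", BACKUP_ONLY)):
        print(name, "over-broad statements:", len(overbroad_statements(policy)))
        for action, resource in requests:
            print(f"  {action:18} {is_allowed(policy, action, resource)}")
```

Running `overbroad_statements` over the policies attached to any key that lives in a web application's config is a quick review step before the key is deployed.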


  3. Troy Glancy

    AWS should set up keys for each service. For example, if you only want a CDN you get X key, and if you want EC2 you get X2 key. That way, if someone gets your key, let's say from a plugin, they will only have access to that part of AWS.


  4. Troy Glancy

    Just saw Scott's comment above. Apparently you can set up for each service.


  5. Chris Wallace

    I’ve actually spun up RDS instances as a test, thinking that it wouldn’t bill me unless they were actually being used. Then I got a bill for around $3,000. No warnings, no notifications. Shut that down real quick.


  6. tudoutou

    Reminds me of an access key created for the wp-ses plugin.
    I don’t know why the plugin needs an access key, it should only need SMTP credentials.
    Anyway I immediately deleted the key after reading this.


  7. Michael

    Never use root access keys in your website, that’s a bad idea. If a plugin requires too much permission, I simply don’t use it. Only use IAM credentials with minimal permissions, that’s what the policies are for.

    Very expensive mistake. Too bad with AWS you only get billing alerts but no complete shutdown when reaching a quota.


  8. iamyuda

    Since this whole thing started as a goodwill gesture for the open-source community – I am sure many will be willing – me included – to support a donation campaign to help you close the bill, assuming Amazon will not do the appropriate move themselves.


  9. Ryan Hellyer

    Amazon wiped US$5,980.70 off my bill this evening :) So the problem is solved.

    Thanks Amazon :)


  10. Marco Ragogna

    This is a scary story. I never used AWS, but isn’t it possible to set up a credit limit to avoid these problems?


    • Ryan Hellyer

      No. AWS does not offer that service unfortunately. This makes me want to change to another service, but I’m not sure what other service I would use. AWS has some really good tools, in particular S3cmd for the CLI.

      Does anyone have any solutions for alternatives to using Amazon S3?

      I also use Cloudfront at the moment, but there are lots of CDN alternatives out there, and I’m about to switch (for entirely unrelated reasons) to hosting all my own files anyway.


      • Alfonso

        Ryan: Maybe you need to look for an honest web hosting provider and place a CDN in front of it (choose whichever you want). My own choice is to have Cloudflare in front of my host (PRO account). Never regretted choosing them.

        Regarding S3, I use it just for storing the backups of several sites that I host on my machine. Every site is tarred/bzip2ed before being sent to S3 via a daily cron job. After 7 days on RRS storage, they go to Glacier for up to 90 days, where they expire. Easy peasy to do. IAM credentials are safe on the system, not in WP nor anything exposed to a web server.


        • Ryan Hellyer

          I am not interested in serving my content via a CDN. I want to serve it from my own server.

          I have a similar setup for handling backups to S3. The plugin which required me to add my AWS credentials to wp-config.php was for instantaneous backups, not for occasional backups.

