zaptheimpaler 14 hours ago

The surprise is any ne'er-do-well can DDoS your bucket even if they aren't a customer. Genuine customer traffic volume will probably be known and expected, but putting an S3 bucket in the open is something like leaving a blank check on the internet.

lopkeny12ko 14 hours ago

It's a bit unfair to characterize that as a surprise on how much S3 bills you, no? The surprising part here is lack of DDoS protection on your end or leaving a bucket public and exposed. AWS is just charging you for how much it served, it doesn't make sense to hold them to a fault here.

Dylan16807 13 hours ago

> The surprising part here is lack of DDoS protection on your end or leaving a bucket public and exposed.

It doesn't take anything near DDoS. If you dare to put up a website that serves images from S3, and one guy on one normal connection decides to cause you problems, they can pull down a hundred terabytes in a month.

Is serving images from S3 a crazy use case? Even if you have signed and expiring URLs it's hard to avoid someone visiting your site every half hour and then using the URL over and over.

> AWS is just charging you for how much it served, it doesn't make sense to hold them to a fault here.

Even if it's not their fault, it's still an "inherent vulnerability of S3 pricing". But since they charge so much per byte with bad controls over it, I think it does make sense to hold them to a good chunk of fault.

zaptheimpaler 12 hours ago

I don't know about fair or unfair, but it's just a problem you don't have to worry about if there's no egress fees.

bobthebutcher 14 hours ago

If you want to hire someone to walk your dog you probably won't put an ad in the New York Times to a head hunter that you will pay by the hour with no oversight and it would be totally unfair to that head hunter when you don't want to pay them for the time of all those interviews. But an infinitely scalable service you somehow can't put immediately terminal limits on is somehow fine on the cloud.

bippihippi1 13 hours ago

It loses trust with customers when the simple setup is flawed. S3 is rightly built to support as much egress as any customer would want, but wrong to make it complex to set up rules to limit the bandwidth and price.

It should be possible to use the service, especially common ones like S3 with little knowledge of architecture and stuff.

fnikacevic 14 hours ago

AWS will also forgive mistakes or negligence-based bills, in my case 3 times.