We use CloudFront and we deny public users the ability to access S3 directly. You can even use Signed URLs with CloudFront if you like. I'm not sure I'd evere feel comfortable letting the public at large hit my S3 endpoints.
As it should be, but recently on HN it was posted that AWS will charge you for any unauthorized PUT request to your S3 buckets. Meaning even 4xx errors will rack up a charge.
So your S3 bucket names must be hidden passphrases now that stand between an attacker and your budget.
Also, the cost of doing this per request is insane compared to either absorbing or rate-limiting the bandwith the requests take.
Cloud computing charges you by the request/byte/cpu cycle. Servers do not have this issue.
Also, is it simply not possible to rate limit this on a per IP basis? Make client only able to do X requests per second from each unique IP/network flow.
>Cloud computing charges you by the request/byte/cpu cycle. Servers do not have this issue.
Sure they do. Processing requests takes bandwidth, CPU, memory, disk I/O
>Also, is it simply not possible to rate limit this on a per IP basis
It's largely useless. You'll block any legitimate bits/programs, people on CGNAT, people on corporate networks & bad actors will use botnets, residential IPs, VPNs to gain access to thousands or millions of unique IPs
