Serverless Horrors
238 comments
· September 7, 2025 · acoustics
cm2187
How about spending caps / circuit breakers? Doesn't seem an unsolvable problem to me.
herpdyderp
The solution is simple: budget caps.
mlhpdx
Is it simple? So what happens when you hit the cap, does AWS delete the resources that are incurring the cost and destroy your app?
Imagine the horror stories on Hacker News that would generate.
estimator7292
I mean, would you rather have a $10k build or have your server forcefully shut down after you hit $1k in three days?
One of those things is more important to different types of business. In some situations, any downtime at all is worth thousands per hour. In others, the service staying online is only worth hundreds of dollars a week.
So yes, the solution is as simple as giving the user hard spend caps that they can configure. I'd also set the default limits low for new accounts with a giant, obnoxious, flashing red popover that you cannot dismiss until you configure your limits.
However, this would generate less profit for Amazon et al. They have certainly run this calculation and decided they'd earn more money from careless businesses than they'd gain in goodwill. And we all know that goodwill has zero value to companies at FAANG scale. There's absolutely no chance that they haven't considered this. It's partially implemented and an incredibly obvious solution that everyone has been begging for since cloud computing became a thing. The only reason they haven't implemented this is purely greed and malice.
tannedNerd
Or simply returns 503? Why would you go directly to destroying things??
clvx
Yes, that’s exactly the expected behavior. It can alert if it’s close to threshold. Very straightforward from my point of view.
zorked
Stop accepting requests like has been the case since the beginning of time?
ndsipa_pomu
Surely that's the fault of the purchaser setting the cap too low.
Maybe rather than completely stopping the service, it'd be better to rate limit the service when approaching/reaching the cap.
phoenixhaber
When I was learning to program through a bootcamp I spun up an elastic beanstalk instance that was free but required a credit card to prove your identity. No problem that makes sense - it's an easy way to prove authentication as a bot can't spam a credit card (or else it would be financial fraud and most likely a felony).
Amazon then charged me one hundred thousand dollars as the server was hit by bot spam. I had them refund the bill (as in how am I going to pay it?) but to this day I've hated Amazon with a passion and if I ever had to use cloud computing I'd use anyone else for that very reason. The entire service with its horrifically complicated click through dashboard (but you can get a certification! It's so complicated they invented a fake degree for it!) just to confuse the customer into losing money.
I still blame them for missing an opportunity to be good corporate citizens and fight bot spam by using credit cards as auth. But if I go to the grocery store I can use a credit card to swipe, insert, chip or palm read (this is now in fact a thing) to buy a cookie. As opposed to using financial technology for anything useful.
VectorLock
Amazon refunded you and you hate them for it?
I think one of the reasons I appreciate AWS so much is that any time there has been a snafu that led to a huge bill like this they've made it pretty painless to get a refund- just like you experienced.
Vvector
If it is a "free tier", Amazon should halt the application when it exceeds quota. Moving the account to a paid tier and charging $100k is not the right thing to do.
christophilus
I agree, but I could also see how someone would complain about that: “Our e-commerce site was taken down by Amazon right on our biggest day of the year. They should have just moved us up to the next tier.”
cperciva
Good news! This is exactly how the free tier works now.
tekno45
stop putting stuff on the internet you don't understand.
cjbgkagh
Amazon is currently permissive which splits opposition, this won’t always be the case, they will tighten the screws eventually as they have done in the past in other areas. Amazon because it’s so broadly used undermines the utility of chargebacks, you can do it but it’ll be a real hassle to not be able to use Amazon for shopping. A lot of people will just eat the costs, if Amazon knows this they will force the situation more often because it’ll make them more money.
msh
Amazon is irresponsible when they let people sign up for an unlimited credit.
At minimum they should provide hard billing caps.
tekno45
putting stuff on the internet is dangerous. if you're not prepared to secure public endpoints stop creating them.
psychoslave
Once I've been kidnapped by a guy who also happens to run a security business. After a bit of discussion, I was about to convince some of his henchmen to release me without paying the ransom. I'm so glad they did accept that, and I never fail to use and recommend the services of the security business now.
LeifCarrotson
As the saying goes, when you owe the bank $100 you've got a problem, when you owe the bank $100k the bank has a problem...
On serverless, I can enter numbers in a calculator and guess that running my little toy demo app on AWS will cost between $1 and $100. Getting hit with a huge $1000 bill and a refusal to refund the charges (and revocation of my Prime account and a lifetime ban from AWS and cancellation of any other services I might otherwise run there) would be totally possible, but I have zero control over that. Expecting to go on social media begging for a refund is not a plan, it's evidence of a broken system - kinda like those "heartwarming" posts about poor people starting a GoFundMe so their child can afford cancer treatment. No, that's awful, can we just be sensible instead?
If a server would have cost me $20 at a VPS provider to keep a machine online 24/7 that was at 1% utilization most of the time and was terribly laggy or crashed when it went viral, that's what $20 buys you.
But, you say, analysis of actual traffic says that serverless would only cost me $10 including scaling for the spike, in which case that's a fantastic deal. Half price! Or maybe it would be $100, 5x the price. I have no way of knowing in advance.
It's just not worth the risk.
dismalaf
If it's a free tier there should never have been a charge in the first place...
JJMcJ
This is an example of why cloud hosting is so scary.
Yes, Amazon, and I assume Azure and Google's cloud and others, "usually" refund the money.
But I don't want to be forced into bankruptcy because my five visitor a week demo project suddenly becomes the target of a DDOS for no reason at all and the hosting company decides this isn't a "usually" so please send the wire transfer.
tetromino_
If you sign up for electrical service for your house, and your shithead neighbor taps your line to power his array of grow lamps and crypto mining rigs, the power company will happily charge you thousands of dollars, and you will need a police report and traverse many layers of customer service hell to get a refund. If you sign up for water service and a tree root cracks your pipe, the water company will happily charge you thousands of dollars for the leaked water, and will then proceed to mandate that you fix the broken pipe at your own expense for a couple tens of thousands more; and yes, that may well bankrupt you, water company don't care. So why do you expect different treatment from a computing utility provider?
pixl97
You're right, but even if I cut the water pipe right after the meter and run it for a month I might get a few thousand dollar charge.
You can ring up tens of thousands+ overnight with AWS. The scale of potential damages is nowhere even close.
psychoslave
I don't know in US, but having limits on how much electricity a house is able to take from the grid is absolutely something in some countries out there.
ndsipa_pomu
The first instance is difficult to fix as crime can often involve substantial losses to people and often there's no route to getting a refund.
The broken water pipe should be covered by buildings insurance, but I can imagine it not being covered by some policies. Luckily a broken water pipe is likely not as expensive as not having e.g. third party liability protection if part of your roof falls off and hits someone.
Bluecobra
When I am playing around in the cloud I am super paranoid about charges, so I end up locking the ACLs to only permit traffic to my home IP. It’s too bad that they don’t have a better built in way of making sandbox labs. When I was doing cloud training with A Cloud Guru, it would generate a whole global AWS instance that would only last for 30 minutes.
psychoslave
Why don't you run locally?
JackSlateur
They have billing limits
https://docs.aws.amazon.com/cost-management/latest/userguide...
appreciatorBus
These aren’t limits though, they are just budget notifications.
What would be helpful, would be if when you set up your account there was a default limit – as in an actual limit, where all projects stop working once you go over it - of some sane amount like $5 or $50 or even $500.
I have a handful of toy projects on AWS and Google cloud. On both I have budgets set up at $1 and $10, with notifications at 10% 50% and 90%. It’s great, but it’s not a limit. I can still get screwed if somehow, my projects become targets, and I don’t see the emails immediately or aren’t able to act on them immediately.
It blows my mind there’s no way I can just say, “there’s no conceivable outcome where I would want to spend more than $10 or more than $100 or whatever so please just cut me off as soon as I get anywhere close to that.”
The only conclusion I can come to is that these services are simply not made for small experimental projects, yet I also don’t know any other way to learn the services except by setting up toy projects, and thus exposing yourself to ruinous liability.
agwa
Those are not in fact limits:
> There can be a delay between when you incur a charge and when you receive a notification from AWS Budgets for the charge. This is due to a delay between when an AWS resource is used and when that resource usage is billed. You might incur additional costs or usage that exceed your budget notification threshold before AWS Budgets can notify you, and your actual costs or usage may continue to increase or decrease after you receive the notification.
Foobar8568
As far as I know, neither Google, Amazon or Azure have a budget limit, only alerts.
This is a reason why I am not only clueless of anything related to cloud infrastructure unless it's stuff I am doing on the job, nor am I willing to build anything on these stacks.
And while I guess I have less than 10 products built with these techs, I am appalled by the overall reliability of the services.
Oh lastly, for Azure, in different European regions you can't instance resources, you need to go through your account representative who asks authorization from the US. So much for now having to deal with infrastructure pain. It's just a joke.
master_crab
As others have said these are not limits, just notifications. You can’t actually create a limit unless you self create one using another AWS service (surprise) like lambda to read in the reports and shut things down.
And as others have also mentioned, the reports have a delay. In many cases it’s several hours. But worst case, your CURs (Cost usage reports) don’t really reflect reality for up to 24 hours after the fact.
ldoughty
I work in this space regularly. There can be a delay of 2-3 days from the event to charge. Seems some services report faster than others. But this means by the time you get a billing alert it has been ongoing for hours if not days.
JackSlateur
To all of those who say "this is not limit, only notifications": yes, notifications that can trigger whatever you want, including a shutdown of whatever you have
Is this a perfect solution: no
Is this still a solution: yes
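The self-built limit that master_crab and JackSlateur describe, as an added example (not code from the thread or from AWS): a Lambda function subscribed to the SNS topic a budget alert publishes to, which throttles and stops a fixed list of resources. The topic ARN, function names and instance IDs are hypothetical, and because the alert lags usage, this bounds the loss only from the moment the notification arrives.

```python
"""Budget-alert circuit breaker: added example, not code from the thread or from AWS."""
import os

# Hypothetical configuration. Assumption: this SNS topic carries only the
# threshold alert of one AWS Budgets budget, so any message from it is a trip.
TOPIC_ARN = os.environ.get(
    "BUDGET_TOPIC_ARN", "arn:aws:sns:us-east-1:111122223333:budget-tripwire")
FUNCTIONS = [n for n in os.environ.get("PROTECTED_FUNCTIONS", "").split(",") if n]
INSTANCES = [i for i in os.environ.get("PROTECTED_INSTANCES", "").split(",") if i]


def trip_breaker(event, lambda_client, ec2_client, functions, instances, topic_arn):
    """Throttle functions and stop instances when a trusted budget alert arrives."""
    trusted = [
        r for r in event.get("Records", [])
        if r.get("EventSource") == "aws:sns"
        and r.get("Sns", {}).get("TopicArn") == topic_arn
    ]
    report = {"tripped": bool(trusted), "throttled": [], "stopped": [], "errors": []}
    if not trusted:
        return report  # ignore anything that did not come from the budget topic

    for name in functions:
        try:
            # Reserved concurrency 0 makes Lambda throttle every invocation;
            # code and configuration stay in place and can be re-enabled.
            lambda_client.put_function_concurrency(
                FunctionName=name, ReservedConcurrentExecutions=0)
            report["throttled"].append(name)
        except Exception as exc:  # keep going: one failure must not block the rest
            report["errors"].append(f"{name}: {exc}")

    if instances:
        try:
            # Stop, not terminate: EBS volumes persist, instance-store data is lost.
            ec2_client.stop_instances(InstanceIds=list(instances))
            report["stopped"] = list(instances)
        except Exception as exc:
            report["errors"].append(f"ec2: {exc}")
    return report


def handler(event, context):
    """Lambda entry point; boto3 ships with the Lambda Python runtime."""
    import boto3
    return trip_breaker(event, boto3.client("lambda"), boto3.client("ec2"),
                        FUNCTIONS, INSTANCES, TOPIC_ARN)


class RecordingClient:
    """Offline stand-in for a boto3 client: records calls, can fail on demand."""
    def __init__(self, fail_on=()):
        self.calls, self.fail_on = [], set(fail_on)

    def __getattr__(self, api_name):
        def call(**kwargs):
            if kwargs.get("FunctionName") in self.fail_on:
                raise RuntimeError("AccessDenied (simulated)")
            self.calls.append((api_name, kwargs))
        return call


def sns_event(topic_arn):
    """Constructed SNS-to-Lambda event; the message body is a placeholder."""
    return {"Records": [{"EventSource": "aws:sns",
                         "Sns": {"TopicArn": topic_arn, "Message": "budget alert"}}]}


def demo():
    lam, ec2 = RecordingClient(fail_on={"broken-fn"}), RecordingClient()
    spoofed = trip_breaker(sns_event("arn:aws:sns:us-east-1:999999999999:other"),
                           lam, ec2, ["api-fn"], ["i-0123456789abcdef0"], TOPIC_ARN)
    real = trip_breaker(sns_event(TOPIC_ARN), lam, ec2,
                        ["api-fn", "broken-fn"], ["i-0123456789abcdef0"], TOPIC_ARN)
    return spoofed, real, lam.calls, ec2.calls


if __name__ == "__main__":
    for part in demo():
        print(part)
```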
Loudergood
"Limits" like this are how I woke up one Sunday morning in my college dorm with a $7k bill from dreamhost.
meepmorp
To paraphrase Rainer Wolfcastle - the budgets do nothing!
You get a warning. There's no service cutoffs or hard limits on spending.
jcims
I've got a $25k bill right now because I had enabled data-plane audit logging on an sqs queue that about a year ago I had wired to receive a real-time feed of audit events. So for every net-new audit event there would be an infinite loop of write events to follow. My average daily bill is about $2 on that account and has been for nearly ten years. It suddenly ballooned to $3k/day and zero warning or intervention from AWS.
alkonaut
I would never use a cloud service that doesn't let me set a hard cap for any service. Not just an alert. A hard cap.
mikeocool
> I had them refund the bill (as in how am I going to pay it?) but to this day I've hated Amazon with a passion
They refunded you $100k with few questions asked, and you hate them for it?
I’ve made a few expensive mistakes on AWS that were entirely my fault, and AWS has always refunded me for them.
I imagine if Amazon did implement “shut everything down when I exceed my budget” there’d be a bunch of horror stories like “I got DDOSed and AWS shut down all my EC2s and destroyed the data I accidentally wrote to ephemeral storage.”
randallsquared
> They refunded you $100k with few questions asked, and you hate them for it?
They exposed him to 100K of liability without any way to avoid it (other than to avoid AWS entirely), and then happened to blink, in this case, with no guarantee that it would happen again. If you don't happen to have a few hundred thousand liquid, suddenly getting a bill for 100K might well be a life-ruiningly stressful event.
0cf8612b2e1e
Given how complicated configuring AWS is, surely there could be some middle ground between stop all running services and delete every byte of data. The former is surely what the typical low spend account would desire.
franktankbank
In what world is that not the preferable solution? Want to know if your shit is actually robust just set your cap and ddos yourself as the first test of your architecture.
VectorLock
Yes, a sign of resilient architecture is to shut down when it encounters some stress.
clickety_clack
I’ve never trusted AWS with personal work for exactly this reason. If I want to spend $20 on a personal project I should be able to put a cap on that directly, not wake up to a $100k bill and go through the stress of hoping it might be forgiven.
cjbgkagh
I use AWS out of expedience but I hate the no-hard-cap experience and this is my primary reason for shifting (WIP) to self hosting. Plus self hosting is cheaper for me anyway. In general I would like a legally forced liability limit on unbounded subscription services, perhaps a list maintained at the credit card level. If the supplier doesn’t like the limit they can stop supplying. The surprise $100K liabilities are pure insanity.
wiether
> When I was learning to program through a bootcamp I spun up an elastic beanstalk instance
Didn't the bootcamp tell you to, at least, set up a budget alert?
I'm not trying to reduce AWS' responsibility here, but if a teaching program tells you to use AWS but doesn't teach you how to use it correctly, you should question both AWS and the program's methods.
joshstrange
I thought this would be about the horrors of hosting/developing/debugging on “Serverless” but it’s about pricing over-runs. I scrolled aimlessly through the site ignoring most posts (bandwidth usage bills aren’t super interesting) but I did see this one:
https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-c...
About how you make unauth’d API calls to an s3 bucket you don’t own to run up the costs. That was a new one for me.
zahlman
> Imagine you create an empty, private AWS S3 bucket in a region of your preference. [...] As it turns out, one of the popular open-source tools had a default configuration to store their backups in S3. And, as a placeholder for a bucket name, they used… the same name that I used for my bucket.
What are the odds?
sherburt3
I believe they changed that shortly after that blog post went viral: https://aws.amazon.com/about-aws/whats-new/2024/08/amazon-s3...
jsheard
You have to wonder how many people quietly got burned by that in the 18 years between S3 launching and that viral post finally prompting a response.
Dunedan
I raised that exact same issue to AWS in ~2015 and even though we had an Enterprise support plan, AWS response was basically: well, your problem.
We then ended up deleting the S3 bucket entirely, as that appeared to be the only way to get rid of the charges, only for AWS to come back to us a few weeks later telling us there are charges for an S3 bucket we previously owned. After explaining to them (again) that this was our only option to get rid of the charges, we never heard back.
franktankbank
Seems an interesting oversight. I can just imagine the roundtable, uhh guys who do we charge for 403? Who can we charge? But what if people hit random buckets as an attack? Great!
pooper
> Seems an interesting oversight. I can just imagine the roundtable, uhh guys who do we charge for 403? Who can we charge? But what if people hit random buckets as an attack? Great!
It is amazing, isn't it? Something starts as an oversight but by the time it reaches down to customer support, it becomes an edict from above as it is "expected behavior".
> AWS was kind enough to cancel my S3 bill. However, they emphasized that this was done as an exception.
The stench of this bovine excrement is so strong that it transcends space time somehow.
thousand_bats
> I thought this would be about the horrors of hosting/developing/debugging on “Serverless” but it’s about pricing over-runs.
Agreed about that. I was hired onto a team that inherited a large AWS Lambda backend and the opacity of the underlying platform (which is the value proposition of serverless!) has made it very painful when the going gets tough and you find bugs in your system down close to that layer (in our case, intermittent socket hangups trying to connect to the secrets extension). And since your local testing rig looks almost nothing like the deployed environment...
I have some toy stuff at home running on Google Cloud Functions and it works fine (and scale-to-zero is pretty handy for hiding in the free tier). But I struggle to imagine a scenario in a professional setting where I wouldn't prefer to just put an HTTP server/queue consumer in a container on ECS.
fishmicrowaver
I've had similar experiences with Azure's services. Black boxes impossible to troubleshoot. Very unexpected behavior people aren't necessarily aware of when they initially spin these things up. For anything important I just accept the pain of deploying to kubernetes. Developers actually wind up preferring it in most cases with flux and devspace.
Ekaros
I recently had customer who had smart idea to protect Container Registry with firewall... Breaking pretty much everything in process. Now it kinda works after days of punching enough holes in... But I still have no idea where does something like Container registry pull stuff from, or App Service...
And does some of their suggested solutions actually work or not...
mikepurvis
Is that what people do is test/develop primarily with local mocks of the services? I assumed it was more like you deploy mini copies of the app to individual instances namespaced to developer or feature branch, so everyone is working on something that actually fairly closely approximates prod just without the loading characteristics and btw you have to be online so no working on an airplane.
icedchai
There are many paths. Worst case, I've witnessed developers editing Lambda code in the AWS console because they had no way to recreate the environment locally.
If you can't run locally, productivity drops like a rock. Each "cloud deploy" wastes tons of time.
tonkinai
Mocks usually don’t line up with how things run in prod. Most teams just make small branch or dev environments, or test in staging. Once you hit odd bugs, serverless stops feeling simple and just turns into a headache.
icedchai
Same, I was hoping for tales of woe and cloud lock-in, of being forced to use Lambda and Dynamo for something that could easily run on a $20/month VPS with sqlite.
kijin
The webflow one at the top has an interesting detail about them not allowing you to offload images to a cheaper service. Which you can probably work around by using a different domain.
siva7
How to destroy your competition. Love it. Also why I dislike AWS. Zero interest to protect their SMB customers from surprise bills. Azure isn't much better but at least they got a few more protections in place.
zahlman
I don't understand why it should be called "serverless" when using cloud infrastructure. Fundamentally you're still creating software following a client-server model, and expecting a server to run somewhere so that your users' clients work.
To me, "serverless" is when the end user downloads the software, and thereafter does not require an Internet connection to use it. Or at the very least, if the software uses an Internet connection, it's not to send data to a specific place, under the developer's control, for the purpose of making the software system function as advertised.
mahirsaid
Seems like there are mistakes that were made on behalf of the users. The attackers found these mistakes and took advantage of them. I don't think "serverless" is the problem.
caboteria
The real serverless horror isn't the occasional mistake that leads to a single huge bill, it's the monthly creep. It's so easy to spin up a resource and leave it running. It's just a few bucks, right?
I worked for a small venture-funded "cloud-first" company and our AWS bill was a sawtooth waveform. Every month the bill would creep up by a thousand bucks or so, until it hit $20k at which point the COO would notice and then it would be all hands on deck until we got the bill under $10k or so. Rinse and repeat but over a few years I'm sure we wasted more money than many of the examples on serverlesshorrors.com, just a few $k at a time instead of one lump.
TheSoftwareGuy
Sounds like your organization isn’t learning from these periods of high bill. What led to the bill creeping up, and what mechanisms could be put in place to prevent them in the first place?
jppope
this is really the AWS business model - you can call it the "planet fitness" model if you prefer. Really easy to sign up and spend money, hard to conveniently stop paying the money.
hvb2
You don't think this happens on prem? Servers running an application that is no longer used?
Sure they're probably VMs but their cost isn't 0 either
sgarland
With that model, your cost doesn't change, though. When/if you find you need more resources, you can (if you haven't been doing so) audit existing applications to clear out cruft before you purchase more hardware.
remus
That's the equivalent of saying "just audit your cloud usage and remove stuff that's no longer used".
petralithic
This is some good marketing for Coolify, which the author makes as an open source platform as a service. I prefer Dokploy these days though, since it seems to be less buggy, as Coolify seems to have such bugs due to being on PHP.
dakiol
> I had cloudflare in front of my stuff. Hacker found an uncached object and hit it 100M+ times. I stopped that and then they found my origin bucket and hit that directly.
Pardon my ignorance, but isn’t that something that can happen to anyone? Uncached objects are not something as serious as leaving port 22 open with a weak password (or is it?). Also, aren’t S3 resources (like images) public so that anyone can hit them any times they want?
solatic
No. Your buckets should be private, with a security rule that they can only be accessed by your CDN provider, precisely to force the CDN to be used.
rwmj
Why isn't that the default?
I'm glad I use a Hetzner VPS. I pay about EUR 5 monthly, and never have to worry about unexpected bills.
kdps
Don't they charge for every TB exceeding the included limit? (website says "For each additional TB, we charge € 1.19 in the EU and US, and € 8.81 in Singapore.")
wiether
Buckets are private by default.
And it's getting harder and harder to make them public because of people misconfiguring them and then going public against AWS when they discover the bill.
hvb2
Because just using a cdn without proper caching headers is just another service you're paying for without any savings.
The real question is if they considered caching and thus configured it appropriately. If you don't, you're telling everyone you want every request to go to origin
graemep
Because not all uses for buckets fit that.
Buckets are used for backups, user uploads, and lots of things other than distributing files publicly.
gdbsjjdn
This story is giving "I leave OWASP top 10 vulns in my code because hacker mindset".
It's not that hard to configure access controls, they're probably cutting corners on other areas as well. I wouldn't trust anything this person is responsible for.
charcircuit
It's about rate limiting, not access controls. Without implementing limits your spend can go above what your budget is. Without cloud you hit natural rate limits of the hardware you are using to host.
philwelch
That might be the more general solution but in this context it is absolutely also an access control issue.
mschuster91
with "classic" hosting, your server goes down from being overloaded to the hoster shutting it off.
with AWS, you wake up to a 6 figures bill.
gonzo41
No, s3 objects should always be private and then have a cloudfront proxy in front of them at the least. You should always have people hitting a cache for things like images.
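The "private bucket, readable only through the CDN" rule from solatic's and gonzo41's comments, as an added example that is not from the thread: an offline audit of a bucket policy document that reports public grants and checks that read access is pinned to one CloudFront distribution. The policy shape is the one used with CloudFront origin access control; the bucket name, account ID and distribution ARN are constructed.

```python
"""Audit an S3 bucket policy for CDN-only read access (added example)."""

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} style wildcards."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _source_arns(statement):
    """Values of aws:SourceArn under StringEquals/ArnEquals (names are case-insensitive)."""
    arns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() not in ("stringequals", "arnequals"):
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(value))
    return arns


def audit_bucket_policy(policy, distribution_arn):
    """Return a list of findings; an empty list means CDN-only access holds."""
    findings, cdn_pinned = [], False
    for index, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{index}]")
        principal = st.get("Principal")
        if _is_wildcard_principal(principal):
            if st.get("Condition"):
                findings.append(f"{sid}: wildcard principal, review its Condition")
            else:
                findings.append(f"{sid}: public Allow, requests can bypass the CDN")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CLOUDFRONT_SERVICE in services:
            if _source_arns(st) == [distribution_arn]:
                cdn_pinned = True
            else:
                findings.append(f"{sid}: CloudFront allowed but not pinned to this distribution")
    if not cdn_pinned:
        findings.append("no statement grants access to the expected distribution only")
    return findings


# Constructed sample data (not real resources).
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"

PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}

CDN_ONLY_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "AllowCloudFrontRead", "Effect": "Allow",
    "Principal": {"Service": CLOUDFRONT_SERVICE},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}}}}

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("cdn-only", CDN_ONLY_POLICY)):
        print(name, audit_bucket_policy(doc, DISTRIBUTION_ARN))
```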
the__alchemist
"Serverless" is an Orwellian name for a server-based system!
AndrewDucker
"Serverless" means you don't have to configure the servers, or know what servers, where, are running your code.
"Here's some code, make sure it runs once an hour, I don't care where."
Biganon
"There's no cloud; it's just someone else's computer"
Spivak
But your so called "no-code" system runs on code. Checkmate atheists.
There becomes a point where being mad that the specific flavor of PaaS termed serverless achtually has servers is just finding a thing to be mad at.
StevenWaterman
and your wireless modem has wires
magnusm
That's true!
jppope
This is a weird take on an incredibly useful paradigm (serverless). On the one side, there are obviously precautions that all of these users could have taken to avoid these charges on the other hand it's totally common to spin up a thing and forget about it or not do your due diligence. I totally feel for the people who have been hit with these charges.
At the end of the day though the whole thing feels like a carpenter shooting themselves in the foot with a nail gun then insisting that hammers are the only way to do things.
Havoc
Putting any sort of pay per use product onto the open internet has always struck me as insane. Especially with scaling enabled.
At least stick a rate limited product in front of it to control the bleed. (And check whether the rate limit product is in itself pay per use...GCP looking at you)
skippyboxedhero
Hetzner, 16TBx2 HDD, 1TBx2 SSD, 64GB RAM, 20TB free bandwidth, $70/month.
I used 1TB of traffic on a micro instance and it cost me $150 (iirc). Doesn't have to be this way.
The assignment of blame for misconfigured cloud infra or DOS attacks is so interesting to me. There don't seem to be many principles at play, it's all fluid and contingent.
Customers demand frictionless tools for automatically spinning up a bunch of real-world hardware. If you put this in the hands of inexperienced people, they will mess up and end up with huge bills, and you take a reputational hit for demanding thousands of dollars from the little guy. If you decide to vet potential customers ahead of time to make sure they're not so incompetent, then you get a reputation as a gatekeeper with no respect for the little guy who's just trying to hustle and build.
I always enjoy playing at the boundaries in these thought experiments. If I run up a surprise $10k bill, how do we determine what I "really should owe" in some cosmic sense? Does it matter if I misconfigured something? What if my code was really bad, and I could have accomplished the same things with 10% of the spend?
Does it matter who the provider is, or should that not matter to the customer in terms of making things right? For example, do you get to demand payment on my $10k surprise bill because you are a small team selling me a PDF generation API, even if you would ask AWS to waive your own $10k mistake?