by staticassertion 1633 days ago
Well, yeah, of course they're stuck with the bill. I feel like people think AWS is supposed to have infinite guard rails regardless of what the engineers using it do, like when people write code that infinite loops and it blows up their bill.

AWS gives money back in a lot of cases that I think they legitimately aren't responsible for.

I don't know that other cloud providers are going to do any better - an attacker who has your credentials and spins up tens of thousands of dollars of infra will cost you thousands of dollars.

I'll certainly echo the advice for 2FA but, more importantly, use a strong, unique password.

4 comments

I don't feel that some kind of quota management or predictable pricing is a significant ask. Most people or orgs do not need instant and infinite scaling, and would rather have a 1-hour outage while they sort things out than a $100,000 bill for a minor bug.
Don't use a "cloud" vendor then? Just use a VPS vendor.
Should I just rewrite and host stuff like S3, RDS, ECS, Route53, CloudWatch, CloudFront, Lambda, etc. just because I want a spending limit?

Your argument makes no sense at all. You may feel like using production-ready hosted cloud services and still want a spending limit. Renting a single VPS might not solve all your issues.

Some people just want to use AWS because it is convenient. I could just set up a VPS with RabbitMQ, Nexus and Postgres, set up cron to post systemd status and use the provider's CDN offering to accomplish most of that. Probably doesn't suit your requirements.
The entire point of AWS is to avoid downtime at the expense of convenience and cash. There's no reason to use it if you're willing to sacrifice its reason for existence.
Why should a customer be stuck with the bill in the case of fraud? If someone fraudulently buys something in a store with my stolen credit card, I am not liable to pay for those purchases. Why would it be different for AWS services?
Right, but if someone buys say a shirt with your stolen card, it isn’t the store that picks up the bill. It’s the credit card company.
It depends on the merchant agreement, but merchants are often liable for the fraudulent charge, especially for online sales.
Sometimes the merchant does pay for a fraudulent transaction, and sometimes the issuing bank does. The credit card networks never pay. It depends on several factors including whether the card was physically present and whether it was swiped or used a chip.
This is just untrue though, my company has to eat the cost of fraudulent transactions and the burden is squarely on us to prevent it.
If you’re using Stripe or PayPal then yes it is the store owner who would be “picking up the bill”.
I'm surprised MFA isn't mandated by default. It is in Azure:

https://docs.microsoft.com/en-us/azure/active-directory/fund...

That link looks like MFA can be disabled but this chart shows otherwise (baseline versus opt-in enhanced): https://docs.microsoft.com/en-us/azure/active-directory/fund...
Yep, buying goodwill is very effective.