isugimpy · 6 years ago
As somebody who deals with AWS professionally on a daily basis, I will 100% admit that it can be confusing for people to figure out pricing and scale. I have to talk with engineers every week about design decisions and their cost impacts, and the implications of the things they want to run, and it's clear that AWS doesn't give enough guidance in the UI or documentation structured in a way that a layperson could find what they're looking for quickly and easily for that information.

That said? This article rubs me the wrong way. The suggestion that this problem is caused by "dark patterns" and Amazon being misleading about "pay as you go" screams FUD to me. The screenshots provided right in the article clearly show that what was being done wasn't eligible for free tier. And not understanding that launching a resource, regardless of whether or not you're interacting with it, is consuming the service which launches the resource is a problem with the user, not the marketing. Yes, the author admits that they didn't scrutinize, but that doesn't excuse the position of the article that AWS is somehow doing this to intentionally bilk people.

dfdz · 6 years ago
My favorite part is how half of the screenshots include a clearly marked "Free Usage Tier" option that OP did not select

https://blog.andrewray.me/content/images/2018/03/Screen-Shot...

Dark UI indeed.

https://blog.andrewray.me/content/images/2018/03/aws-rds-now...

tjbiddle · 6 years ago
So, let me get this straight:

- OP ignores the obvious "This does not fit the free tier" warnings when setting up their app.
- OP does not pay attention to any billing metrics or even bother to try and understand the pricing beforehand.
- OP gets hit with a $990 bill.
- Amazon gives all the money back, plus free credits.
- OP complains.

AWS should have kept their money and OP should've learned their lesson proper.

bovermyer · 6 years ago
The author of the post also calls out that the mistake was his, despite the occasional muttering about "dark UI patterns."

I spend a lot of time in AWS, and I have trained myself to be extra careful about reading the fine print when using the UI exactly for the reason the author describes.

The author calling out his own stupid mistakes elevates him in my eyes, not the reverse. Honesty and recognition of wrongdoing in oneself are important traits.

znpy · 6 years ago
> The author of the post also calls out that the mistake was his, despite the occasional muttering about "dark UI patterns."

Yeah I saw that line, and lolled. The author does indeed admit his/her mistakes, but proceeds to kinda blame it on AWS anyway.

It's like saying "look I am no racist but <insert some very bad racist phrase here>".

asynch8 · 6 years ago
The problem that I had with AWS was that it felt hella confusing, flooding you with information about services they provide and their AWS-specific buzzwords, sort of drowning out a lot of the important info.

omarhaneef · 6 years ago
If we are trading war stories:

I was playing around with some tutorial to learn something (probably something cool like programming your own robotic drone using functional erlang or whatever), pushed to github and went to sleep. Woke up a few short hours later and had lots of emails about the machines I was spinning up.

Checked and saw that my account had racked up thousands of dollars overnight (I think 6-8 hours), and I started to shut down the machines.

I didn't get them all, there were more machines hidden, and the bills continued to pile up for another hour or two.

I contacted Amazon who shut it all down, and I reset my password.

Then I realized I had pushed my credentials to github (I should really put this under a pseudonym, but I was new to the whole thing and hadn't even looked into Amazon's authentication system. Obviously, billing credentials and sysadmin credentials should never be the same.) Someone had a scraper going that picked them up almost right away.

To Amazon's credit, they cancelled the charges within a few hours, and if memory serves the person investigating gave me a sympathetic but stern message.

I don't know who the credential-stealer was and what they were using it for, but I would guess crypto mining. I did some calculation at the time and I think they would have extracted about 1/3rd the value of my bill, but those were rough calculations.
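
Added example, not part of any comment in this thread: a pre-commit check for the failure described above, AWS keys committed to a Git repository. It scans only the added lines of a staged diff; the function name `scan_added_lines` is an assumption of this example, and the sample diff is constructed using AWS's documented placeholder credentials.

```python
import re
import subprocess
import sys

# Access key IDs: AKIA = long-term IAM user key, ASIA = temporary STS key.
KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# 40 base64-like chars after a "secret" label, to avoid matching plain hashes.
SECRET = re.compile(
    r"(?i)secret[\w-]*\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

# Constructed sample; the two values are AWS's documented placeholder keys.
SAMPLE_DIFF = """\
diff --git a/deploy.py b/deploy.py
--- a/deploy.py
+++ b/deploy.py
@@ -1,2 +1,4 @@
 import boto3
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 client = boto3.client("ec2")
"""


def scan_added_lines(diff_text):
    """Return (file, line_no, kind) for each credential on an added line."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):            # "@@ -a,b +c,d @@"
            line_no = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):             # added line: scan it
            line_no += 1
            if KEY_ID.search(line):
                findings.append((path, line_no, "access-key-id"))
            if SECRET.search(line):
                findings.append((path, line_no, "secret-access-key"))
        elif not line.startswith("-"):         # context line
            line_no += 1
    return findings


if __name__ == "__main__":
    # Used as .git/hooks/pre-commit: a non-zero exit blocks the commit.
    staged = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                            text=True, check=True).stdout
    hits = scan_added_lines(staged)
    for path, line_no, kind in hits:
        print(f"{path}:{line_no}: possible AWS {kind}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A key that has already reached a remote should be treated as exposed and rotated; this check only stops new ones from being committed.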

moksly · 6 years ago
Credentials on github is actually a fairly common cause for GDPR breach, not as common as people using auto-complete in their e-mail system, but it’s up there.

So you’re not as alone as you think, and these aren’t from people trying to learn something, it’s from big enterprise IT organisations.

raxxorrax · 6 years ago
Auto-completing e-mail addresses is a GDPR violation? Because you could iterate them and see all the contacts? Seriously?

jrockway · 6 years ago
I really don't think this is a UX problem. It was pretty clear that there were two options, production-ready and free. If you want to be picky, I suppose you can be upset that RDS is just a couple of VMs that you can't run other things on, or to question how much performance benefit a certain number of provisioned IOPS gives you. I don't think that's a dark pattern so much as "we don't know what your workload looks like, you don't know what your workload looks like, so just provision a bunch of IOPS and hopefully we never speak again."

I am less surprised that the mental model fell apart. I guess a lot of people think cloud resources are something that is efficiently shared (consider S3, you pay per byte you store, store 0 bytes, pay $0). But that's actually a rare case, most of the time you are provisioning something for your exclusive use; if you have a database server it costs you the same whether it's doing 10000 transactions per second or sitting completely idle and never logged into.

(Incidentally, the true sharing model used to be popular. Shared hosting with no isolation between tenants predated AWS by a decade. You got a chunk of a computer and shared Apache, MySQL, and PHP with hundreds of other randoms. Very cheap!)

javagram · 6 years ago
If using AWS for personal use the first step should always be to set up a billing alarm. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitori...

It’s very helpful. You can still end up overspending but at least you get an email within a day letting you know what’s going on, which can solve a lot of the cost overruns by giving you a chance to act quickly and only get hit with 1/30 the monthly fee.

txcwpalpha · 6 years ago
AWS Budgets is a much better tool for this. It’s simpler to set up, no futzing with CloudWatch, and also alerts you when forecasted usage will exceed a set amount, so you are much less likely to overspend.

https://aws.amazon.com/aws-cost-management/aws-budgets/

CoolGuySteve · 6 years ago
Why is this an extra step instead of something AWS always does?

As both services and permissions multiply, the user experience of AWS is getting worse and worse. How would you even know to set up CloudWatch if it’s your first time using the service?

txcwpalpha · 6 years ago
By default, AWS already automatically notifies you when you exceed 85% of your free tier usage. The author did not get these alerts because he ignored the multiple warnings that he was using services not included in the free tier. Because he wasn’t using the free tier, he didn’t get alerts for the free tier.

And even when not using free tier, one of the first things AWS tells you to do when creating an account is set up billing alerts.

I’ll be the first person to line up and say that the AWS console and UI is atrocious, especially for hobby devs. But this wasn’t that. The author completely ignored the multiple warnings, got himself into a pickle, got it resolved, and is still complaining about it.

digitalsushi · 6 years ago
Why is it an extra step to request a wake up call when you get a hotel room? Just call every room at 6am.

Why is it an extra step to set a timer when you turn the oven on? Just set it to 60 minutes.

Why doesn't every toothbrush beep when you didn't brush long enough?

Why aren't the police keeping track of my children when they go outside?

srndh · 6 years ago
Why not have a system of pre-paid service? Cut-off once the fund dries up. This will be ideal for testing.

mannykannot · 6 years ago
For many businesses, the prospect of being cut off as a result of unexpected demand would be a serious liability, so therefore this would have to be an option -- but if it is an option, the customer has to select between it or an alternative, which is exactly the problem in this case.

Free tier is even more ideal for testing than this proposal, but the only way you can make options foolproof is to have no options.

rjkennedy98 · 6 years ago
My girlfriend's first "Free Tier" hosting build was $5200 for ingesting a single document on Kendra. After nearly a month of working with the service team she was able to get the bill removed (even the service team did not know how to delete the app). It's insane that an overage charge on a "Free tier" service can be the price of a used car or multiple months of rent.

Jonnax · 6 years ago
Well their free tier is a list of free amounts you can consume of various services. Azure and GCP require you to switch to a Pay as you go scheme if you want to spend money. But AWS from day one you can consume things that cost money.

They say you get 30 days of free usage but with a 5k a month cost, no way I'd risk it with my card. https://aws.amazon.com/kendra/pricing/

Mo3 · 6 years ago
I'm sorry, but that's on him. Look at the first screenshot in "Default Configuration". It says so very clearly. Twice. He admitted he didn't care, this is what happens when you don't.

altmind · 6 years ago
I wish AWS had hard spending limits. Azure have one - you spend over the set limit (probably per billing account?) and your services are suspended. Already saved me from an unexpected bill this month.

xtajv · 6 years ago
I like this option. It reminds me of a similar issue (which eventually got native AWS support): S3 permissions.

Today, there's a "Block Public Access" button which basically says "I solemnly swear that I don't want anyone outside of my account to see this S3 bucket. Please don't put this bucket on the public internet, even if I screw up my bucket policy and/or ACLs"

The option is off by default, but it's easy to find, simple to understand, and doesn't force powerusers to give up control.

[0] https://aws.amazon.com/blogs/aws/amazon-s3-block-public-acce...

code4tee · 6 years ago
Just set up billing alarms. Spend is reported continuously. These people surprised by end of month bills just aren’t paying attention to all the data AWS shows you on your spend.

If they hard shut people down then people would be posting “AWS turned off my services and took my site down blah blah blah”

tasogare · 6 years ago
What about having choice? Hard limit and alert? I’ve been bitten by overspending accidentally on Azure (only ~30€ but still) so the hard cap is a real reassuring thing.