A three-person agency with a normal AWS bill of $10 to $15 per month received a $14,000 charge in a single day after attackers extracted static access keys from an EC2 instance and burned through Claude model invocations on Amazon Bedrock.
Tobias Schmidt, an AWS consultant, described the incident on LinkedIn: the team had experimented with a Bedrock chatbot using existing access keys, and two defaults amplified the damage. The keys carried Bedrock Full Access, and AWS had removed the model-access toggle in 2025, leaving all models enabled by default. Moreover, the application was designed to use Haiku, with an expected bill under $100.
It is not the first incident of its kind; at least a pattern is repeating across cloud cost forums. An AI agent or a leaked agent credential burns thousands of dollars before anyone notices, because cloud billing alerts lag roughly a day behind actual spend. Both incidents, each documented by the practitioners involved, show the same structural mismatch between autonomous spend velocity and guardrails designed for human-speed mistakes.
The most detailed case is the DN42 incident from May, documented by network engineer Lan Tian and discussed at length on Hacker News. An operator gave an autonomous agent full AWS access and a deadline to port-scan DN42, a hobbyist BGP network where most nodes run on small VPS instances. The agent decided the job required five m8g.12xlarge instances with 48 vCPUs and 22.5 Gbps of bandwidth each, plus load balancers and Lambda functions, to scan the address space "at 20 Gbps with redundancy and fail-over capacity." It then reapplied its CloudFormation template repeatedly, duplicating the stack. The operator noticed a day later when their card was charged $6,531.30. AWS later negotiated the bill down to $1,894. The workload, by community estimates, would have fit on a $5-per-month VPS.
The common thread across both incidents: detection came from the credit card, not from AWS. Billing data in Cost Explorer lags up to 24 hours. AWS Budgets evaluates against that delayed data, so budget actions fire after the money is spent. Magnus Eriksson, a cloud architect and former AWS employee, put it bluntly in the comments on Schmidt's post:
Sadly AWS budget controls are not very efficient as billing is delayed 24h. True customer obsession should make AWS turn billing at least "semi realtime".
Igor Zhdanko, a solutions architect at Regula, explained why GenAI credentials have become a distinct class of target:
I keep seeing more incidents like this around Bedrock. With traditional cloud resources, attackers still need infrastructure they can monetize. With GenAI APIs, stolen credentials can turn into thousands of dollars in usage almost instantly. IAM roles, least privilege, model restrictions, budgets, and a kill switch should be standard from day one.
That distinction reframes the threat model. A stolen key used for crypto mining requires the attacker to provision instances, evade detection, and convert compute into currency over days. A stolen key with Bedrock access converts directly into resellable model invocations at API speed, with no infrastructure for the attacker to run and no lag between theft and monetization.
Schmidt's follow-up analysis argues the failures were preventable with existing controls applied before autonomy, not after:
SCPs that block expensive instance families in member accounts. An agent that can only launch small instances caps its own damage. CloudTrail with alerts on RunInstances for large instance types. You know within minutes, not when the card gets charged. AWS Budgets and Cost Anomaly Detection as the safety net when everything else fails.
His summary of the moment:
We are all handing agents cloud credentials right now. Guardrails first, autonomy second.
Even that layered approach has a timing gap that another practitioner on the thread quantified: budget actions evaluate on AWS's budget refresh cadence, so a key-theft burst can run for hours before an SCP lands, which at Claude rates on Bedrock covers the entire $14,000. Per-service anomaly detection scoped to Bedrock, rather than the account total, shortens that window. The deeper inversion: CloudTrail records a RunInstances or InvokeModel call within minutes, while its cost appears in billing data a day later. Teams that alert on provisioning events catch runaway agents at action time; teams that alert on spend catch them at invoice time. For an agent provisioning in a loop, the difference is the entire bill.
The identity patterns matter as much as the alerting. The $14K incident traces to static access keys on an EC2 instance, a pattern IAM roles have made unnecessary for over a decade. The DN42 incident traces to a single credential with unrestricted provisioning rights and no spend scope. Scoped credentials, short-lived tokens, and SCPs that deny expensive instance families to agent-operated accounts turn a five-figure incident into a blocked API call.
For teams giving agents cloud credentials today, the starting architecture follows from the two failure modes. Run each agent workload in a dedicated member account, so an SCP can deny large instance families and unused model families without affecting anything else. Wire CloudTrail event alerting on RunInstances, InvokeModel, and CreateStack before issuing the first credential, because that alerting works at action time while every budget-based control works at invoice time. Use IAM roles or short-lived tokens exclusively, and scope Bedrock access to the specific models the application calls rather than accepting the full-access default. None of this requires new tooling; both incidents would have ended as blocked API calls under controls that have existed for years.
The DN42 operator's own takeaway, according to Lan Tian's chat logs, was that "next time a better agent is needed." The DN42 community's response on IRC was to ban the agent and adopt a new rule: only real people can participate. Between those two reactions sits the actual work: cloud providers closing the gap between spend and visibility, and platform teams treating agent credentials with the same blast-radius thinking they apply to production deploy keys.