All cheat sheets
Storagecheat sheet

S3 Requester Pays

Shift S3 download bandwidth and request fees to the people pulling your data — the sustainable model for public datasets and automatic internal chargeback, at the cost of requiring authenticated requests.

Last reviewed: July 11, 2026

TL;DR: Requester Pays flips who pays for downloads: you keep paying for storage; whoever fetches the data pays the egress (~$0.09/GB) and GET fees on their AWS account. It's the difference between "we can keep sharing this dataset" and a quarterly bandwidth panic — and internally, it makes chargeback automatic. The hard constraint: requests must be authenticated (--request-payer requester), so anonymous public access stops working the moment you flip it.

The numbers

  • Owner still pays: storage, PUT/DELETE, replication, lifecycle, analytics
  • Requester pays: data transfer out + GET/SELECT request fees — usually the dominant cost of a hot dataset
  • Worked example from the source workflow: a nonprofit hosting 50 TB of climate data with 10 TB/month of researcher downloads was eating ~$900/month in egress on top of ~$1,150 storage; Requester Pays moved the $900 to the consuming institutions

Do this

  1. Find the bucket where egress > storage on the bill (Cost Explorer, filter S3 usage types to DataTransfer-Out-Bytes). That's the candidate.

  2. Docs first, switch second. The rollout order that avoids a support-ticket wave: update the README/portal ("this dataset uses Requester Pays; you need an AWS account and the flag"), announce it, then flip:

    aws s3api put-bucket-request-payment --bucket YOUR-BUCKET \
      --request-payment-configuration Payer=Requester
    
  3. Show consumers the magic words:

    aws s3 cp s3://shared-bucket/dataset.parquet . --request-payer requester
    

    (SDK/API: the x-amz-request-payer: requester header.) Without it they get Access Denied — there's no graceful fallback.

  4. Test on one low-traffic bucket first, verify flagged requests work and unflagged ones fail cleanly, then roll to the heavy hitters.

  5. Pair with S3 Access Logs + Athena so you can see who pulls what — once consumers pay their own way, usage analytics become both possible and politically easy.

Gotchas

  • Anonymous access is dead on arrival. AWS must know whom to bill. Public-website buckets, unauthenticated portals, and unsigned CloudFront origins are ineligible without rearchitecting.
  • Expect one bumpy week internally — legacy scripts and notebooks fail until people add the flag. A Slack post and a wiki entry clear most of it.
  • It shifts reads, not everything. Storage, writes, versioning, and replication stay on your bill; the win is egress + GETs.
  • Non-technical audiences hate the friction. If your consumers can't handle a CLI flag, consider CloudFront with caching or the AWS Open Data program instead.

Skip this if

  • The data must stay anonymously public.
  • Egress is immaterial (small files, rare pulls) — the friction isn't worth it.
  • Your real problem is your own traffic patterns — that's a CloudFront/egress conversation, not a billing-shift one.

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing an AWS account for S3 Requester Pays opportunities.
Use the AWS CLI with READ-ONLY credentials. Do not create, modify, or
delete anything — report findings and recommended (unapplied) fixes only.

1. Per bucket: current Requester Pays state
   (aws s3api get-bucket-request-payment), bucket policy (is it shared
   cross-account or public?), and size.
2. Find egress-heavy shared buckets: if Cost Explorer access is
   available, pull S3 DataTransfer-Out-Bytes by usage type; otherwise
   use CloudWatch request metrics (BytesDownloaded) where enabled.
   Candidates = buckets where monthly egress cost rivals or exceeds
   storage cost AND consumers are external accounts or other internal
   BUs (bucket policy grants to foreign principals).
3. Hard blocker check: buckets serving ANONYMOUS public reads (public
   policy / website hosting / CloudFront origin without OAC signing) —
   Requester Pays breaks anonymous access; list these as ineligible or
   needing a distribution rethink.
4. Estimate the shift: egress ~$0.09/GB (first tiers) plus GET fees
   move to requesters; owner keeps storage + writes.

Report: candidate table (bucket | size | est. egress $/mo | consumers |
eligible?), the ineligible-but-expensive list with alternatives
(CloudFront, AWS Open Data program), and a rollout checklist (docs
first, announce, flip one low-traffic bucket, then the big ones). Do
NOT change any bucket settings.
Works with any assistant that can run shell commands.

Want the guided version?

The S3 Requester Pays walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough