Bucketsquatting Is (Finally) Dead
- #AWS S3
- #Cloud Security
- #Bucketsquatting
- AWS has introduced namespace protection for S3 bucket names to stop bucketsquatting (also called bucketsniping), where an attacker pre-registers a bucket name that another account is expected to use.
- Namespaced bucket names take the form `<yourprefix>-<accountid>-<region>-an`; a name in this form can only be created by the account whose ID appears in it, so nobody else can claim it in advance.
- AWS recommends using the namespaced form by default for all new buckets.
- Administrators can make the namespaced form mandatory across an organization with a service control policy (SCP) that uses the `s3:x-amz-bucket-namespace` condition key.
- Existing buckets are not retroactively protected: the guarantee applies only to buckets created under the new scheme, so data in legacy buckets must be migrated to new namespaced buckets to benefit.
- Google Cloud Storage and Azure Blob Storage address the same class of problem through different mechanisms of their own.
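Because the protection does not extend to existing buckets, the practical first step is an inventory: which bucket names already follow the namespaced form, and which are still globally claimable legacy names. The script below is an added example (not code from the original post and not an AWS tool) that parses names against the `<prefix>-<accountid>-<region>-an` form described above and classifies them. The region pattern, the general S3 bucket-name rules it enforces (3-63 characters, lowercase letters, digits and hyphens), and the sample bucket list are constructed assumptions for the example.

```python
"""Audit S3 bucket names against the account-namespaced naming form.

Added example, not code from the original post or from AWS. It assumes the
namespaced form `<prefix>-<accountid>-<region>-an`; the region regex and the
sample bucket list below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

NAMESPACE_SUFFIX = "an"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# AWS region identifiers: two-letter area, one or more words, trailing digit
# (us-east-1, eu-west-2, ap-southeast-3, us-gov-west-1). Assumed pattern.
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")
# General S3 rules: 3-63 chars, lowercase alphanumerics and hyphens,
# no leading/trailing hyphen. Dots are deliberately not accepted here.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


@dataclass
class ParsedName:
    prefix: str
    account_id: str
    region: str


def parse_namespaced_name(name: str) -> Optional[ParsedName]:
    """Return the components if `name` is in the namespaced form, else None.

    The region segment has a variable number of hyphenated parts, so we walk
    back from the `-an` suffix and accept the rightmost 12-digit segment that
    is followed by a well-formed region.
    """
    if not BUCKET_NAME_RE.match(name):
        return None
    parts = name.split("-")
    # minimum: prefix, account id, 3-part region, suffix
    if len(parts) < 6 or parts[-1] != NAMESPACE_SUFFIX:
        return None
    body = parts[:-1]
    for i in range(len(body) - 1, 0, -1):  # index 0 is reserved for the prefix
        if ACCOUNT_ID_RE.match(body[i]):
            region = "-".join(body[i + 1:])
            if REGION_RE.match(region):
                return ParsedName("-".join(body[:i]), body[i], region)
    return None


def build_namespaced_name(prefix: str, account_id: str, region: str) -> str:
    """Compose a namespaced name and reject inputs that break S3 name rules."""
    if not ACCOUNT_ID_RE.match(account_id) or not REGION_RE.match(region):
        raise ValueError("account_id must be 12 digits and region an AWS region id")
    name = f"{prefix}-{account_id}-{region}-{NAMESPACE_SUFFIX}"
    if not BUCKET_NAME_RE.match(name):
        raise ValueError(f"{name!r} violates S3 bucket-name length/charset rules")
    return name


def audit(bucket_names: Iterable[str], expected_account: str) -> Dict[str, str]:
    """Classify each name as:
    'namespaced'          - namespaced form carrying the expected account id
    'mismatched-account'  - namespaced form but a different account id
                            (possible only for buckets created before the
                            feature existed; worth a manual look)
    'legacy'              - not in the namespaced form; the name is still
                            claimable by anyone if the bucket is ever deleted
    """
    report: Dict[str, str] = {}
    for name in bucket_names:
        parsed = parse_namespaced_name(name)
        if parsed is None:
            report[name] = "legacy"
        elif parsed.account_id != expected_account:
            report[name] = "mismatched-account"
        else:
            report[name] = "namespaced"
    return report


# Constructed sample inventory standing in for a real ListBuckets response.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_BUCKETS = [
    "billing-logs-123456789012-us-east-1-an",  # namespaced, ours
    "billing-logs",                             # legacy global name
    "ml-data-123456789012-us-gov-west-1-an",    # namespaced, 4-part region
    "shared-210987654321-eu-west-2-an",         # namespaced form, other account
    "oops-123456789012-us-east-1",              # suffix missing: not namespaced
]

if __name__ == "__main__":
    for bucket, verdict in audit(SAMPLE_BUCKETS, SAMPLE_ACCOUNT).items():
        print(f"{verdict:<20} {bucket}")
```

To run this against a real account, replace `SAMPLE_BUCKETS` with the names from `boto3.client("s3").list_buckets()["Buckets"]` and `SAMPLE_ACCOUNT` with the caller's account ID. Every `legacy` entry is a migration candidate; `build_namespaced_name` gives the target name and fails early if the combined name would exceed the 63-character limit.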