
Bucketsquatting Finally Dead: AWS Ends Attack March 2026

AWS killed bucketsquatting yesterday (March 12, 2026) with account regional namespaces for S3 buckets. Only your AWS account can create buckets whose names carry your account ID in the new namespace format, which eliminates a weakness that enabled large-scale supply chain attacks. Security researchers previously showed that, for about four hundred dollars, they could register abandoned bucket names and intercept 8 million requests to them, including traffic from government networks and Fortune 500 companies. That attack surface just disappeared for new buckets.

What Bucketsquatting Was and Why It Was Dangerous

Bucketsquatting exploited S3’s globally unique naming system. When you deleted a bucket, anyone could claim that name seconds later. Attackers registered deleted bucket names and intercepted data or served malicious content to applications still referencing the old bucket.

watchTowr researchers spent about four hundred dollars to register roughly 150 abandoned bucket names and received over 8 million requests to them within two months. The requests were for software updates, unsigned binaries, VM images, and SSL VPN configurations from government networks in the US, UK, Poland, Australia, South Korea, Turkey, Taiwan, and Chile. Military systems, Fortune 500 companies, major payment networks, and global banks all fetched content from buckets that were by then owned by the researchers. Had an attacker held those names instead, the resulting supply chain compromise would have dwarfed SolarWinds.

Organizations using predictable bucket names like company-prod-us-west-2 or app-backups-eu-central-1 were especially exposed. An attacker could infer the naming pattern, watch for the bucket to be deleted, and claim the name before the original owner noticed. Because the global namespace is first come, first served, with no grace period after deletion and no ownership verification, every deletion opened a race that the attacker only needed to win once.

How AWS Fixed It: Account Regional Namespace

Names in the new namespace follow the format prefix-accountid-region-an, for example myapp-123456789012-us-west-2-an. The -an suffix marks the account namespace. Only the account whose ID is 123456789012 can create buckets with that pattern; if any other account tries, AWS rejects the request with an InvalidBucketNamespace error.

Even after you delete such a bucket, only your account can re-create it, so the race condition is gone. The namespace works with all existing S3 features at no additional cost and is available in 37 AWS regions, including AWS China and GovCloud. Buckets created this way are functionally identical to global namespace buckets; the only difference is the ownership protection on the name.

What Developers Must Do Now

Adopt the account regional namespace for all new buckets immediately. Update your infrastructure-as-code templates (Terraform, CloudFormation, CDK) to emit the new naming format. Security teams can enforce this org-wide with a Service Control Policy that uses the new s3:x-amz-bucket-namespace condition key to deny s3:CreateBucket unless the namespace equals account-regional.

For critical existing buckets, such as public-facing dependencies and supply chain artifacts, plan a manual migration. S3 does not support renaming a bucket, so you create a new bucket in the account namespace format, copy the data, update every reference in code, configuration, and documentation, verify that nothing still fetches from the old name, and only then retire the old bucket. Deleting the old bucket is the moment a squat becomes possible, so consider keeping the legacy name registered as an empty bucket with a deny-all policy rather than releasing it. Prioritize high-risk buckets first: those with predictable names or external dependents.
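To make the naming format, the ownership check, and the enforcement and migration steps above concrete, here is an added example in Python. It is not AWS code and not from the article: it builds and parses names in the prefix-accountid-region-an format, simulates the CreateBucket ownership rule, triages a constructed bucket inventory so that predictably named legacy buckets are migrated first, and emits the Service Control Policy described in this section. The name format, the InvalidBucketNamespace error name, and the s3:x-amz-bucket-namespace condition key with the value account-regional are taken from the article; the regular expressions, the region pattern, the triage heuristic, and the sample inventory are this example's own assumptions.

```python
"""Account regional namespace helpers for S3 bucket names.

Added example, not AWS code. The prefix-accountid-region-an format, the
InvalidBucketNamespace error name and the s3:x-amz-bucket-namespace SCP
condition key follow the article; the regexes, region pattern, triage
heuristic and sample inventory below are assumptions made for this example.
"""
import json
import re
from typing import Dict, List, Optional

# <prefix>-<12-digit account id>-<region>-an. The region pattern is an
# assumption that covers commercial, China and GovCloud regions
# (us-west-2, cn-north-1, us-gov-west-1).
_NAMESPACE_RE = re.compile(
    r"^(?P<prefix>[a-z0-9][a-z0-9.-]*)-(?P<account>\d{12})"
    r"-(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)-an$"
)
# General S3 naming rule: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Legacy names containing these words or a region string are easy to guess,
# so they go to the front of the migration queue (heuristic, an assumption).
_PREDICTABLE = ("prod", "staging", "dev", "backup", "assets", "artifacts", "releases", "updates")
_REGION_IN_NAME = re.compile(r"[a-z]{2}-[a-z]+-\d")


def account_namespace_name(prefix: str, account_id: str, region: str) -> str:
    """Build a namespace bucket name and refuse anything S3 would reject."""
    name = f"{prefix}-{account_id}-{region}-an"
    if not (_BUCKET_RE.match(name) and _NAMESPACE_RE.match(name)):
        raise ValueError(f"{name!r} is not a valid account-namespace bucket name")
    return name


def parse_namespace_name(name: str) -> Optional[Dict[str, str]]:
    """Split a namespace name into prefix/account/region, or None for legacy names."""
    m = _NAMESPACE_RE.match(name)
    if m is None or not _BUCKET_RE.match(name):
        return None
    return m.groupdict()


def simulate_create(name: str, caller_account_id: str) -> str:
    """Model the CreateBucket ownership rule from the article.

    Returns 'global' for a legacy name (anyone may claim it, which is the
    squatting problem), 'account' when the caller owns the embedded account
    ID, and 'InvalidBucketNamespace' when another account tries to use it.
    """
    parsed = parse_namespace_name(name)
    if parsed is None:
        return "global"
    if parsed["account"] != caller_account_id:
        return "InvalidBucketNamespace"
    return "account"


def triage(names: List[str], account_id: str) -> Dict[str, List[str]]:
    """Sort an inventory into compliant names and two migration priorities."""
    out: Dict[str, List[str]] = {"compliant": [], "migrate_first": [], "migrate_later": []}
    for n in names:
        parsed = parse_namespace_name(n)
        if parsed is not None and parsed["account"] == account_id:
            out["compliant"].append(n)
        elif any(w in n for w in _PREDICTABLE) or _REGION_IN_NAME.search(n):
            out["migrate_first"].append(n)
        else:
            out["migrate_later"].append(n)
    return out


def scp_require_account_namespace() -> dict:
    """SCP denying CreateBucket unless the request uses the account namespace.

    StringNotEquals is a negated operator, so it also matches when the key is
    absent from the request (a legacy, no-namespace CreateBucket), which is
    what makes the deny bite for old-style bucket creation.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireAccountRegionalNamespace",
            "Effect": "Deny",
            "Action": "s3:CreateBucket",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"s3:x-amz-bucket-namespace": "account-regional"}},
        }],
    }


# Constructed inventory for the demo: one account's mix of new and legacy names.
SAMPLE_INVENTORY = [
    "myapp-123456789012-us-west-2-an",
    "company-prod-us-west-2",
    "app-backups-eu-central-1",
    "releases-123456789012-us-east-1-an",
    "x7q2-internal-scratch",
]

if __name__ == "__main__":
    print(account_namespace_name("myapp", "123456789012", "us-west-2"))
    print(simulate_create("myapp-123456789012-us-west-2-an", "999999999999"))
    print(json.dumps(triage(SAMPLE_INVENTORY, "123456789012"), indent=2))
    print(json.dumps(scp_require_account_namespace(), indent=2))
```

Run the script directly to see the triage of the sample inventory and the SCP document; feed your own bucket listing into triage() to get a migration order, and attach the SCP to the organizational unit where new workloads land so that a CreateBucket call without the account namespace is denied rather than silently creating another squattable name.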

The Reality: Existing Buckets Still Vulnerable

This is not retroactive protection. Millions of existing buckets remain in the global namespace and are still open to squatting once deleted. Public GitHub repositories contain hardcoded bucket names in deployment scripts, and published infrastructure-as-code templates reference the old naming patterns. The attack surface therefore persists for every legacy deployment that has not migrated.

Organizations face a years-long tail of cleanup. The new namespace protects new infrastructure going forward, but the old vulnerability does not vanish overnight. AWS made the namespace optional rather than mandatory to avoid breaking existing deployments, which also means developers can keep creating squattable buckets if they ignore the new standard. Hence the importance of SCP enforcement.

Key Takeaways

  • AWS account regional namespace ends bucketsquatting for new buckets as of March 12, 2026
  • Naming format: prefix-accountid-region-an prevents other accounts from claiming your bucket names
  • watchTowr research proved the attack potential: a four hundred dollar investment intercepted 8M requests from governments and Fortune 500s
  • Adopt new naming immediately for all new buckets—enforce via SCP policies to prevent non-compliant creation
  • Existing buckets remain vulnerable—plan migration for critical infrastructure, especially buckets with predictable names or supply chain dependencies
ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
