Posted by boyter 14 hours ago

Bucketsquatting is finally dead (onecloudplease.com)
285 points | 151 comments | page 3
ClaudeFixer 11 hours ago
Good riddance. The number of production deploys I've seen pointing at bucket names that could've been claimed by anyone was wild. Glad this is finally getting closed off at the platform level instead of relying on everyone to not make the mistake.
coredog64 3 hours ago
There are other mitigations though: You can pass expected owner accountId on S3 operations and you can create SCPs that restrict the ability of roles to write to buckets outside the account. Unless you have an account that does many cross-account S3 writes, the latter is a simple tool to prevent exfiltration. Well, simple assuming that you're already set up with an Organization and can manage SCPs.

[0] https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket...

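As an added illustration of the two mitigations named in the comment above (this is example code, not from the thread, the linked article, or AWS): a small evaluator for an SCP that denies S3 write actions unless the target bucket is owned by an account in your Organization, using the `s3:ResourceAccount` condition key, plus a thin wrapper that passes `ExpectedBucketOwner` on a put. The account ids, the policy document and the sample requests are constructed; the evaluator supports only the `StringEquals` / `StringNotEquals` operators and is meant for reasoning about the policy offline, not as a replacement for the IAM policy simulator.

```python
"""Added example: evaluate a deny-writes-outside-the-Organization SCP and
wrap put_object with ExpectedBucketOwner. All ids and requests are constructed."""
import fnmatch

# Constructed sample: the accounts that belong to our Organization.
ORG_ACCOUNTS = ["111111111111", "222222222222"]

# Deny-list SCP: S3 write actions are refused unless the bucket being written
# to is owned by one of ORG_ACCOUNTS. s3:ResourceAccount resolves to the
# bucket owner's account id when the request is evaluated, so a write to a
# same-named bucket that someone else claimed is denied before any data moves.
DENY_WRITES_OUTSIDE_ORG = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3WritesOutsideOrg",
            "Effect": "Deny",
            "Action": ["s3:PutObject", "s3:PutObjectAcl",
                       "s3:DeleteObject", "s3:ReplicateObject"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"s3:ResourceAccount": ORG_ACCOUNTS}},
        }
    ],
}


def _action_matches(spec, action):
    """IAM-style action matching with wildcard support (e.g. "s3:Put*")."""
    patterns = [spec] if isinstance(spec, str) else spec
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    """Minimal evaluator for StringEquals / StringNotEquals. The condition key
    must be present in the request context (s3:ResourceAccount always is for
    bucket and object requests); other operators are deliberately unsupported."""
    for operator, key_values in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, allowed in key_values.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            if key not in context:
                raise KeyError(f"condition key {key} missing from request context")
            actual = context[key]
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringNotEquals" and actual in allowed:
                return False
    return True


def scp_denies(policy, action, context):
    """True if any Deny statement in the SCP matches the action and context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def audit(policy, requests):
    """Decide ALLOW/DENY (from the SCP alone) for (action, bucket_owner) pairs."""
    return [
        (action, owner,
         "DENY" if scp_denies(policy, action, {"s3:ResourceAccount": owner}) else "ALLOW")
        for action, owner in requests
    ]


def put_object_checked(client, bucket, key, body, owner):
    """Upload with the per-request owner check. If `bucket` is not owned by
    `owner`, S3 answers 403 instead of writing into a bucket someone else may
    have claimed. `client` is any object with a boto3-style put_object; in
    production that is boto3.client("s3")."""
    return client.put_object(Bucket=bucket, Key=key, Body=body,
                             ExpectedBucketOwner=owner)


# Constructed sample requests: (S3 action, account id that owns the bucket).
SAMPLE_REQUESTS = [
    ("s3:PutObject", "111111111111"),     # write into a bucket we own
    ("s3:PutObject", "999999999999"),     # write into a bucket outside the org
    ("s3:GetObject", "999999999999"),     # cross-account read is not restricted
    ("s3:DeleteObject", "222222222222"),  # delete in a sibling org account
]

if __name__ == "__main__":
    for action, owner, decision in audit(DENY_WRITES_OUTSIDE_ORG, SAMPLE_REQUESTS):
        print(f"{decision:5} {action:18} bucket owner {owner}")
```

Note that the SCP only touches write actions, so reads from buckets outside the Organization still go through; if the concern is data ingestion from an attacker-controlled bucket rather than exfiltration, the action list needs `s3:GetObject` as well, at the cost of breaking legitimate cross-account reads.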
pooplord69 7 hours ago
Does it still take like an hour to rename one?
amne 9 hours ago
I hope nobody wanted "ecommerce-admin". Sorry.
Aardwolf 13 hours ago
Why all that stuff with namespaces when they could just not allow name reuse?
hrmtst93837 11 hours ago
If you block name reuse globally, you introduce a new attack surface: permanent denial by squatting on retired names. Companies mess up names all the time from typos, failed rollouts, or legal issues. A one-shot policy locks everyone into their worst error or creates a regulatory mess over who can undo registrations.

Namespaces are annoying but at least let you reorganize or fix mistakes. If you want to prevent squatting, rate limiting creation and deletion or using a quarantine window is more practical. No recovery path just rewards trolls and messes with anyone whose processes aren't perfect.

orf 12 hours ago
That would be a huge breaking change. Any workload that relies on re-using a bucket name would be broken, and at the scale of S3 that would have a non-trivial customer impact.

Not to mention the ergonomics would suck: suddenly your terraform destroy/apply loop breaks if there's a bucket involved.

afandian 12 hours ago
Any workload that relies on re-using a bucket name is broken by design. If someone else can get it, then it's Undefined Behaviour. So it's in keeping with the contract for AWS to prevent re-use. Surely?
orf 12 hours ago
Think terraform tests, temporary environments, etc. Or anything else: it’s Hyrum's Law.
iknownothow 12 hours ago
Potential reasons I can think of for why they don't disallow name reuse:

a) AWS will need to maintain a database of all historical bucket names to know what to disallow. This is hard per region and even harder globally. It's easier to know what is currently in use than what has been used historically.

b) Even if they maintained a database of all historically used bucket names, the latency to query whether something exists in it may be large enough to be annoying during the bucket creation process. Knowing AWS, they'll charge you for every 1000 requests for "checking if bucket name exists" :p

c) AWS builds many of its own services on S3 (as indicated in the article), and I can imagine there may be many of their internal services that just rely on existing behaviour, i.e. allowing re-creation of the same bucket name.

dwedge 12 hours ago
I can't accept a) or b). They already need to keep a database of all existing bucket names globally, and they already need to check this on bucket creation. Adding a flag on deletion doesn't seem like a big loss.

As for c), I assume it's not just AWS relying on this behaviour. https://xkcd.com/1172/

CodesInChaos 13 hours ago
I'd allow re-use, but only by the original account. Not being able to re-create a bucket after deleting it would be annoying.

I think that's an important defense that AWS should implement for existing buckets, to complement account-scoped buckets.

wiether 11 hours ago
Then they should allow bucket ownership transfer...
JoBrad 11 hours ago
I think a better policy would be to disallow bucket names that follow the account regional namespace convention, but don’t match the account id indicated in the name.
NetMageSCW 6 hours ago
So no bucket sharing across accounts?
lsaferite 10 hours ago
I mean, why isn't this just the mandatory default going forward? Globally shared, unique bucket names always struck me as a horrible idea.
GuinansEyebrows 7 hours ago
This seems nice, but it's a little annoying if you've been using terraform's `bucket_prefix` to create buckets. I wonder if/when they'll update that, or if they'll add a new bucket_name argument that uses the new namespacing.
A7OM 3 hours ago
About time. Cloud storage misconfigurations have been low-hanging fruit for attackers for years. Surprised it took this long to close.