March 13, 2026

Spill alert: bucket beef brews

Bucketsquatting Is (Finally) Dead

AWS fixes a decade-old bucket mess—and the comments are on fire

TLDR: Amazon added an account‑and‑region‑locked naming pattern to stop hijacked cloud storage names, and it’s now the recommended default. Commenters cheered the fix while roasting the decade‑long wait, debating “just use random names,” arguing about Azure, and asking why AWS didn’t simply ban name reuse—important because it stops accidental data leaks.

After ten years of “we’ll get to it,” Amazon finally rolled out a fix to stop “bucketsquatting,” the sneaky trick where someone grabs your old cloud storage name after you delete it and waits for your apps to spill data. The cure? A new bucket name pattern with an account‑locked suffix (think “-an”) that ties names to your specific account and region—AWS even says it should be the default, and admins can enforce it with policies. Translation: fewer “whoops, we uploaded secrets to a stranger” moments.

But the internet doesn’t hand out gold stars without drama. One camp shrugged and said “just make names unguessable”, with lijok dropping the mic: “Hash your bucket names.” Another group is stunned it took a decade, while Aardwolf asked the obvious: why not simply ban name reuse? Meanwhile, cross‑cloud sparks flew as vhab argued the post misread Azure’s setup, saying Microsoft’s world can have the same problem. And then the tinfoil hats came out: thih9 joked this was written by “bucket squatters” hoping AI bots will trigger mass bucket migrations and free up old names.

The vibe: relief that the trap is finally closing, snark about how long it took, and memes about bucket lists and spillovers. The fix is real, but the shade is legendary. Read the AWS post here.

Key Points

  • AWS introduced an account-regional namespace for S3 that ties bucket names to an owning account and region using a “-an” suffix.
  • Only the account that owns the namespace can create matching bucket names; other accounts receive an InvalidBucketNamespace error.
  • A region mismatch between the bucket name and the actual bucket region also triggers an InvalidBucketNamespace error.
  • AWS recommends using this namespace pattern by default and enables enforcement via the s3:x-amz-bucket-namespace condition key (including in Organizations SCPs).
  • The change does not retroactively protect existing buckets or templates lacking the namespace pattern.
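
An audit sketch for the last key point, added here as an example and not taken from AWS or the linked post: it flags inventory entries whose names lack the account-and-region-locked pattern. The name layout `<prefix>-<account-id>-<region>-an` is an assumption (this page only states the “-an” suffix), and the account IDs and bucket names are constructed sample data.

```python
import re

# ASSUMED layout (not stated on this page): <prefix>-<12-digit account id>-<region>-an
_NAMESPACED = re.compile(
    r"^(?P<prefix>[a-z0-9][a-z0-9.-]*)"
    r"-(?P<account>\d{12})"
    r"-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"-an$"
)


def audit_bucket(name, account_id, region):
    """Return a finding for one bucket, or None if its name is locked to its owner."""
    m = _NAMESPACED.match(name)
    if m is None:
        # Plain global name: once deleted, any account could re-create it.
        return "no-namespace"
    if m["account"] != account_id:
        return "account-mismatch"
    if m["region"] != region:
        return "region-mismatch"
    return None


def audit(inventory):
    """inventory: iterable of (bucket_name, owning_account_id, bucket_region)."""
    findings = {}
    for name, account_id, region in inventory:
        finding = audit_bucket(name, account_id, region)
        if finding is not None:
            findings[name] = finding
    return findings


# Constructed sample inventory, e.g. gathered from templates or a bucket listing.
SAMPLE = [
    ("logs-111122223333-us-east-1-an", "111122223333", "us-east-1"),
    ("app-assets-prod", "111122223333", "us-east-1"),
    ("backups-999900001111-us-east-1-an", "111122223333", "us-east-1"),
    ("media-111122223333-eu-west-1-an", "111122223333", "us-east-1"),
    ("audit-111122223333-us-gov-west-1-an", "111122223333", "us-gov-west-1"),
]

if __name__ == "__main__":
    for bucket, finding in audit(SAMPLE).items():
        print(f"{bucket}: {finding}")
```

Names reported as `no-namespace` are the ones the new pattern does not cover retroactively, so they are the candidates for migration or for never being deleted.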

Hottest takes

"Huh? Hash your bucket names" — lijok
"My pet conspiracy theory: this article was written by bucket squatters who want to claim old bucket names after AI agents read this and blindly follow" — thih9
"Why all that stuff with namespaces when they could just not allow name reuse?" — Aardwolf