Bucketsquatting Is (Finally) Dead
AWS has finally introduced a fix for the decade-old 'bucketsquatting' weakness in S3: a new account-scoped bucket naming convention. The problem was that a deleted bucket's globally unique name could be re-registered by anyone, so an attacker who claimed it would receive whatever still referenced that name (uploads, downloads, pipeline artifacts), giving them access to sensitive data or a way to disrupt services. The Hacker News discussion reflects both relief at the fix and debate over cloud providers' naming design choices and how long the fix took.
The Lowdown
For years, AWS S3 users have faced a security risk known as bucketsquatting, where the global uniqueness of S3 bucket names meant that a deleted bucket's name could be claimed by an attacker. This allowed for potential data hijacking or service disruption. AWS has now rolled out a new naming convention to effectively mitigate this.
The core problem stemmed from:
- Global Uniqueness & Re-registration: Once an S3 bucket is deleted, its globally unique name becomes available for anyone to register, creating a window for malicious actors.
- Predictable Naming: Many organizations use predictable patterns (e.g., myapp-us-east-1), making it easier for squatters to guess and claim previously used names.
AWS's solution introduces a new namespace syntax: <yourprefix>-<accountid>-<region>-an. Because the owning account ID is part of the name, the pattern ensures:
- Account Scope: Only the account whose ID appears in the name can create a bucket with that name, so an outside account cannot claim it after deletion.
- Enforcement: AWS recommends this pattern by default and lets security administrators require it organization-wide with the s3:x-amz-bucket-namespace condition key in SCPs, so CreateBucket calls that use a legacy global-namespace name can be denied.
- Not Retroactive: It does not protect existing buckets; comprehensive coverage requires migrating them to account-scoped names and updating everything that references the old names. Deleting a legacy bucket still frees its global name, so if anything may still point at it, keep the old bucket (emptied and locked down) rather than deleting it.
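The following is an added example, not AWS's code and not from the post's author. It models the two namespaces described above: a parser for the <yourprefix>-<accountid>-<region>-an pattern, a CreateBucket decision that mirrors what an organization-wide SCP would enforce, and a toy name table that replays the delete-then-re-register attack against a legacy name and an account-scoped name. The 12-digit account ID, the region shape, and the rule that the region in the name must match the request region are assumptions; the enforce_scoped flag stands in for the SCP and is not a real AWS parameter.

```python
import re
from typing import Dict, Optional, Tuple

# Added example (not AWS code). The naming pattern is the one from the post:
# <yourprefix>-<accountid>-<region>-an. The 12-digit account ID and the
# region shape are assumptions about how the parts look.
ACCOUNT_SCOPED = re.compile(
    r"^(?P<prefix>[a-z0-9][a-z0-9-]*?)"      # customer-chosen prefix
    r"-(?P<account>\d{12})"                    # owning AWS account ID
    r"-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)"   # e.g. us-east-1, ap-southeast-2
    r"-an$"                                    # suffix from the post
)


def parse_bucket_name(name: str) -> Dict[str, Optional[str]]:
    """Return the parts of an account-scoped name; legacy names return account=None."""
    if not 3 <= len(name) <= 63 or name != name.lower():
        raise ValueError(f"not a valid S3 bucket name: {name!r}")
    m = ACCOUNT_SCOPED.fullmatch(name)
    if m is None:
        return {"prefix": None, "account": None, "region": None}
    return m.groupdict()


def create_decision(name: str, caller_account: str, caller_region: str,
                    enforce_scoped: bool) -> Tuple[bool, str]:
    """Decide whether caller_account may create `name` (assumed CreateBucket check)."""
    parts = parse_bucket_name(name)
    if parts["account"] is None:
        if enforce_scoped:  # what an org-wide SCP on the condition key would do
            return False, "denied: global-namespace name blocked by org policy"
        return True, "allowed: global namespace (name is reusable after deletion)"
    if parts["account"] != caller_account:
        return False, f"denied: namespace belongs to account {parts['account']}"
    if parts["region"] != caller_region:  # assumed: name region must match request
        return False, f"denied: name is bound to region {parts['region']}"
    return True, "allowed: account-scoped namespace"


class NameTable:
    """Toy model of the S3 name table: names are unique and freed on delete."""

    def __init__(self, enforce_scoped: bool = False) -> None:
        self.owner: Dict[str, str] = {}
        self.enforce_scoped = enforce_scoped

    def create(self, name: str, account: str, region: str) -> Tuple[bool, str]:
        if name in self.owner:
            return False, "denied: name already taken"
        ok, why = create_decision(name, account, region, self.enforce_scoped)
        if ok:
            self.owner[name] = account
        return ok, why

    def delete(self, name: str, account: str) -> None:
        if self.owner.get(name) != account:
            raise PermissionError(f"{account} does not own {name}")
        del self.owner[name]  # the name is now free; who may reclaim it is the question


def squat_attempt(name: str, victim: str, attacker: str, region: str,
                  enforce_scoped: bool = False) -> Tuple[bool, str]:
    """Victim creates and deletes `name`; report whether the attacker can then claim it."""
    table = NameTable(enforce_scoped)
    ok, why = table.create(name, victim, region)
    if not ok:
        raise RuntimeError(f"victim could not create {name}: {why}")
    table.delete(name, victim)
    return table.create(name, attacker, region)


if __name__ == "__main__":
    # Constructed sample accounts and names; the legacy name is squattable,
    # the account-scoped one is not.
    VICTIM, ATTACKER, REGION = "111111111111", "222222222222", "us-east-1"
    for name in ("myapp-us-east-1", f"myapp-{VICTIM}-{REGION}-an"):
        print(name, "->", squat_attempt(name, VICTIM, ATTACKER, REGION))
```

The parser is anchored on the trailing -an and the 12-digit account field because the region itself contains hyphens, so splitting on "-" from the left would misparse prefixes that also contain hyphens. The decision function also shows why enforcement matters: without the SCP (enforce_scoped=False) a legacy name is still accepted, and its deletion still hands the name to the next caller.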
Compared with other major providers, Google Cloud Storage requires domain ownership verification for domain-named buckets, and Azure Blob Storage scopes containers within a storage account, which shrinks the re-registration surface for container names, although Azure still has its own naming problems at the storage-account level. This change by AWS marks a significant step in S3 security, moving the problem from 'recurring issue' to 'dying'.
The Gossip
Delayed Deliverance
Many commenters expressed surprise and a touch of exasperation that it took AWS a full decade to roll out a definitive solution to bucketsquatting. While acknowledging the complexity of such changes in a vast system like AWS, the sentiment was that a critical security vulnerability like this should have been addressed much sooner.
Azure's Analogous Annoyances
A significant portion of the discussion shifted to Azure Blob Storage, where users highlighted similar frustrations regarding globally unique 'storage account' names. Commenters argued that Azure's naming scheme, despite having a 'container name' layer, still creates a bottleneck and potential for naming conflicts, echoing AWS's previous issues and hoping Microsoft will follow suit with similar account-scoped naming.
Questioning Cloud Quirks
Some users debated AWS's architectural choices, questioning why the system couldn't simply prevent name reuse or suggesting simpler alternatives like hashing bucket names. This spurred a discussion on the complexities of global uniqueness, deletion policies, and the trade-offs involved in designing such massive cloud storage systems, with others arguing that hashing wouldn't solve all attack vectors.
Humorous Hiccups
Predictably, the term 'bucketsquatting' itself proved a source of amusement and misinterpretation for some, leading to light-hearted jokes and off-topic imagery in the comments. This provided a brief, entertaining interlude amidst the more technical discussions.