AWS S3: Account Regional Namespaces End Bucket Squatting

Amazon S3 now allows account-bound bucket names. This ends bucket squatting for new buckets and simplifies naming in multi-account setups.

Amazon Web Services (AWS) has introduced Account Regional Namespaces for Amazon S3 General Purpose Buckets. This allows customers to create bucket names in a reserved namespace per account and region – the previously applicable globally unique naming convention thus becomes optional. The feature has been available since March 12, 2026, in 37 AWS regions, including the Frankfurt region eu-central-1.

As AWS explains in its blog, the new bucket names follow the schema <prefix>-<account-id>-<region>-an. For example: mybucket-123456789012-us-east-1-an. The suffix consisting of account ID, region, and the abbreviation an is counted towards the maximum allowed 63 characters of the bucket name, so the available prefix length varies depending on the region. Only the respective account owner can create buckets with their suffix – other accounts will receive an appropriate error.

AWS is thus addressing a central problem: so-called bucket squatting (also known as bucket sniping). Attackers register deleted or predictable global bucket names to intercept traffic or disrupt services. Since many organizations use predictable naming conventions like myapp-us-east-1, the risk has been high. The new feature completely prevents this for new buckets, as the names are reserved exclusively for the account.

AWS provides a new condition key s3:x-amz-bucket-namespace, with which administrators can enforce the use of Account Regional Namespaces via IAM policies or Service Control Policies (SCP). In multi-account setups within AWS Organizations, this can ensure organization-wide that only account-bound bucket names are created. AWS recommends using the new namespaces by default for all new buckets, unless there are compelling reasons against it.

In the AWS Management Console, when setting up a bucket, "Account Regional namespace" can be directly selected as the namespace option. Via the AWS CLI, a bucket in the new namespace is created as follows: aws s3api create-bucket --bucket mybucket-123456789012-us-east-1-an --bucket-namespace account-regional --region us-east-1. For Python developers, AWS provides a Boto3 example in the blog with dynamic name generation via STS. CloudFormation already supports the feature with the parameters BucketNamespace and BucketNamePrefix. Terraform support, on the other hand, is still in progress – a corresponding GitHub issue was opened on March 12, 2026.

Existing S3 buckets remain unaffected by the change. Renaming existing buckets is not possible; those who wish to migrate must create new buckets in the regional namespace and transfer the data, for example, via aws s3 sync. All S3 features and APIs are fully compatible with the new namespaces; according to AWS, no changes to existing applications are necessary. There are no additional costs for using Account Regional Namespaces.
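The naming schema and the migration constraint described above can be checked offline before any bucket is created. The following Python sketch is an added example, not code from AWS or from the article: it computes how long a prefix may be per region and plans target names for buckets still in the global namespace. The function names, the region format check, the reuse of the old name as prefix, and the sample inventory are assumptions made for illustration.

```python
import re

MAX_NAME_LEN = 63  # bucket name limit from the article; the suffix counts toward it

def suffix(account_id, region):
    """Reserved suffix of the schema <prefix>-<account-id>-<region>-an."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be 12 digits")
    # Assumption: region codes look like us-east-1 / eu-central-1 / us-gov-west-1.
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d+", region):
        raise ValueError(f"unexpected region format: {region!r}")
    return f"-{account_id}-{region}-an"

def max_prefix_len(account_id, region):
    """Characters left for <prefix>; varies with the length of the region code."""
    return MAX_NAME_LEN - len(suffix(account_id, region))

def in_own_namespace(name, account_id, region):
    """Name-based check only: non-empty prefix followed by this account's suffix."""
    s = suffix(account_id, region)
    return name.endswith(s) and len(s) < len(name) <= MAX_NAME_LEN

def plan_migration(inventory, account_id):
    """Map each global-namespace name to an account-bound target name.

    The old name is reused as the prefix (an assumption of this sketch);
    the value is None when that prefix is too long for the bucket's region.
    """
    plan = {}
    for name, region in inventory:
        if in_own_namespace(name, account_id, region):
            continue  # already account-bound, nothing to migrate
        target = name + suffix(account_id, region)
        plan[name] = target if len(target) <= MAX_NAME_LEN else None
    return plan

# Constructed sample inventory of (bucket name, region) pairs.
ACCOUNT = "123456789012"
INVENTORY = [
    ("mybucket-123456789012-us-east-1-an", "us-east-1"),
    ("myapp-us-east-1", "us-east-1"),
    ("logs-" + "x" * 31, "us-east-1"),     # 36 chars: fits (limit 37)
    ("data-" + "y" * 31, "eu-central-1"),  # 36 chars: too long (limit 34)
]

if __name__ == "__main__":
    for old, new in plan_migration(INVENTORY, ACCOUNT).items():
        print(f"{old} -> {new or 'PREFIX TOO LONG, choose a shorter one'}")
```

The check works on names alone; it does not confirm how a bucket was actually created.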

Currently, only the Middle East (Bahrain) and Middle East (UAE) regions are excluded from availability. Amazon's object storage S3 recently celebrated its 20th anniversary – the new namespaces now close a security vulnerability in the service's naming concept that has been known for years.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.