
Comment by ian_d

18 hours ago

The _really_ fun bucket squatting attacks are when the cloud providers themselves use deterministic names for "scratch space" buckets. There was a good DC talk about it at DC32 for AWS, although actual squatting was tough because there was a hash the researchers couldn't reverse (but was consistent for a given account?): https://www.youtube.com/watch?v=m9QVfYVJ7R8

GCP, however, has done this to itself multiple times because they rely so heavily on project-id, most recently just this February: https://www.sentinelone.com/vulnerability-database/cve-2026-...

That was an amazing talk, thanks for sharing! I could see the writing on the wall as soon as I saw the bucket names were predictable. Bucket squatting + public buckets + time of check/time of use in the CloudFormation service = deploying resources in any AWS account with enough persistence. I'm surprised this existed in AWS for so long without being flagged by AWS Security.