AWS GovCloud misconfig trends
Researchers flagged two rising AWS risks — S3 "bucket name squatting" and cross-service confused-deputy attacks — and said traditional controls are failing as cloud automation scales. The recommended fix is continuous, automated scanning of S3 bucket policies and IAM trust relationships, plus intent-driven multi-cloud testing to find configuration drift and shadow assets.
Amazon announced account-regional namespaces for Amazon S3 on March 12, 2026, making the feature available in 37 AWS Regions including AWS GovCloud (US). (aws.amazon.com) The namespace binds a bucket name to its owning account and region through an account suffix (published examples follow patterns such as myapp-123456789012-us-west-2-an), and CreateBucket requests for those names from any other account now return InvalidBucketNamespace. (byteiota.com)

Public proof-of-concept research and reporting showed that bucket squatting lets an attacker register deleted or predictable bucket names and siphon traffic or data; one analysis cited an experiment that intercepted roughly 8 million requests from government and enterprise targets using a low-cost setup. (bleepingcomputer.com)

AWS Identity and Access Management documentation defines the cross-service "confused deputy" problem, in which overly broad service-principal trusts let an attacker act through a trusted AWS service, and AWS recommends the condition keys aws:SourceAccount and aws:SourceArn to scope a service's access to the resources that actually originate the request. (docs.aws.amazon.com)

Praetorian's Aurelian — an open-source cloud security testing framework written in Go — ships roughly 25 modules that perform live IAM policy evaluation, validate discovered credentials against STS, and map privilege-escalation paths into Neo4j to expose cross-account attack chains. (praetorian.com)

AWS documents a CreateBucket header and CloudFormation support for opting into the account-regional namespace and recommends enforcing it through SCPs and IAM policies, but existing accounts in GovCloud must explicitly select or migrate to the account-regional option; it is not applied retroactively. (aws-news.com)
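The confused-deputy guidance above comes down to a single check per trust policy: does any statement that lets an AWS service principal call sts:AssumeRole lack an aws:SourceAccount or aws:SourceArn condition? The scanner below is an added example, not code from AWS, Praetorian or the cited reports; the two trust policies and the account number in it are constructed samples, and a real run would feed it the AssumeRolePolicyDocument of every role returned by IAM.

```python
import json

# Constructed sample trust policies for a role that an AWS service assumes on your behalf.
# WEAK_TRUST lets CloudTrail from *any* account reach the role; HARDENED_TRUST pins the caller.
WEAK_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "cloudtrail.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")

HARDENED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "cloudtrail.amazonaws.com"},
                 "Action": "sts:AssumeRole",
                 "Condition": {
                   "StringEquals": {"aws:SourceAccount": "123456789012"},
                   "ArnLike": {"aws:SourceArn":
                     "arn:aws-us-gov:cloudtrail:us-gov-west-1:123456789012:trail/*"}}}]
}""")

# Condition keys that tie a service's request back to the originating account/resource.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unscoped_service_trusts(policy: dict) -> list[str]:
    """Return service principals allowed to assume the role with no aws:SourceAccount or
    aws:SourceArn condition. An empty list means every service trust is scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower() in ASSUME_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or account principals: a different finding class
            continue
        # Gather every condition key regardless of operator (StringEquals, ArnLike, ForAnyValue:...).
        keys = {k.lower() for operator in stmt.get("Condition", {}).values() for k in operator}
        if not keys & SCOPING_KEYS:
            findings.extend(_as_list(principal.get("Service")))
    return findings
```

Running the scanner on a role inventory on a schedule, and alerting on any non-empty result, is the "continuous automated scanning of IAM trust relationships" the researchers recommend.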