AWS GovCloud misconfig attacks on the rise

Recent analysis shows evolved cloud misconfig attacks—bucket name squatting and cross-service 'confused deputy' exploits—that bypass perimeter controls and leverage IAM scoping gaps in AWS GovCloud. Multi-cloud policy drift is increasing exposure, and tools like Aurelian aim to automate discovery of misconfigurations across AWS, Azure and GCP. (helpnetsecurity.com) (securityboulevard.com)

AWS announced account-regional namespaces for Amazon S3 in March 2026, rolling the feature out to 37 AWS Regions, explicitly including AWS GovCloud (US), to eliminate global bucket-name collisions at the account/region level. (aws.amazon.com)

Independent posts and researcher writeups that traced the "bucket-squatting" attack class described large-scale exploitation paths and economics, with one analysis claiming attackers could intercept millions of requests for a few hundred dollars before the namespace fix landed. (hackaws.cloud)

AWS documentation and vendor analyses map the confused-deputy pattern to service principal trust gaps and prescribe scoped principal conditions, STS-based controls and cross-account condition keys as mitigations for services that write to customer buckets, such as CloudTrail and ELB. (docs.aws.amazon.com)

Praetorian's Aurelian is an open-source Go framework that ships roughly 25 modules, evaluates resource policies using live IAM evaluation logic, validates discovered credentials against live STS endpoints, and maps privilege-escalation paths into a Neo4j graph for triage. (praetorian.com) Aurelian is positioned to run as a CLI or Go library and to integrate with Praetorian's Titus (secrets discovery) and Trajan (CI/CD testing), producing within days a consolidated JSON inventory of public resources, hardcoded credentials and one-IAM-policy-away escalation paths. (praetorian.com)

HelpNetSecurity and an associated Vectra AI webinar summarized remediation playbooks that combine S3 namespace adoption, tightened service principal conditions, and continuous multi-cloud policy testing, steps that align with the operational controls now available in GovCloud and the scanning capabilities Aurelian automates. (helpnetsecurity.com)
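As an added illustration of the confused-deputy mitigation described above (example code written for this summary, not from AWS, Praetorian or any cited source), the checker below flags S3 bucket-policy statements that grant an AWS service principal access without any of the documented scoping condition keys (aws:SourceAccount, aws:SourceArn, aws:SourceOrgID, aws:SourceOrgPaths). The account ID, bucket name and trail ARN are constructed placeholders.

```python
import json

# Condition keys AWS documents for binding a service principal to the calling
# account/resource (confused-deputy protection). Compared lower-case because
# policy condition keys are case-insensitive.
SCOPING_KEYS = {k.lower() for k in (
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceOrgID", "aws:SourceOrgPaths")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_service_statements(policy: dict) -> list:
    """Return Sids of Allow statements that grant an AWS service principal
    access without any of the documented scoping condition keys."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue                  # Deny statements and "*" are not this check
        if "Service" not in principal:
            continue                  # account/role principals need a different review
        present = set()
        for operator_block in stmt.get("Condition", {}).values():
            present.update(key.lower() for key in operator_block)
        if not present & SCOPING_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample: a CloudTrail delivery-bucket policy in GovCloud. The ACL
# condition alone does not bind the grant to a specific trail or account.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "CloudTrailWrite", "Effect": "Allow",
  "Principal": {"Service": "cloudtrail.amazonaws.com"},
  "Action": "s3:PutObject",
  "Resource": "arn:aws-us-gov:s3:::example-trail-bucket/AWSLogs/111122223333/*",
  "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}""")

# Same grant, scoped to one account and one trail ARN (placeholder values).
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                     "aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn":
                "arn:aws-us-gov:cloudtrail:us-gov-west-1:111122223333:trail/example-trail"}}

if __name__ == "__main__":
    print("weak:", unscoped_service_statements(WEAK_POLICY))          # ['CloudTrailWrite']
    print("hardened:", unscoped_service_statements(HARDENED_POLICY))  # []
```

The check is deliberately narrow: it reports only the missing scoping keys and does not judge whether the ARN pattern supplied is itself tight enough.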
