Cloud Bucket Hijacking Attack: Technical Analysis and Defense
Hoplon InfoSec
28 Jun, 2026
Content Summary: Cloud bucket hijacking attack is a cloud data exfiltration technique disclosed by Palo Alto Networks Unit 42 researcher Yahav Festinger on June 22, 2026. The core issue is simple but serious: if an attacker can delete a cloud storage bucket and recreate the same globally unique bucket name in another account, active data streams such as audit logs, telemetry, object replication, and diagnostic exports may continue writing to the attacker controlled bucket. Unit 42 confirmed the technique across Google Cloud, AWS, and Microsoft Azure, and stated that no real world threat actor had been identified using it at the time of disclosure.
Cloud bucket hijacking attack processCloud Bucket Hijacking Attack: How Attackers Reroute Cloud Data Streams
What if your cloud logs were still “successfully delivered,” but they were no longer going to your cloud account? That is the uncomfortable idea behind the cloud bucket hijacking attack disclosed by Palo Alto Networks Unit 42 on June 22, 2026. It affects the way cloud providers use globally unique storage names for automated data streams across Google Cloud, AWS, and Microsoft Azure.
The cloud bucket hijacking attack matters because it does not look like a normal public bucket exposure. It is not simply a bucket left open to the internet. It is more subtle. The attacker targets the destination of an active cloud data stream, such as a logging sink, S3 replication rule, Firehose stream, or Azure diagnostic export. If the attacker can delete the original bucket and reclaim the same bucket name elsewhere, the stream may keep sending data to the same name, even though the owner behind that name has changed.
Quick Incident Table
| Attribute | Detail |
|---|---|
| Research disclosed by | Yahav Festinger, Palo Alto Networks Unit 42 |
| Disclosure date | June 22, 2026 |
| Main issue | Global namespace risk in cloud storage bucket names |
| Confirmed cloud providers | Google Cloud, AWS, Microsoft Azure |
| Main attack outcome | Cloud data stream exfiltration |
| Data at risk | Audit logs, telemetry, object replication data, diagnostic logs, backup streams |
| Public exploitation status | Unit 42 had not identified real world threat actor use at disclosure time |
| CVE status | No CVE is listed in the public Unit 42 report. The research describes an architectural design issue rather than a traditional code vulnerability. |
| Detection challenge | The stream can appear healthy because the destination name still resolves |
What Cloud Bucket Hijacking Attack?
Cloud bucket hijacking attack is a cloud security technique where an attacker takes over the name of a storage bucket that is still referenced by automated data streams. In plain language, imagine a company has a mailbox called “company security logs.” Every night, different systems drop sensitive reports into that mailbox. One day, an attacker removes the original mailbox and quickly puts a new mailbox with the exact same name in another location. The delivery workers keep delivering because the name looks right.
That is the uncomfortable part. Many cloud data pipelines are configured around destination names. A log router, replication rule, or diagnostic setting may keep pointing to the same bucket name, even after the bucket has been deleted and recreated under another account. Unit 42 describes this as a global namespace risk, where the destination identity is tied to a name string instead of an immutable owner identity.
This is different from classic cloud storage misconfiguration. In a public bucket exposure, the data is already sitting in a bucket and unauthorized users can read it because permissions are too open. In a cloud bucket hijacking attack, the attacker may not need public access at all. The attacker tries to redirect future data flows, especially logs and telemetry, into a bucket they control.
It is also different from a dangling DNS takeover. A dangling DNS issue usually happens when an old domain or subdomain still points to a deleted cloud resource. Bucket hijacking is about active cloud data movement. The victim’s system may still believe it is doing the right thing because the configured destination has not changed.
Why This Matters Right Now
Most security teams treat cloud logs as the evidence room. When something goes wrong, they open audit logs, CloudTrail events, diagnostic logs, object access logs, and telemetry streams to understand what happened. If those records are silently copied into an attacker controlled environment, the attacker gains a forward looking view of the company’s security posture.
Think about what could be inside those streams. Audit logs may reveal administrator activity. Telemetry may show endpoint behavior. Replication streams may carry business data, backups, or application objects. Diagnostic exports may include resource names, IP addresses, request metadata, and system behavior patterns.
The cloud bucket hijacking attack is also troubling because it uses normal cloud behavior. The attacker does not need to break encryption with magic. They do not need to exploit a memory corruption bug. They misuse the relationship between global bucket names, deletion permissions, and autonomous data routing.
This is why cloud security teams should treat bucket deletion as a sensitive action. In many organizations, storage deletion permissions are handed out more casually than logging update permissions. That creates a strange security gap. A user may not be allowed to modify a log sink directly, but they may still be allowed to delete the bucket receiving that log stream.
The Root Cause: Global Namespace Risk in Cloud Storage
The root cause is not one weak password or one bad firewall rule. It sits deeper in the architecture. Major cloud platforms often require bucket or storage account names to be unique across a broad namespace. That design makes routing simple. A service can send data to a recognizable storage name without needing a more complicated ownership check each time.
Unit 42’s research explains that cloud data streams often use buckets as fixed destinations for logs, telemetry, replication, and long term retention. These streams can run in the background after initial setup. That is convenient for operations, but it can become risky if the system keeps trusting the name after ownership changes.
A better way to understand it is to think of a phone number. If a business gives customers a support number, everyone keeps calling that number. If someone else somehow takes ownership of the same number, the callers may not know. The number did not change, but the person answering did.
Cloud storage names can behave in a similar way. The name remains familiar. The owner behind the name may not.
Why Bucket Names Are Globally Unique
Cloud providers use globally unique bucket names for practical reasons. It simplifies addressing, routing, and integration. When a service writes to a bucket, it can resolve a single destination name.
That simplicity has a cost. If a deleted name becomes available again, another account may be able to claim it, depending on provider behavior and configuration. In a cloud bucket hijacking attack, the attacker abuses that name reuse window.
AWS, Google Cloud, and Azure do not behave identically. Azure has soft delete behavior that reduces cross tenant reuse in some cases. Unit 42 still confirmed a cross subscription variant inside the same tenant when a deleted storage account name was recreated in another subscription.
How Data Streams Bind to Bucket Names
Cloud data streams often run through a router resource. In Google Cloud, a logging sink routes log entries to supported destinations. Google’s documentation says sinks can route log entries to destinations such as Cloud Storage buckets, Pub/Sub topics, BigQuery datasets, and log buckets, and a Cloud Storage bucket can be in the same project or a different project.
In AWS, S3 replication can copy objects from one bucket to another. Amazon Data Firehose can also deliver streaming data to an S3 destination, with AWS documentation requiring an S3 bucket destination for that delivery path.
In Azure, diagnostic settings can export resource logs and metrics to a storage account. Unit 42 found that Azure Monitor diagnostic pipelines could continue writing after a same tenant, cross subscription storage account recreation scenario.
| Cloud Provider | Stream Type | Example Service | Why It Matters |
|---|---|---|---|
| Google Cloud | Log routing | Cloud Logging Sink | Can export audit logs and operational logs to Cloud Storage |
| Google Cloud | Event delivery | Pub/Sub to Cloud Storage | Can move messages into object storage |
| Google Cloud | Data migration | Storage Transfer Service | Can sync or move objects into destination buckets |
| AWS | Object replication | S3 Replication | Can copy new objects from source to destination |
| AWS | Streaming ingestion | Amazon Data Firehose | Can deliver streaming records into S3 |
| Azure | Diagnostic export | Azure Monitor Diagnostic Settings | Can send logs and metrics to a storage account |
How the Cloud Bucket Hijacking Attack Works
A cloud bucket hijacking attack usually needs one of two conditions. The first is a compromised identity with permission to delete a bucket. The second is a dangling router resource where a bucket was already deleted, but the stream configuration still points to the old name.
The first case is more active. An attacker compromises a cloud identity, finds a bucket used as a stream destination, deletes it, then quickly recreates the same bucket name under an attacker controlled account. The stream may continue writing because the destination name is still valid.
The second case is quieter. A team may clean up a bucket but forget to remove the log sink, replication rule, transfer job, or diagnostic setting. If an attacker later claims the old bucket name, the abandoned route may start feeding them data. Unit 42 describes dangling router resources as one of the possible exploitation scenarios.
Step by Step Attack Flow
The attack flow is not complicated, which is exactly why it deserves attention.
- The attacker gains access to a cloud identity with storage deletion permissions.
- The attacker identifies a bucket used as a destination for logs, replication, transfer jobs, or diagnostic exports.
- The attacker deletes the destination bucket.
- The attacker immediately recreates a bucket with the identical name in an attacker controlled account or subscription, depending on the provider.
- The existing data stream keeps writing to the same bucket name.
-
Sensitive cloud data begins landing in the attacker controlled environment.
This is not the same as changing a logging configuration. In fact, that is the clever part. The attacker may avoid touching the router configuration directly. If the sink or replication rule still points to the same name, the visible configuration can look normal.
Why Detection Is So Hard
Security teams often alert when a log sink is modified. That is useful, but this technique may not modify the sink. The attacker changes the storage destination underneath it by deleting and reclaiming the bucket name.
Unit 42 notes that detection is challenging because the data stream can continue operating and the sink configuration may still appear valid after recreation. In environments where destination buckets are used for backup or long term retention, the first deletion may not be noticed quickly.
That creates a painful gap. The logs may not scream. The pipeline may not fail. A dashboard may still look green. Meanwhile, the wrong account receives the data.
Per Cloud Technical Breakdown
The cloud bucket hijacking attack is not a single vendor issue. Unit 42 tested the pattern across multiple cloud platforms and found variations based on each provider’s storage and routing behavior.
Google Cloud Logging Sink Hijacking
In Google Cloud, Unit 42 simulated the issue with Cloud Logging sinks, Pub/Sub subscriptions with Cloud Storage destinations, and Storage Transfer Service jobs. The important finding was that deletion permissions such as storage.buckets.delete and storage.objects.delete could bypass the need for more specific update permissions like logging.sinks.update, pubsub.subscriptions.update, or storagetransfer.jobs.update.
That difference matters in real environments. Many teams protect configuration update permissions carefully but allow broad storage administrator roles for operations. If a compromised account has storage deletion rights, the attacker may not need permission to edit the log sink at all.
This is where attack surface management becomes practical rather than theoretical. Teams need to know which buckets are destinations for sensitive streams, who can delete them, and whether any router resources point to missing storage.
AWS S3 Replication and Firehose Risk
In AWS, Unit 42 successfully simulated the attack using S3 bucket replication. They created a replication rule, deleted the destination bucket, recreated the same name in an external account, uploaded a file to the source bucket, and saw the file appear in the external destination. They also observed similar behavior with Amazon Data Firehose where the destination was S3.
AWS environments often rely heavily on S3 for logs, backups, analytics, and data lakes. That makes S3 deletion permissions sensitive. A developer may see DeleteBucket as a cleanup permission, but in the wrong context it can become an exfiltration enabler.
For organizations using centralized logging or cloud storage and disaster recovery, the lesson is clear. The destination bucket is not just storage. It is part of the trust boundary.
Azure Monitor Diagnostic Settings Attack
Azure’s version is more limited, but still important. Unit 42 found that Azure platform limitations prevent immediate reuse of storage account names across different tenants for several days after deletion. However, they confirmed a same tenant, cross subscription scenario using Azure Monitor diagnostic settings.
The Azure case is interesting because the configuration may store an Azure Resource Manager resource ID, but the internal pipeline resolves the storage account through its DNS name at runtime. If the name is recreated in another subscription inside the same tenant, diagnostic data may continue flowing.
This makes Azure less exposed than AWS or Google Cloud in the tested scenario, but not immune. Security teams should still review storage account deletion rights, diagnostic destinations, and subscription boundaries.
IAM Privilege Escalation and the Overprivileged Role Problem
The real weakness behind many cloud incidents is not always a zero day. Sometimes it is a role with too many permissions. Bucket deletion rights are a perfect example.
Unit 42 explains that broad storage administrator roles can grant deletion privileges by default. In Google Cloud, the Storage Admin role includes storage.buckets.delete, while the more granular permissions needed to modify data stream configurations are separate.
That means an attacker may turn a storage admin permission into a data stream redirection path. This is why cloud IAM privilege escalation is not only about becoming a full administrator. It can also mean using one permission in a way the organization did not expect.
| Cloud | Risky Permission | Commonly Seen In | Why It Is Dangerous |
|---|---|---|---|
| Google Cloud | storage.buckets.delete | Storage Admin role | Can remove a destination bucket used by log sinks or transfer jobs |
| AWS | s3:DeleteBucket | Broad S3 or admin policies | Can remove an S3 destination used by replication or Firehose |
| Azure | Microsoft.Storage/storageAccounts/delete | Storage Account Contributor style access | Can remove diagnostic storage destinations |
| A mature penetration testing program should test these paths. Not just “Can this identity read data?” but “Can this identity redirect future data by deleting a destination?” |
Cloud Bucket Hijacking Attack vs Related Cloud Storage Risks
Cloud storage attacks often get grouped together, but they are not the same. That causes confusion during risk reviews.
| Technique | Access Needed | What Gets Exposed | Detection Difficulty |
|---|---|---|---|
| Cloud bucket hijacking attack | Bucket deletion permission or abandoned router resource | Future data streams, logs, telemetry, replicated objects | Very hard after execution |
| Public bucket exposure | Poor bucket permissions | Existing stored objects | Easier with scanning |
| Dangling DNS takeover | Claimable abandoned cloud resource | Web traffic, app assets, user requests | Moderate |
| Bucket policy injection | Policy write permission | Current or future object access | Moderate |
| Ransomware against storage | Delete, encrypt, or overwrite access | Stored objects and backups | Often detected during recovery |
| The cloud bucket hijacking attack is especially concerning because it targets future data. Public bucket exposure is like finding an unlocked file cabinet. Bucket hijacking is like changing where tomorrow’s confidential mail gets delivered. |
Impact on Compliance, Audit, and Incident Response
The biggest business risk is not only data theft. It is loss of trust in evidence.
Audit logs are used to prove what happened. Compliance teams rely on them for SOC 2, ISO 27001, PCI DSS, HIPAA, and incident response reviews. If those logs are silently routed outside the trusted environment, the organization may lose log integrity and chain of custody.
For example, a payment company may export logs to S3 for PCI evidence. A healthcare provider may route diagnostic logs for investigation and retention. A SaaS company may send Cloud Logging exports to a storage bucket for long term analysis. In each case, a cloud bucket hijacking attack could quietly weaken the evidence trail.
| Compliance Area | Requirement at Risk | Practical Impact |
|---|---|---|
| PCI DSS | Audit log integrity and retention | Logs may be copied outside the trusted environment |
| SOC 2 | Availability and confidentiality of system evidence | Audit chain becomes harder to prove |
| ISO 27001 | Access control and logging governance | Unauthorized log destination creates control failure |
| HIPAA | Protection of audit trails and possible ePHI in logs | Sensitive metadata may leave the controlled environment |
| GDPR | Security of processing and data transfer controls | Data may move to an unauthorized location |
| This is where security compliance, SOC 2 compliance audits, and PCI audit service should include cloud storage destination validation. It is not enough to ask whether logs exist. Teams should ask where they are going, who owns the destination, and who can delete it. |
How to Prevent Cloud Bucket Hijacking Attack
The best defense is boring in the best possible way: restrict deletion, enforce data boundaries, and monitor the right events. Fancy dashboards help, but the first control is permission hygiene.
Unit 42 recommends a two part mitigation approach: least privilege for deletion permissions and data perimeter controls that restrict access within trusted organizational boundaries. It specifically calls out storage.buckets.delete for Google Cloud, DeleteBucket for AWS, and Microsoft.Storage/storageAccounts/delete for Azure.
1. Restrict Bucket Deletion Permissions
Bucket deletion should be treated like a sensitive production change. It should not sit inside everyday developer, service account, or application roles unless there is a documented reason.
Practical steps:
- Remove storage.buckets.delete from broad Google Cloud roles where possible.
- Restrict s3:DeleteBucket in AWS identity policies and service control policies.
- Require privileged access approval for Microsoft.Storage/storageAccounts/delete in Azure.
- Avoid giving deletion permissions to service accounts used by applications.
- Review deletion permissions quarterly for production and logging destinations.
-
Use separate lifecycle management roles for controlled decommissioning.
This is a good place to use vulnerability management thinking, even though the issue is architectural. The risky condition is measurable: which identities can delete storage destinations used by active streams?
2. Build a Data Perimeter
A data perimeter limits where cloud resources can send data. Even if an attacker hijacks a name, the data should not be allowed to leave the trusted organization boundary.
For AWS, Unit 42 points to data perimeter policies using service control policies and VPC endpoint policies to prevent workloads from writing to S3 buckets owned by external accounts. For Google Cloud, it points to VPC Service Controls to block API calls that access Cloud Storage buckets outside the perimeter.
Azure teams can use tenant controls, Azure Policy, private networking, and monitoring around storage destinations. The key idea is the same: do not let sensitive streams write outside approved accounts, projects, subscriptions, or tenants.
3. Use AWS Account Regional S3 Namespaces Where Possible
Unit 42 notes that AWS account regional namespaces for S3 buckets can remove the cross account name reclamation vector by scoping bucket names to the owning account and region. If another account cannot reclaim the deleted bucket name, the attack path becomes much harder.
This is one of the cleanest defenses for AWS environments. It changes the namespace assumption instead of only adding monitoring around it.
4. Monitor Bucket Deletion as a High Severity Event
Most organizations generate a lot of cloud noise. That is why the monitoring logic should focus on high value destinations, not every test bucket created by a developer.
Monitor these events closely:
- Google Cloud: storage.buckets.delete on buckets used by logging sinks, Pub/Sub destinations, or transfer jobs.
- AWS: DeleteBucket on S3 buckets used by replication, Firehose, logs, or backups.
- Azure: Microsoft.Storage/storageAccounts/delete on accounts used by diagnostic settings.
- Any deletion followed by recreation of the same name outside the expected account, project, subscription, or tenant.
-
Any router resource that points to a missing or recently recreated storage destination.
A strong extended detection response XDR setup can help connect identity behavior, cloud audit events, and data movement into one investigation view.
Hoplon Insight Box
Hoplon Insight: Do not treat logging buckets as ordinary storage. Treat them like security infrastructure. A bucket receiving audit logs, replication data, or diagnostic exports should have stricter deletion controls than a normal application bucket.
Recommended actions:
- Create an inventory of all stream destination buckets.
- Tag every bucket used by logs, backups, telemetry, replication, or diagnostics.
- Remove standing deletion rights from normal admin roles.
- Alert on deletion attempts against tagged buckets.
- Test whether your cloud environment blocks writes to external accounts.
- Review abandoned sinks, replication rules, transfer jobs, and diagnostic settings every quarter.
MITRE ATT&CK Mapping
The cloud bucket hijacking attack can be mapped to several MITRE ATT&CK techniques, depending on the exact path. MITRE’s T1530 covers adversaries accessing data from cloud storage, while T1537 covers transferring data to a cloud account controlled by the adversary.
| Tactic | Technique | Why It Fits |
|---|---|---|
| Initial Access | Valid Accounts | The attacker may begin with a compromised cloud identity |
| Discovery | Cloud Storage Object Discovery | The attacker may identify bucket destinations and storage assets |
| Privilege Escalation | Abuse of overprivileged roles | A broad storage role may enable deletion without stream update rights |
| Collection | T1530 Data from Cloud Storage | The attacker may collect logs, telemetry, or objects |
| Exfiltration | T1537 Transfer Data to Cloud Account | Data may flow into an attacker controlled cloud account |
| Defense Evasion | Log stream manipulation effect | The attacker may redirect audit visibility without editing the sink directly |
Realistic Attack Scenario
Picture a mid sized SaaS company running workloads in Google Cloud and AWS. The security team has centralized logs, but operations teams still manage storage with broad admin roles. A contractor account gets phished. The attacker does not have permission to edit log sinks, but the account has permission to delete storage buckets in one project.
The attacker lists buckets and finds one used for long term log exports. They delete it and quickly recreate the same bucket name in another account. The log sink still points to the same destination name. New logs begin flowing to the attacker controlled bucket.
The company may not notice right away. Nothing “breaks” in a loud way. The sink still exists. The name still resolves. The attacker now sees future logs, including signs of internal investigation, access reviews, and maybe credential rotation steps.
That is the real danger. The attacker is not only stealing data. They are watching how the defenders respond.
Common Misconceptions
One common misconception is that this is only an AWS S3 problem. Unit 42’s research shows the technique across Google Cloud, AWS, and Microsoft Azure, although each platform has different limitations and mitigations.
Another misconception is that encryption alone solves the problem. Encryption helps, but logs and telemetry may still contain useful metadata. Also, if the pipeline writes data in a form the destination can store, the attacker may still receive valuable records.
A third misconception is that monitoring log sink updates is enough. It is not. In a cloud bucket hijacking attack, the attacker may not edit the sink at all. They may delete and reclaim the destination instead.
Finally, some teams assume only public buckets are dangerous. Public exposure is dangerous, but this research shows another category: trusted private pipelines sending data to the wrong owner.
What Security Teams Should Do This Week
Start with discovery. Find every bucket or storage account used as a destination for logs, replication, transfer jobs, analytics, backups, and diagnostics. Many organizations cannot answer that quickly, and that is the first problem.
Then review deletion access. Ask a simple question: who can delete this destination? If the answer includes developers, service accounts, CI/CD users, temporary contractors, or broad admin roles, reduce that exposure.
Next, create alerts. Do not wait for a quarterly audit to discover a deleted logging bucket. Build high severity alerts for storage deletion events on tagged destinations.
Finally, test data boundaries. A cloud bucket hijacking attack becomes much less useful if sensitive streams cannot write outside your approved organization boundary.
FAQ
What is cloud bucket hijacking?
Cloud bucket hijacking is a technique where an attacker claims or reclaims a cloud storage bucket name that is still used by automated data streams. If the stream keeps writing to that name, data may be redirected to the attacker controlled bucket.
How does bucket hijacking work in AWS S3?
In AWS, Unit 42 demonstrated the risk with S3 replication and Amazon Data Firehose. If a destination S3 bucket is deleted and the same name is recreated externally, configured streams may continue sending data to the recreated bucket depending on the setup.
Can attackers redirect cloud audit logs?
Yes, Unit 42 showed that cloud data streams such as logging sinks and diagnostic exports can be affected. The exact risk depends on provider behavior, permissions, and whether the attacker can delete or reclaim the destination resource.
How do you prevent S3 bucket takeover?
Restrict s3:DeleteBucket, use AWS organization level guardrails, monitor deletion events, review replication destinations, and consider account regional S3 namespaces where available.
Is bucket hijacking detectable?
It is difficult after execution because the stream can continue running and the destination name can still look valid. The practical defense is to detect bucket deletion and suspicious recreation quickly.
What permissions enable bucket hijacking?
The important permissions are storage.buckets.delete in Google Cloud, DeleteBucket in AWS, and Microsoft.Storage/storageAccounts/delete in Azure. Unit 42 recommends restricting these permissions to a minimal set of administrative roles.
Official References
Unit 42, Palo Alto Networks: "The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration" by Yahav Festinger, June 22, 2026.
Google Cloud Documentation: Aggregated Log Sinks Overview.
This article explains what the cloud bucket hijacking attack is, why global namespace risk matters, and how attackers can redirect active cloud data streams without directly editing router configurations.
It covers Google Cloud, AWS, and Azure behavior based on Unit 42’s public research.
It explains IAM risk, detection gaps, compliance impact, MITRE ATT&CK mapping, and practical mitigation steps.
It also includes internal linking ideas for Hoplon InfoSec service pages and a related Hoplon blog article.
Conclusion
The cloud bucket hijacking attack is a reminder that cloud security is not only about patching software. Sometimes the deeper risk lives in architecture, naming systems, and the permissions we forget to question.
For defenders, the takeaway is practical. Know which buckets receive critical data. Restrict who can delete them. Build data perimeters. Alert fast when a stream destination disappears. If your logs are the evidence room, then your log storage destination deserves the same protection as your production systems.
If your organization depends on AWS, Google Cloud, or Azure for logs, telemetry, backups, or data pipelines, now is the right time to review your cloud storage trust boundaries and test whether a deleted bucket could become someone else’s window into your environment.
Was this article helpful?
React to this post and see the live totals.
Share this :