The _really_ fun bucket squatting attacks are when the cloud providers themselves use deterministic names for "scratch space" buckets. There was a good DC talk about it at DC32 for AWS, although actual squatting was tough because there was a hash the researchers couldn't reverse (but was consistent for a given account?): https://www.youtube.com/watch?v=m9QVfYVJ7R8
That was an amazing talk, thanks for sharing! I could see the writing on the wall as soon as I saw the bucket names were predictable. Bucket squatting + public buckets + time of check/time of use in the CloudFormation service = deploying resources in any AWS account with enough persistence. I'm surprised this existed in AWS for so long without being flagged by AWS Security.
GCP, however, has done this to itself multiple times because they rely so heavily on project-id, most recently just this February: https://www.sentinelone.com/vulnerability-database/cve-2026-...