AWS introduced account-regional namespaces for S3, fixing global bucket name collisions that broke IaC automation for 18 years. New format: {prefix}-{account-id}-{region}-an. CloudFormation gets the BucketNamePrefix property, and IAM gets the s3:x-amz-bucket-namespace condition key. Prevents confused-deputy attacks by making names unpredictable when there is no account ID. By Steef-Jan Wiggers