Most S3 security incidents come from misconfiguration. From 2017 to 2023, dozens of large-scale data breaches were caused by "misconfigured S3 buckets." US military classified documents, a major airline's customer data, and the medical records of millions of people were exposed from S3 buckets left open to the public. In many of these cases, the cause was granting Allow in the bucket policy while turning off Block Public Access.
This article follows the internal logic of how S3's five access-control layers are evaluated, and covers the key-management structure and real differences of each encryption method