by stryk 2863 days ago
We hear about these misconfigurations leading to publicly-viewable things that shouldn't be publicly viewable all the time. This makes me wonder what is the default security setting? It seems like -- and this is from the outside looking in, I have little experience with AWS -- whatever the default is, it's not nearly strict enough. Shouldn't the default config be pretty restrictive for security's sake? Or is this a case of trying to dumb it down in the name of "usability" or "streamlining the UI" or some other marketing fluff crap (aka "for people who don't/won't/can't RTFM")?
2 comments

The default is private to the owning AWS account. You’re meant to generate short-term tokens in your backend code to authorize specific requests, embedding them in the URLs you pass to others. People who are abusing S3 as a substitute for Dropbox or Google Drive (or using it from any context other than custom server-side software) won’t do that, so they set resources as public to make things work.
I just checked, and the default for creating a new S3 bucket through the console is not publicly readable. However, getting the right permissions in place for real-world work is not trivial if you haven't put some time into the docs, so I suspect people end up shoving wildcards and the like in their access policies.
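
The short-term signed URLs that the first reply describes, as an added example that is not part of the thread: SigV4 query-string presigning for a single S3 GET using only the Python standard library, with a simplified model of the service-side check. The function names, bucket, object key and credentials are assumptions made for illustration.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlsplit, parse_qs

def _sign(secret_key, host, path, query, amz_date, scope):
    # The canonical request binds method, object path, query (incl. expiry) and host.
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, access_key, secret_key, region, now, expires=300):
    """Backend side: URL granting GET on one object for `expires` seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    path = "/" + quote(key, safe="/-_.~")
    query = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    sig = _sign(secret_key, host, path, query, amz_date, scope)
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def would_accept(url, secret_key, now):
    """Service side, simplified model: recompute the signature and enforce expiry."""
    u = urlsplit(url)
    query, _, sig = u.query.rpartition("&X-Amz-Signature=")
    q = parse_qs(query)
    amz_date = q["X-Amz-Date"][0]
    scope = q["X-Amz-Credential"][0].split("/", 1)[1]
    issued = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    fresh = issued <= now < issued + timedelta(seconds=int(q["X-Amz-Expires"][0]))
    expected = _sign(secret_key, u.netloc, u.path, query, amz_date, scope)
    return fresh and hmac.compare_digest(sig, expected)

if __name__ == "__main__":
    # Constructed placeholder credentials; never hard-code real ones.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(presign_get("example-bucket", "reports/q1.pdf",
                      "AKIAEXAMPLEACCESSKEY", "constructed-secret", "us-east-1", t0))
```

Because the object path and `X-Amz-Expires` are both inside the signed material, a recipient cannot retarget the link to another key or extend its lifetime, and the bucket itself stays private.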