Published but unread
That's not much of an endorsement of the AWS Security books that they publish.
Misconfigured Amazon Web Services S3 buckets belonging to McGraw Hill exposed more than 100,000 students' information as well as the education publishing giant's own source code and digital keys, according to security researchers. The research team at vpnMentor said they discovered the open S3 buckets on June 12, and contacted …
They ARE secure by default with only the private owner account having access - adding public access requires permissions to be granted by an administrator.
However a combination of the JFDI approach to problem solving and admins assuming they are JUST granting filesystem permissions and something else will manage security (i.e. the typical on-prem model) means mistakes are made.
"There's a hole in my bucket, dear Liza, dear Liza..."
A common problem is that client side devs disable the security to get their applications working, and then neglect to enable it again before they go live. Sometimes, they develop applications that won't even work with security enabled.