Reply to post: Re: S3 bucket default is *private* to that account

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Adam 52

Re: S3 bucket default is *private* to that account

"The fact that AWS was said to send out reminders of misconfiguration"

I'm not sure how often AWS do this in all honesty. I've had one, about a month ago, in 5 years of using AWS (and we've had deliberately open buckets for about 2 years, because we have developers who can't cope with authentication and we're publishing it to the Internet anyway).

Securing S3 buckets properly is hard though. Configuring VPC access only involves modifying the subnet routing table and setting deny rules on the bucket security groups. I bet I'm one of the very few who have actually done this.

And then a whole load of AWS stuff stops working (Lambda, for example, until recently - the new AWS toys are released without VPC support initially).

And then you get into all the Big Data and EMR stuff, which doesn't support application level encryption.

Redshift Spectrum, a Data Warehouse technology, launched without (and still doesn't have) encryption or VPC support.

The combination of AWS products not understanding encryption and not understanding VPCs leads the lazy to rely on just IAM, and IAM is so easy to get wrong. As I've said before here, their documentation often recommends grant * to *, which isn't helpful.

Security comes through multiple layers. In their rush to get products out AWS tend to start without those layers.
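As an added illustration, not the commenter's code nor an AWS tool: a small Python check for the two policy problems raised in the comment above, an unconditional `*`-to-`*` grant and the absence of a VPC-endpoint restriction on the bucket. The two sample policies, the bucket name and the `vpce-` id are constructed placeholders.

```python
import json

# Constructed sample: the "grant * to *" shape the comment complains about.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: deny every request that did not arrive through one
# VPC endpoint (the vpce id is a placeholder, not a real endpoint).
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"],
                   "Condition": {"StringNotEquals": {
                       "aws:sourceVpce": "vpce-PLACEHOLDER"}}}],
})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard_principal(p):
    # "*" or {"AWS": "*"} means anyone, including unauthenticated callers
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def audit_bucket_policy(policy_json):
    """Return a list of finding strings for one bucket policy document."""
    doc = json.loads(policy_json)
    findings, vpc_restricted = [], False
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {})
        # aws:sourceVpc / aws:sourceVpce condition keys tie access to a VPC
        uses_vpc = any(k.lower().startswith("aws:sourcevpc")
                       for op in cond.values() for k in op)
        if (st.get("Effect") == "Allow" and _wildcard_principal(st.get("Principal"))
                and any(a in ("*", "s3:*") for a in actions) and not cond):
            findings.append(f"statement {i}: unconditional Allow of s3:* to Principal '*'")
        if st.get("Effect") == "Deny" and uses_vpc:
            vpc_restricted = True
    if not vpc_restricted:
        findings.append("no Deny statement conditioned on aws:sourceVpce")
    return findings
```

A Deny conditioned on `aws:sourceVpce` applies to every caller, including the account's own roles and the console, so anything that reaches the bucket from outside that endpoint stops working, which is the trade-off the comment describes.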
