Am I missing something about all these S3 fiascos?
Just how do you DO that? You have to actively make a bucket or object public, S3 will bitch at you "are you certain?" and then it constantly has a reminder/warning "blabla you have public buckets/objects, this is not secure, you may want to reconsider blabla".
That's in the console obviously, but frankly I have the nagging suspicion that those who commit these blunders would be out of their depth using CLI/SDK anyway.
So, just how incompetent are your cloud monkeys that this happens all the time? Is that a rhetorical question?
Yes, your static website has to be public, but does anybody use that for anything but error failover with a few HTML pages?
Bucket policies, IAM policies... there are bloody wizards that do hand-holding for the CLI/JSON-impaired!
Just don't get it.