Re: Ok, the lesson to learn here . .
It's quite sad, really. When I set up (our) S3 bucket, obscure as some of the optional configurations were, I made it a point to go through them, learn what they did, and set them accordingly. As a result, my bucket was 'Can be public' from Day 1 of the privacy testing tools rollout, a decent setting.
So some "tech" support, with far more responsibilities and (supposedly) far more training than me, yet far less real-world intelligence, pushes a few buttons and stamps "Done!" to the project. If they are assigning the project to the PFY then they only have themselves to blame for not following up on assurance; if the BOFH is causing these muck-ups then one must, frankly, question their compensation levels.