
The policy in question had “s3:GetObject” permission to “*” added for a few hours. And CloudTrail logging doesn’t capture GetObject API requests by default. This role is specifically for metadata only access. Yes, service teams have behind-the-scenes escalation tools for bugs on the backend, but the more numerous front-line support staff should only be able to view metadata. The GetObject permission would have let them view actual potentially sensitive data.
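As an added example (not from the thread or any AWS tooling), a small Python checker that flags IAM policy statements granting object-content reads such as s3:GetObject on wildcard S3 resources, which is the kind of grant the comment above describes; the sample policy is constructed for illustration.

```python
import fnmatch
import json

# Constructed sample (not from the thread): a metadata-only support role whose
# policy also grants s3:GetObject on every resource.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketTagging"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}
  ]
}
""")

# Actions that return object contents rather than bucket/object metadata.
DATA_READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion")

def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]

def _is_broad_s3_resource(resource):
    """'*' and 'arn:aws:s3:::*...' cover every bucket (and object) in scope."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")

def find_data_read_grants(policy):
    """Return (statement_index, action, resource) for every Allow statement
    granting object-content reads on a wildcard S3 resource. Action patterns
    match case-insensitively with '*' wildcards, so 's3:Get*' and 's3:*' are
    caught too. Statements using NotAction are not analysed."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        broad = [r for r in _as_list(stmt.get("Resource", []))
                 if _is_broad_s3_resource(r)]
        if not broad:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in DATA_READ_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.extend((idx, action, r) for r in broad)
    return findings

if __name__ == "__main__":
    for idx, action, resource in find_data_read_grants(SAMPLE_POLICY):
        print(f"statement {idx}: {action} allowed on {resource}")
```

Run against a real policy document, the output lists exactly the statements a metadata-only role should not carry; pairing it with CloudTrail S3 data events would cover the logging gap the comment mentions.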



You really shouldn't be storing "potentially sensitive data" in a bucket unencrypted, though.


The problem is nobody who is getting upset about this had any reasonable expectations to begin with. They're just now realizing they might need to protect their data against attackers inside AWS, and now they're caught with their pants down, so cue the hand-wringing.



