Question
A researcher reports that an S3 bucket holding nightly **analytics exports** (CSV dumps that include hashed-but-reversible-where-weak PII and internal metrics) is **publicly listable and readable** — `s3:ListBucket` and `GetObject` granted to `*`. Access logs show steady anonymous GET traffic from varied IPs over the past ~9 days, downloading most objects. A recent IaC change to 'make the bucket accessible to the BI tool' added a broad bucket policy instead of a scoped one. No alarm fired because nothing was 'breached' — it was just open. How do you triage what's exposed, contain it, and prevent the class of mistake?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
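To make the triage and prevention steps concrete, here is an added example (not code from the question's author or from the answer) covering two of them: linting the bucket policy for statements that grant access to any principal, and summarising S3 server access logs to establish which objects anonymous callers actually fetched, from how many IPs, and over what window. The bucket name, the BI tool's role ARN, and the log lines are all constructed for the example; the log format follows the leading fields of the S3 server access log layout, where the requester field is `-` for anonymous requests.

```python
"""Offline triage helpers for an unintentionally public S3 bucket (added example).
  lint_bucket_policy()  - flags Allow statements open to everyone
  scoped_policy()       - builds the least-privilege replacement
  triage_access_log()   - summarises anonymous reads from server access logs
"""
import json
import re
from datetime import datetime

# Constructed policy in the shape the question describes: ListBucket/GetObject for "*".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BIToolAccess", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-analytics-exports",
                      "arn:aws:s3:::example-analytics-exports/*"]}
    ],
}

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False

def lint_bucket_policy(policy):
    """Return Sids of Allow statements granted to any principal with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def scoped_policy(bucket, principal_arn):
    """Same two actions, but only for the BI tool's role (assumed ARN), nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BIToolReadOnly", "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

# Leading fields of an S3 server access log record: owner, bucket, [time], remote IP,
# requester, request id, operation, key, "request-URI", status. Trailing fields ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+)'
)

# Constructed sample records: three anonymous successes, one authenticated read, one 403.
SAMPLE_LOG = """\
OWNERID example-analytics-exports [01/Mar/2024:02:10:05 +0000] 203.0.113.7 - REQ1 REST.GET.OBJECT exports/2024-02-28.csv "GET /exports/2024-02-28.csv HTTP/1.1" 200 - 51200 51200 12 11 "-" "curl/8.0" -
OWNERID example-analytics-exports [01/Mar/2024:02:10:09 +0000] 203.0.113.7 - REQ2 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4096 - 8 7 "-" "curl/8.0" -
OWNERID example-analytics-exports [03/Mar/2024:14:22:41 +0000] 198.51.100.20 - REQ3 REST.GET.OBJECT exports/2024-03-02.csv "GET /exports/2024-03-02.csv HTTP/1.1" 200 - 60000 60000 15 14 "-" "python-requests/2.31" -
OWNERID example-analytics-exports [04/Mar/2024:09:00:00 +0000] 10.0.0.5 arn:aws:sts::123456789012:assumed-role/bi-tool/session REQ4 REST.GET.OBJECT exports/2024-03-03.csv "GET /exports/2024-03-03.csv HTTP/1.1" 200 - 60000 60000 15 14 "-" "aws-sdk-java" -
OWNERID example-analytics-exports [05/Mar/2024:23:59:59 +0000] 203.0.113.7 - REQ5 REST.GET.OBJECT exports/2024-02-28.csv "GET /exports/2024-02-28.csv HTTP/1.1" 403 AccessDenied - 51200 3 2 "-" "curl/8.0" -
"""

def triage_access_log(text):
    """Summarise successful anonymous reads: objects that left, source IPs, time window."""
    ips, keys, times, listings = set(), set(), [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["requester"] != "-" or m["status"] != "200":
            continue  # skip unparseable, authenticated, or failed requests
        ips.add(m["ip"])
        times.append(datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"))
        if m["op"] == "REST.GET.OBJECT":
            keys.add(m["key"])
        elif m["op"] == "REST.GET.BUCKET":
            listings += 1
    return {
        "anonymous_ips": sorted(ips),
        "objects_downloaded": sorted(keys),
        "bucket_listings": listings,
        "first_seen": min(times).isoformat() if times else None,
        "last_seen": max(times).isoformat() if times else None,
    }

if __name__ == "__main__":
    print("Public statements:", lint_bucket_policy(BROAD_POLICY))
    print(json.dumps(scoped_policy("example-analytics-exports",
                                   "arn:aws:iam::123456789012:role/bi-tool"), indent=2))
    print(json.dumps(triage_access_log(SAMPLE_LOG), indent=2))
```

The lint is the check worth wiring into the IaC pipeline (or running against every bucket policy the account already has) so the next "make it accessible to the BI tool" change is caught before apply; the log summary is what turns "it was open" into a scoped notification list, since it names the objects that were actually downloaded rather than everything in the bucket.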