The only mistake AWS made was making buckets originally public by default. It’s been many years since that’s been the case. At this point, you have to be completely ignorant to be storing PII in a public bucket.

> shitty security architecture slapped on AWS

It's literally, and I do mean this literally, 1 click to block all public traffic to an S3 bucket. It can be enabled at the account level, and is on _by default_ for any new bucket. What exactly more do you want?

> It's literally, and I do mean this literally, 1 click to block all public traffic to an S3 bucket.

I'm reasonably certain that for quite a while blocking all public access has been the default, and it is multiple clicks through scary warnings (through the console; CLI or IaC are simpler) to enable public access.

Swimmers on a beach that had lifeguards were dying because the ocean was quite strong and even experienced swimmers would occasionally be drowned.

The city decided to remove the life guards and replace them with signs saying "swim here at your own risk, people die here."

Having a simple classification system like "public" and non public with a system that ensures non public data isn't published might prevent data leaks with automation that checks for publishing non-public data.

A system that let's you publish non public data "with warnings" is just a sign saying "swimmers die here". Its not safe, it just excuses the city from culpability