
Buckets are default deny, now. But for many many years they were not, and the defaults almost certainly changed due to the many many examples of "accidental exposure".


I'd love to know what the original architects of S3 think now, looking back, of S3 buckets being globally unique.

AWS has certainly enjoyed a class of vulnerabilities caused by the way they allocate resources and expose them over DNS, but S3 is just a simple namespace.


Can you explain what you mean by "for many years they were not [default deny]"? I've been using S3 for 10+ years and I can't remember a time when they were ever open-by-default.

If you mean there were years where it was dangerously easy to accidentally open up a bucket, you'll get no disagreement from me. But I can't think of a time when they weren't default deny.



