
You can run up charges by requesting files in any number of public buckets without the AWS keys. The AWS keys don't change the threat model in this situation.


That's the reason why you should always use aws:kms encryption on S3.


Wait what? This conflates two entirely unrelated things.


Nope, because you just get a 404, even on public buckets, because you have no access to the kms key.


I know from your absolute conviction on this (coupled with LOTS of experience with people who have absolute conviction about stuff) that your own conviction is preventing you from seeing valid uses for this, and is potentially keeping you from seeing 100% of the landscape you're professing about.


Sorry, I cannot follow.

To be clear, I'm no AWS advocate.


There are real uses for AWS buckets that are public and cost you money. Distributing files, acting as a webhost, anything that you'd use Dropbox with link sharing for.

Yes, it sucks if someone randomly decides to download files from you all day. You should probably set your budget to alert and attempt to blacklist them when it happens. That’s rare, though, and aside from a few cases of actual malice, the convenience is worth the cost.
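As an added example (not posted by any commenter), a bucket policy for the public-distribution use described above that also lets you block a source IP range once the budget alert fires, and, picking up the earlier point about aws:kms, refuses uploads that are not SSE-KMS encrypted. The bucket name and IP ranges are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForDistribution",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PUBLIC-BUCKET/*"
    },
    {
      "Sid": "BlockAbusiveDownloaders",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PUBLIC-BUCKET/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24", "198.51.100.7/32"]
        }
      }
    },
    {
      "Sid": "RequireSSEKMSOnUpload",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-PUBLIC-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

An explicit Deny always wins over an Allow in policy evaluation, so the blocklist takes effect even though the first statement grants public reads; the StringNotEquals condition also denies uploads that omit the encryption header entirely.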


Not the poster; I assume their comment is in response to your "Always".


You know that AWS is frequently used as (and has an entire product for use as) a CDN, right?


Using S3 as a CDN is a completely different thing than intentionally leaking credentials.


He "leaked" credentials which only allow reading, which makes it effectively the same thing as a CDN, except that instead of needing a URL, you need a tuple of URL and access token.



