I built a scanner that found 41 live AWS keys in 900 Terraform state files (vechron.com)
16 points by GeorgeWoff25 14 hours ago | 2 comments



> I kept it at 10 requests per second because I was not trying to DDoS anyone.

You can't really DDoS S3 on a $20 node.

> AWS does not tell you when your bucket is being scanned.

I wonder if that even makes sense; the "scanning" is just a single request to a public bucket, and they can't infer that the bucket isn't supposed to be public. In theory AWS could flag the IP that's sending requests to thousands of buckets.


If the claim is true, please report them all to AWS, even if AWS closes off accounts automatically.

All personal data at risk due to their incompetence at cloud engineering is too dangerous to go unaffected.



