The Amazon Web Services identity and access management ( IAM ) mechanism is complex, and not fully understanding its particularities often leads to misconfigurations and exposed cloud assets. Researchers from cloud security firm Lightspin identified quirks in S3 bucket permissions that appear to be a common source of confusion among administrators.
Source : AWS access control confusion enables cross-account attacks