IAM and bucket policy for S3 access

My take on this is that our responsibility for S3 advice is about the same as our advice on things like TLS configs (which we do update on occasion). We should try to stay “safe by default”, because we know that just about everyone’s going to blindly use whatever we suggest, because very few people know what any of this magic actually does. Our as-close-to-official-as-we-get guide on setting up S3 does suggest using the wide-open policy, so I’ll fix that up to be more sensible.

@Asher_Densmore-Lynn: if you find any other examples of problematic IAM policies floating around anywhere we can control (here on meta, git repos under the discourse GitHub user, that sort of thing), feel free to let us (me) know (with a specific reference to what’s problematic; everyone’s Google search results are different), and I’ll get it fixed.

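To make concrete what "wide-open" versus "more sensible" looks like for the S3 policies the post discusses, here is an added example (not Discourse's own policy or code, and not part of the original post). It contains two constructed policy documents, a small linter that flags wildcard actions, wildcard resources and anonymous principals in Allow statements, and a simplified evaluator that checks whether a policy still permits the operations an uploads bucket actually needs. The bucket name `example-uploads-bucket` is a placeholder, and the evaluator goes beyond the post by handling generic IAM-style wildcards and Deny precedence, while deliberately ignoring `NotAction`, `NotResource` and `Condition`.

```python
"""Lint IAM/bucket policies for over-broad grants and check needed access.

Added example, not project code. The policies below are constructed for
illustration; 'example-uploads-bucket' is a placeholder bucket name.
"""
from fnmatch import fnmatchcase

# Constructed: the "wide-open" shape of policy that grants everything on every bucket.
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed: the same upload use case scoped to one bucket (placeholder name).
# Bucket-level actions go on the bucket ARN, object-level actions on bucket/*.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::example-uploads-bucket",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-uploads-bucket/*",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding, value) tuples for over-broad Allow grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")  # present in bucket policies, absent in IAM policies

        for action in actions:
            # "*" or "s3:*" grants every API call in the service, including bucket deletion.
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard action", action))
        for resource in resources:
            # A bare "*" resource means every bucket in the account, not just this one.
            if resource == "*":
                findings.append((idx, "wildcard resource", resource))
        # In a bucket policy, Principal "*" (or {"AWS": "*"}) is an anonymous, public grant.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append((idx, "anonymous principal", "*"))
        for action in actions:
            # An uploads policy has no business granting non-S3 actions.
            if action != "*" and not action.startswith("s3:"):
                findings.append((idx, "non-S3 action in S3 policy", action))
    return findings


def allows(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow grants.

    Uses IAM-style '*' and '?' wildcards via fnmatchcase. Ignores NotAction,
    NotResource, Principal and Condition, so it is a linting aid, not a simulator.
    """
    decision = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    for name, pol in (("wide-open", WIDE_OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "findings:", lint_policy(pol))
    obj = "arn:aws:s3:::example-uploads-bucket/uploads/a.png"
    print("scoped policy can PutObject in own bucket:", allows(SCOPED_POLICY, "s3:PutObject", obj))
    print("scoped policy can DeleteBucket on other bucket:",
          allows(SCOPED_POLICY, "s3:DeleteBucket", "arn:aws:s3:::other-bucket"))
```

Running it shows the wide-open policy producing two findings and the scoped one none, while the scoped policy still grants the object operations an uploads workflow needs and nothing on any other bucket. The linter is the kind of check worth running over any policy snippet before it ends up in a setup guide that people will copy verbatim.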