@jonty The bucket names are not really secret, as you can make URLs up using them as part of the domain. This is a huge monetary risk for all AWS customers using S3 and doesn't give much credence to the "Shared Responsibility Model" that AWS use whenever they are blamed for security issues.