Recently I came across multiple AWS S3 buckets with directory listing enabled. The content in the buckets ranged from simple images and JS files to images of Aadhaar IDs, PAN cards, etc.

What's the reason?

Security is a non-functional requirement of a business. What I have seen so far is that when a developer gets an idea, he/she works to implement it without thinking much about the security of the product. But in the long term, once the product matures, even small misconfigurations can lead to huge security vulnerabilities.

Whom to blame if the S3 bucket is public?

Amazon does a very good job of showing whether a bucket is public or not. When a bucket is made public, you can see a tag under “Permissions” that says the bucket is public.
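The same "is this bucket public?" check can be done programmatically, which is what you want when auditing many buckets rather than clicking through the console. The example below is added here and is not the author's code: it evaluates the dict/JSON shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, using constructed sample inputs so it runs offline, and flags buckets that allow anonymous directory listing (s3:ListBucket / ACL READ) unless Block Public Access neutralises the grant.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # real AWS group URI: anyone on the internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account holder
LISTING_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def acl_allows_listing(acl):
    """True if the bucket ACL (get_bucket_acl shape) grants READ, i.e. object listing, to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        public_group = grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS)
        if public_group and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return True
    return False


def policy_allows_listing(policy_json):
    """True if an Allow statement gives an anonymous principal s3:ListBucket.
    Statements carrying a Condition are still counted (conservative: assume public)."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and anonymous and any(a.lower() in LISTING_ACTIONS for a in actions):
            return True
    return False


def listing_is_public(acl, policy_json, public_access_block):
    """Combine ACL, policy and Block Public Access: IgnorePublicAcls neutralises public ACL
    grants and RestrictPublicBuckets neutralises a public bucket policy."""
    pab = public_access_block or {}
    via_acl = acl_allows_listing(acl) and not pab.get("IgnorePublicAcls", False)
    via_policy = policy_allows_listing(policy_json) and not pab.get("RestrictPublicBuckets", False)
    return via_acl or via_policy


# Constructed samples (not real buckets) in the shapes the boto3 calls return.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]})
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

Feeding each bucket's live ACL, policy and Block Public Access settings into `listing_is_public` turns the console's "Public" tag into something you can run across every bucket in an account on a schedule.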