The last S3 Security document that you will ever need

trustoncloud.com

6 points by brentcetinich 5 years ago · 1 comment

brentcetinichOP 5 years ago

It is a 160-page PDF on S3. If you are putting any confidential information in S3, you need to see the S3 service map in the PDF on page 3. All the different access points and places you can set an ACL... All the bolt-on services that keep on piling on start to show the age of the service.

https://github.com/trustoncloud/threatmodel-for-aws-s3/raw/m...

Here is a nice threat:

ETags include the MD5 of the file, but not consistently, and can be used by developers to verify the integrity of a file. An attacker can affect an upload function to change the ETag of a file, in order to disrupt a workflow downstream.
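The ETag inconsistency quoted above, as an added example that is not part of the original comment or of the TrustOnCloud document. It assumes the commonly observed S3 behaviour that a plain single PUT yields the hex MD5 of the body, while a multipart upload yields the MD5 of the concatenated part digests plus a part count; the function names, the sample bytes and the tiny part size are constructed for illustration (real parts are megabytes in size).

```python
import hashlib
import hmac


def single_part_etag(data: bytes) -> str:
    """ETag for a plain single PUT (no SSE-KMS/SSE-C): hex MD5 of the body."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(data: bytes, part_size: int) -> str:
    """Assumed multipart format: MD5 over the binary part MD5s, then '-<parts>'."""
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)] or [b""]
    joined = b"".join(hashlib.md5(p).digest() for p in parts)
    return f"{hashlib.md5(joined).hexdigest()}-{len(parts)}"


def etag_matches_md5(etag: str, data: bytes) -> bool:
    """Fragile downstream check: treats the ETag as the MD5 of the content."""
    return etag.strip('"') == hashlib.md5(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Check against a SHA-256 the producer recorded separately from the ETag."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


# Constructed sample object and the digest its producer would have recorded.
SAMPLE = b"A" * 10 + b"B" * 10 + b"C" * 5
RECORDED_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def demo() -> dict:
    """Same bytes, two upload paths: only the digest check is stable."""
    etag_put = single_part_etag(SAMPLE)
    etag_mpu = multipart_etag(SAMPLE, part_size=10)
    return {
        "put_etag_check": etag_matches_md5(etag_put, SAMPLE),
        "multipart_etag_check": etag_matches_md5(etag_mpu, SAMPLE),
        "sha256_check": verify_sha256(SAMPLE, RECORDED_SHA256),
        "multipart_etag": etag_mpu,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A consumer that compares the ETag to an MD5 rejects the multipart copy even though its bytes are unchanged, which is the workflow disruption the threat describes; comparing against a separately recorded digest does not depend on how the object was uploaded.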
