Lightspin said the issue could be partially attributed to potentially confusing definitions provided by vendors for some access options, such as the “Objects can be public” option in AWS, which could leave businesses unsure as to whether the objects are secure. In addition, AWS evaluates access permissions of every file at the bucket level instead of the object level, causing the object’s Access Control List to not be considered, according to Lightspin. The report showed that 40% of S3 buckets they assessed have been attached with the “Objects can be public” definition while 4% are defined as public.