Got the message below from AWS. Some buckets look fine, like static.synapse.org. Others I'm not sure about, like external.bucket.test (there should be no test objects in prod) and access.record.by.month.sagebase.org (scary!). Please review and make sure there is no security hole. Delete any unused/stray buckets.
We’re writing to notify you that your AWS account 325565585839 has one or more S3 buckets that allow read or write access from any user on the Internet. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access.
Unless you have a specific reason (such as hosting a public website) for this configuration, we recommend that you update your bucket and restrict public access. Your list of buckets configured to allow access by anyone on the Internet as of August 9, 2019 are: