We have an application that is somehow able to list the contents of an S3 bucket even though there is no policy on the bucket. Based on my understanding of s3, it should default to deny and this not be the case. Is there another way this could be happening. The application is doing a simple curl to the endpoint, not passing any credentials.We have an application that is somehow able to