Object storage security (AWS S3, Azure Blob, GCS) requires blocking public access, least-privilege bucket policies, server-side encryption, versioning, access logging, and MFA delete.
Misconfigured S3 buckets have exposed billions of records. The AWS S3 Block Public Access setting should be enabled by default at the organization level. Monitor for public bucket creation with AWS Config/GuardDuty.
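An added example, not part of the original page: an offline audit that checks one bucket's configuration against the six controls listed above. It assumes `cfg` merges the response fields of boto3's S3 `get_public_access_block`, `get_bucket_policy`, `get_bucket_encryption`, `get_bucket_versioning` (nested here under a hypothetical `Versioning` key) and `get_bucket_logging`; the function names and sample buckets are constructed for illustration.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def wildcard_allows(policy_json):
    """Yield Sids of Allow statements whose principal is a wildcard."""
    stmts = json.loads(policy_json).get("Statement", [])
    for i, s in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        p = s.get("Principal")
        # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}
        aws = p.get("AWS") if isinstance(p, dict) else p
        aws = aws if isinstance(aws, list) else [aws]
        if s.get("Effect") == "Allow" and "*" in aws:
            yield s.get("Sid", f"statement[{i}]") + (" (conditional)" if s.get("Condition") else "")

def audit_bucket(cfg):
    """cfg merges boto3-shaped S3 responses (assumed layout); returns findings."""
    out = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        out.append("block public access off: " + ",".join(off))
    for sid in wildcard_allows(cfg.get("Policy") or "{}"):
        out.append("policy allows any principal: " + sid)
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(algos):
        out.append("no default server-side encryption")
    for key, msg in (("Status", "versioning"), ("MFADelete", "MFA delete")):
        if (cfg.get("Versioning") or {}).get(key) != "Enabled":
            out.append(msg + " not enabled")
    if not cfg.get("LoggingEnabled"):
        out.append("access logging not enabled")
    return out

# Constructed sample configurations (not from a real account).
WEAK = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS[:2], True),
    "Policy": json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
        "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "Versioning": {"Status": "Suspended"},
}
HARDENED = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "LoggingEnabled": {"TargetBucket": "example-log-bucket"},
}
```

Wildcard statements that carry a `Condition` are still reported, marked `(conditional)`, so a reviewer can decide whether the condition actually restricts access.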