You got hacked? You must have configured it wrong because we already told you it was unhackable; Good luck proving it was our fault not yours.
Seems like it would be incredibly easy to prove that an S3 bucket was misconfigured in such a way that the data was publicly accessible. In fact this has been the case in the recent high-profile cases that I can recall.
The hacker got ephemeral keys by remotely exploiting the WAF. The WAF had no reason to have privileges to read from S3, that was a mistake.
I’m unclear if data in bucket was encrypted at rest but I guess if you get keys to read it’s a moot point.