It’s a bad idea to leave your S3 perms wide open, because then anyone can use your S3 bucket for whatever reason they want, and it’ll hit your wallet. And if they can’t figure out basic IAM and ACLs, I’m also betting they can’t figure out “requester pays”