AWS added an excessive s3:getObject permission to AWSSupportServiceRolePolicy
IAM policy used by AWS Support teams, and removed it a day later.
None required, though best practice would be to use KMS-CMK for bucket
encryption and minimize privileges in resource policies.
No tracked CVEs