Why does s3 return 403 and not 404?

S3 is an object storage service with abilities of serving a website. Sometimes, when an object isn't available, it sends 403 instead of 404.

The motivation behind is to prevent brute force attacks such as trying various names of objects in the bucket, and figure out what objects are present. In case of 404, attackers will retry by changing names and find if the objects exist or not.

Hence it returns 403, and the attackers can't retry random names.

It's a kind of resource enumeration attack where attacker will try random names to find valid objects.