phenomlab Short answer is, we don’t know. (longer answer is remarkably similar)
We are reading between the lines a LOT here - little is actually known, and while I am seeing a lot of reports on ModSecurity, the role IAM permissions, and SSRF, I have yet to see any actual, validated sources for this.
Was ModSecurity used alone (difficult to do), with a reverse proxy such as nginx (most probable configuration, particularly given some deployment models, such as kube, will spin up such a thing for ingress NLB) or was it actually a ModSecurity module installed to an actual webserver?
We have no real reason to presume the FBI meant “NLB” when they said “Firewall”; they may have HEARD “WAF” and extrapolated, but WAF on a webserver is still WAF (and doesn’t break some models such as client certs that use of an inline appliance WAF would break). If the instance really WAS a webserver, then it may have been correct that it had access to buckets containing data (because it needed to serve that data, which is the point of a webserver, really).
Without knowing quite a bit more (and we don’t even know what SSRF was allegedly exploited in ModSecurity) we don’t know if there was an actual misconfiguration, an architecture choice that in retrospect wasn’t the best (such as not using a separate WAF) or an undocumented bug that is going to be announced once a patch is ready…