Logs

Check whether log metric filter and alarm exist for S3 bucket policy changes

Security

Check the S3 bucket CloudTrail logs to is not publicly accessible
Check if S3 buckets have default encryption (SSE) enabled or use a bucket policy to enforce it.
Check if CloudFront distributions are set to HTTPS
Check if CloudFront distributions have Field Level Encryption enabled
Ensure your S3 buckets have policies which do not allow WRITE access
Ensure that no public access buckets are created and that they are using S3 Bucket or IAM policies.

Sources

https://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html
https://www.xplg.com/s3-security-buckets/