Unless they're highly privileged enough to turn on read access to the bucket, you're fine. Thus, you can contain most breaches of credentials.