That happens when you disable directory enumeration (or whatever name that has) on S3. In that case, it sends 403s (permission denied) instead of 404s.
I know, but try explaining that to someone in very small words. There is no admin. There is no login. The API has open CORS because we want reuse and there’s no risk because there’s literally no concept of identity in the app. Everything is public data or f(public).
Scanners see things through their eyes, and they’re not used to static/public.
In the end, it was easier just to rewrite 403 into 404.
They freaked out when /admin/ returned permission errors, essentially a 404, because it was information leakage about admin functions of the website.