S3 is not a database, but that's not the point. As explained by Capital One, the attacker gained access through a misconfigured web app. This could have happened on any platform (on-premise or cloud), and the underlying AWS services weren't compromised in any way.
"We do not access or use your content for any purpose without your consent. We never use your content or derive information from it for marketing or advertising"