S3 is not a database, but that's not the point. As explained by Capital One, the attacker gained access through a misconfigured web app. This could have happened on any platform (on-premises or cloud), and the underlying AWS services weren't compromised in any way.