Yup, that’s correct! While we offer anonymous read-only access to internal buckets (which can be placed over the entire share), we require that buckets that are presented via a proxy server in our DMZ use access keys for the same read-only access.
It would be helpful to have that nested bucket available internally as anonymous if someone were to enter through the higher level bucket URL, but as I think about that, it seems kind of impossible. 