Also looking for a solution here.
A fairly standard (and recommended by AWS) configuration is to never have a public s3 bucket/objects, and if you need to serve objects publically, do it through a Cloudfront distribution.
The current s3 implementation forces public s3 bucket access (through this issue, as well as S3 CDN URL ignored when uploading into posts), which is recommended against - for security and costs.