@Stephen Certainly up for interpretation…
To me it seems “broken” that it uses the CDN url in one instance and not the other, and it forces an S3 configuration that AWS actually recommends against (public ACL for an s3 bucket).
I’m new to the Discourse project in general, but can certainly work on a PR.