@k. It is a great question. I don't have any problem setting the policy to be publicly accessible. Setting it to be publicly accessible means my bucket can be served directly via either S3, CloudFront, or any other CDN. So CloudFront here serves as a CDN to enhance the delivery, and you can replace it with any other CDN as convenient. If you are concerned about direct access to S3, you can set a policy to make your S3 only accessible by CloudFront.
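
The two setups mentioned in the reply above, as an added example that is not part of the original comment: a public-read bucket policy beside one that admits only a single CloudFront distribution through origin access control, with a small audit function that tells them apart. The bucket name, account ID, distribution ID and the helper names `policy` and `audit` are constructed for illustration.

```python
import json

# Constructed placeholders, not values from the original comment.
BUCKET_ARN = "arn:aws:s3:::example-bucket/*"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

def policy(sid, principal, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject", "Resource": BUCKET_ARN}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Publicly readable: S3, CloudFront or any other CDN can fetch objects directly.
PUBLIC_POLICY = policy("PublicRead", "*")

# Only the named CloudFront distribution may read (origin access control).
CLOUDFRONT_ONLY_POLICY = policy(
    "AllowCloudFrontOnly", {"Service": "cloudfront.amazonaws.com"},
    {"StringEquals": {"AWS:SourceArn": DIST_ARN}})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _has_source_arn(stmt):
    # Condition keys are case-insensitive; accept any operator on aws:SourceArn.
    return any(k.lower() == "aws:sourcearn"
               for op in stmt.get("Condition", {}).values() for k in op)

def audit(pol):
    """Return (Sid, finding) pairs. Simplified: Condition blocks on wildcard
    statements are not evaluated, so those are always reported for review."""
    findings = []
    for stmt in _as_list(pol.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        sid = stmt.get("Sid", "<no Sid>")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append((sid, "public"))
        elif (isinstance(principal, dict)
              and "cloudfront.amazonaws.com" in _as_list(principal.get("Service"))
              and not _has_source_arn(stmt)):
            findings.append((sid, "cloudfront-unscoped"))
    return findings

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("cloudfront-only", CLOUDFRONT_ONLY_POLICY)]:
        print(name, audit(pol), json.dumps(pol, indent=2), sep="\n")
```

The `cloudfront-unscoped` finding covers a policy that trusts the CloudFront service principal without pinning `AWS:SourceArn`, which would let any distribution in any account read the bucket.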