Bucket Policy for IP Restrictions Not Working

Ran into the same problem, and also found a possibly related issue from October 2020. S3 IP address ACL broken

I would get 403 errors from S3 using the suggested bucket policy under “Configure bucket policies to allow Cloudflare IP addresses” in this support article: https://support.cloudflare.com/hc/en-us/articles/360037983412-Configuring-an-Amazon-Web-Services-static-site-to-use-Cloudflare

Fwiw, the article shows updated 1 month ago.

In addition to unchecking all of the “Block Public Access” checkboxes in the bucket permissions, flipping “Deny” to “Allow” seems to work.

Change: "Effect": "Deny",
To: "Effect": "Allow",

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "PublicReadGetObject",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::<YOUR-BUCKET-NAME-HERE>/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": [
						"2400:cb00::/32",
						"2606:4700::/32",
						"2803:f800::/32",
						"2405:b500::/32",
						"2405:8100::/32",
						"2a06:98c0::/29",
						"2c0f:f248::/32",
						"173.245.48.0/20",
						"103.21.244.0/22",
						"103.22.200.0/22",
						"103.31.4.0/22",
						"141.101.64.0/18",
						"108.162.192.0/18",
						"190.93.240.0/20",
						"188.114.96.0/20",
						"197.234.240.0/22",
						"198.41.128.0/17",
						"162.158.0.0/15",
						"172.64.0.0/13",
						"131.0.72.0/22",
						"104.16.0.0/13",
						"104.24.0.0/14"
					]
				}
			}
		}
	]
}

With the above bucket policy in place and no other deviations from the Cloudflare support article, things are working. Public access to my bucket seems to be disallowed, and only Cloudflare IPs can access it. It feels a little strange not having any Deny rules in there, but it seems to be implicit. The S3 console shows the big red “Public” warning, but the bucket policy does not allow public access.

I think there’s something about access to objects by the owner who uploads them, but I got a little lost in that AWS documentation. 🙂
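The behaviour described in this post (an Allow statement gated on aws:SourceIp lets Cloudflare through, and everyone else falls into an implicit deny) can be checked offline. The following is an added example, not code from the post or from Cloudflare/AWS: a small evaluator that applies the standard IAM decision order (an explicit Deny wins, then an Allow, otherwise implicit deny) to the policy shown above. It uses a constructed bucket name (example-bucket), constructed client IPs, and a constructed Deny-only variant of the policy so the two outcomes can be compared; it does not reproduce the exact statement from the Cloudflare article, which is not quoted in the post. The IP list is the one in the posted policy; Cloudflare publishes the current ranges at https://www.cloudflare.com/ips/ and they change over time, so a deployed policy should be refreshed from that list.

```python
import fnmatch
import ipaddress

# Cloudflare ranges exactly as listed in the posted policy.
CLOUDFLARE_RANGES = [
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "172.64.0.0/13",
    "131.0.72.0/22", "104.16.0.0/13", "104.24.0.0/14",
]

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed bucket name

# The working policy from the post: Allow s3:GetObject only from Cloudflare IPs.
ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"IpAddress": {"aws:SourceIp": CLOUDFLARE_RANGES}},
    }],
}

# Constructed Deny-only variant (an assumption, not the article's statement):
# it blocks non-Cloudflare sources but never grants anything to anyone.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonCloudflare",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": CLOUDFLARE_RANGES}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def ip_in_ranges(source_ip, ranges):
    """True if source_ip falls inside any CIDR in ranges (v4 and v6 mixed)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def condition_matches(condition, source_ip):
    """Evaluate only the IpAddress / NotIpAddress operators on aws:SourceIp."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError("operator not modelled here: " + operator)
        hit = ip_in_ranges(source_ip, _as_list(keys.get("aws:SourceIp", [])))
        if operator == "IpAddress" and not hit:
            return False
        if operator == "NotIpAddress" and hit:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """IAM decision order: ExplicitDeny > Allow > ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation
        decision = "Allow"
    return decision


def http_status(decision):
    """Map the decision to the status S3 would return for an anonymous GET."""
    return 200 if decision == "Allow" else 403


if __name__ == "__main__":
    obj = BUCKET_ARN + "/index.html"
    # Constructed client addresses: one Cloudflare v4, one Cloudflare v6,
    # one documentation-range address (RFC 5737) standing in for "the public".
    for ip in ("173.245.48.10", "2606:4700::1", "203.0.113.5"):
        for name, pol in (("Allow", ALLOW_POLICY), ("DenyOnly", DENY_ONLY_POLICY)):
            d = evaluate(pol, "s3:GetObject", obj, ip)
            print(f"{name:8} {ip:16} -> {d:12} HTTP {http_status(d)}")
```

Run it and the Deny-only column shows 403 for every source, Cloudflare included, because nothing in that policy ever produces an Allow; the Allow-with-condition column returns 200 only for the Cloudflare addresses. That is the "implicit deny" the post relies on, and it is also why the console still labels the bucket "Public": the Principal is "*" and the restriction lives entirely in the Condition.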