Cloudfront with public S3 bucket

 Use OAI so not all object are public in the bucket:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html