
What's the recommended permissions configuration for AWS S3 media storage?

Craft CMS Asked by inspirednz on January 2, 2021

I’m hosting assets for a Craft 2.9.3 site on AWS S3.

I’m trying to figure out how to give the site (and its users) access to the files without making them broadly publicly available.

I found a suggestion for the right User/Group permissions here. Those are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        }
    ]
}

I attached this policy to an IAM Group, in which the IAM User is a member. I am using that IAM User’s credentials on Craft 2 for access to the files.

However, I get an ‘Access denied’ error. The only way I’ve found to get rid of that error is to grant full public access to the bucket. It doesn’t seem right to me that the files are publicly accessible. On the site itself only logged-in users have access to many of the assets in the S3 bucket.

Have I missed a step somewhere in this configuration?

UPDATE 20201020

I tried a User policy generated by the tool Billythekid provided in the comments. The policy it created was:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::MY-BUCKET/*"
    }
  ]
}

After applying this policy to the User, I still get an AccessDenied error from AWS when trying to access the file from the site. Yet when I run the appropriate tests in the IAM Policy Simulator, everything is accessible as expected.

The only way I’ve found around this is to set a policy on the bucket which grants public access (e.g., a policy that has a "Principal": "*" field/value in it, along with the necessary actions, etc.).

As a workaround, I’ve set an aws:Referer condition, so that only the site in question can reference the files.

So I am back to my original question … How does one set up AWS S3 for Craft without granting public access to the bucket? For example, I don’t have this issue when I give WordPress storage plug-ins AWS S3 storage access (i.e., public access is blocked, and WordPress doesn’t get an access denied error from AWS).
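The symptom described in this question (the IAM Policy Simulator says "allowed", the site gets AccessDenied) comes down to which policy governs which request. The following toy model is an added illustration, not code from Craft CMS, its S3 plugin or AWS, and it models only a slice of AWS's real evaluation logic: an identity-based policy (the IAM user/group policy above) applies solely to requests signed with that identity's keys, while a visitor's browser fetching an asset URL sends an unsigned, anonymous request that only a resource-based bucket policy (or object ACL, not modelled) can allow. The IAM user ARN, the `MY-BUCKET` object key, the `example.com` referer and the account number are constructed sample values; the bucket policy with the `aws:Referer` condition stands in for the workaround described in the update.

```python
# Toy model of the S3 access decision behind the question above.  Added
# illustration, not Craft CMS or AWS code; ARNs, bucket name and referer
# values are constructed samples.  Simplified evaluation: explicit Deny wins,
# identity-based policy applies only to signed requests, default is Deny.
import fnmatch

CRAFT_USER = "arn:aws:iam::123456789012:user/craft-s3"  # constructed
OBJ = "arn:aws:s3:::MY-BUCKET/uploads/members-only.pdf"  # constructed

# Identity-based policy attached to the IAM user Craft signs requests with
# (same shape as the second policy in the question).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::MY-BUCKET"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::MY-BUCKET/*"},
    ],
}

# Resource-based (bucket) policy: anonymous reads gated on aws:Referer, the
# shape of the questioner's workaround.
REFERER_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::MY-BUCKET/*",
         "Condition": {"StringLike": {"aws:Referer": "https://www.example.com/*"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, context):
    """True when Action, Resource and (StringLike-only) Condition all match."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":      # unmodelled operator: fail closed
            return False
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None or not any(fnmatch.fnmatchcase(value, p)
                                        for p in _as_list(patterns)):
                return False
    return True


def evaluate(principal, action, resource, identity_policy=None,
             bucket_policy=None, context=None):
    """Return 'Allow' or 'Deny'.  principal is "anonymous" for an unsigned
    browser request, otherwise the ARN of the IAM user making a signed call."""
    context = context or {}
    effects = []
    if principal != "anonymous" and identity_policy:   # signed requests only
        effects += [s["Effect"] for s in identity_policy["Statement"]
                    if _statement_matches(s, action, resource, context)]
    for s in (bucket_policy or {}).get("Statement", []):
        who = s.get("Principal")
        applies = who == "*" or (isinstance(who, dict)
                                 and principal in _as_list(who.get("AWS", [])))
        if applies and _statement_matches(s, action, resource, context):
            effects.append(s["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def demo():
    """The requests from the question, evaluated against the toy model."""
    from_site = {"aws:Referer": "https://www.example.com/members"}
    return {
        # Craft uploading with the IAM user's keys: allowed by the identity policy.
        "craft_put": evaluate(CRAFT_USER, "s3:PutObject", OBJ, IDENTITY_POLICY),
        # What the IAM Policy Simulator checks: the IAM user itself may read.
        "craft_get": evaluate(CRAFT_USER, "s3:GetObject", OBJ, IDENTITY_POLICY),
        # A visitor's browser following the asset URL sends no credentials, so
        # the identity policy is irrelevant and a private bucket answers AccessDenied.
        "browser_get_private": evaluate("anonymous", "s3:GetObject", OBJ, IDENTITY_POLICY),
        # The workaround: public-read bucket policy gated on the Referer header.
        "browser_get_from_site": evaluate("anonymous", "s3:GetObject", OBJ,
                                          IDENTITY_POLICY, REFERER_BUCKET_POLICY, from_site),
        "browser_get_no_referer": evaluate("anonymous", "s3:GetObject", OBJ,
                                           IDENTITY_POLICY, REFERER_BUCKET_POLICY),
        # Least privilege still holds: the IAM user cannot reach another bucket.
        "craft_other_bucket": evaluate(CRAFT_USER, "s3:GetObject",
                                       "arn:aws:s3:::OTHER-BUCKET/x", IDENTITY_POLICY),
    }
```

Two points the model makes visible: the IAM policy is doing its job (Craft's signed uploads and reads succeed, and other buckets stay out of reach), and the browser's denial is expected for a private bucket rather than a misconfiguration. The `aws:Referer` condition only gates on a header the client itself supplies, so it deters casual hotlinking but is not an access control for member-only files; keeping the bucket private and having the application hand out short-lived presigned URLs for the objects a logged-in user is entitled to keeps access decisions in the application. Account- and bucket-level Block Public Access settings sit above both policy types and are not modelled here.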
