humanmade / tachyon

Faster than light image resizing service that runs on AWS. Super simple to set up, highly available and very performant.

Home Page: https://engineering.hmn.md/projects/tachyon/

Enable authenticated requests for S3 based on environment variable

brunomoutinho opened this issue · comments

In the company I work for, we're using Tachyon and want to maintain the bucket as private. I have validated that it is possible to do that by changing the S3 method from makeUnauthenticatedRequest to makeRequest, keeping all options as they are.
It should be commented that, by adding this option, the user must configure a role for the Lambda Function to be able to fetch data from the S3 Bucket.

I have written code to allow this, but have no permission to push to a new branch. I would be happy to send it to any maintainer.

@brunomoutinho if you fork S3 Uploads to your account, you can push a new branch up there :)

Have done that! Now there's a PR open here: #108

@joehoyle I think there is no need to update the CF template as it already has the Role to be used by the lambda. What could be done is restricting the permission to read to the Bucket of the uploads. What do you think?

@brunomoutinho oh yeah good point. That's, I think, outside of the concerns for Tachyon, and more to do with what you have writing to S3 (in our case, that's the S3-Uploads WordPress plugin).

Tachyon does not create the bucket, so I wouldn't expect it to dictate permissions for the bucket or public access.

I think I expressed myself the wrong way.
Right now Tachyon has, in the CF template, the LambdaFunctionIAMRole resource, which creates the role to be used by the Lambda Function. The S3 bucket, from the code I have created, can now be private, and the Lambda Function currently has permission to read from any bucket for the account.
Maybe it would be good, as you suggested, to narrow that to the UploadsS3Bucket parameter. I can open a PR for that, if you agree it's a good addition.

Ohh yeah sorry I missed it wasn't doing that. So all the things I suggested you improve in your example policy we were actually also making those mistakes in our codebase :D sorry! A PR would be great to address that.
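
Added example, not part of the thread and not Tachyon's own code: a small check for the narrowing discussed above, which flags any Allow statement in an IAM policy document that grants s3:GetObject beyond a single bucket. The function names, the bucket name example-uploads and the sample policy are constructed for illustration.

```javascript
// Added example, not Tachyon's code. Names, bucket and sample policy are constructed.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns: '*' matches any run of characters, '?' exactly one; case-insensitive.
function actionMatches(pattern, action) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${re}$`, 'i').test(action);
}

// Return every Allow grant of s3:GetObject that reaches beyond objects in `bucket`.
function overbroadS3Read(policy, bucket) {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const findings = [];
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    const sid = stmt.Sid || null;
    // NotAction / NotResource grant "everything except", so they need manual review.
    if (stmt.NotAction !== undefined || stmt.NotResource !== undefined) {
      findings.push({ sid, resource: null, reason: 'NotAction/NotResource in Allow' });
      continue;
    }
    if (!asArray(stmt.Action).some((a) => actionMatches(a, 's3:GetObject'))) continue;
    for (const res of asArray(stmt.Resource)) {
      // The bucket ARN itself carries no object access; only "<bucket>/..." is in scope.
      if (res === bucketArn || res.startsWith(`${bucketArn}/`)) continue;
      findings.push({ sid, resource: res, reason: 'resource not limited to bucket' });
    }
  }
  return findings;
}

// The narrowed grant: read objects in the uploads bucket only.
function scopedReadStatement(bucket) {
  return { Sid: 'ReadUploads', Effect: 'Allow', Action: ['s3:GetObject'],
    Resource: [`arn:aws:s3:::${bucket}/*`] };
}

// Constructed sample: a role policy that can read objects in any bucket.
const broadPolicy = { Version: '2012-10-17', Statement: [
  { Sid: 'ReadAny', Effect: 'Allow', Action: 's3:Get*', Resource: 'arn:aws:s3:::*' },
  { Sid: 'Logs', Effect: 'Allow', Action: 'logs:PutLogEvents', Resource: '*' },
] };

console.log(overbroadS3Read(broadPolicy, 'example-uploads'));
console.log(overbroadS3Read({ Statement: [scopedReadStatement('example-uploads')] }, 'example-uploads'));
```

A resource such as arn:aws:s3:::example-uploads* is also flagged, because without the trailing slash it matches sibling buckets that share the prefix.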

@brunomoutinho might've been added since but we now support the environment variable S3_AUTHENTICATED_REQUEST to switch between using makeRequest and makeUnauthenticatedRequest. Set that variable to the string true to use authed requests.

We've also added initial support for private uploads via signed URLs though I'm not sure it's documented yet.

@roborourke It has been added, that's right :) I have created the issue and the PR to complete it, but I might have missed on closing this... I'm not fully aware of how things should go 😅
Anyway, this issue might be closed based on this PR: #108

Ha! Yep that was you 😬 I'll close this out, thanks again.