s3 permissions - security hub wants no read only so suggestions

0

Starting to utilize the Security Hub feature, and it is saying that "S3.2 S3 buckets should prohibit public read access".

We use S3 for a lot of images, most of which are already in CloudFront, but when I turn off public access, even CloudFront fails. The recommendation is really no help; it just says to turn it off, so I am trying to figure out the best practice to roll out to all our S3 buckets.

As I said, most are images that go to CloudFront. There are some other uses that I can look at, but I want to get those resolved in Security Hub and still allow the images to work.

Thanks.

1 answer
0

The S3.2 policy evaluates not only the Block Public Access setting, but the bucket policy and the bucket ACL.

You will need to configure an Origin Access Identity (OAI) on your S3 bucket(s) so they only serve content via CloudFront (if you have not already done so). Take a look at this article + video guide.

AWS
Answered 2 years ago
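To make the answer concrete, here is an added example (not code from the answer above or from AWS) that models the three things the S3.2 control looks at: the Block Public Access settings, the bucket policy and the bucket ACL. It places a public-read bucket policy beside an OAI-scoped one and runs a small checker over both. The bucket name, OAI id and canonical user id are constructed placeholders.

```python
import json

# Constructed sample inputs; the bucket name and ids are placeholders, not real resources.
BUCKET = "example-images-bucket"

# "Before": anyone on the internet may read objects. This is what S3.2 flags.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# "After": the same read grant, but only the CloudFront origin access identity may use it.
# The principal ARN format is the real one for an OAI; EXAMPLEOAIID is a placeholder.
OAI_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Block Public Access configuration, all four flags off versus all four on.
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}

# Predefined group URIs used by S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PRIVATE_ACL_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
                       "Permission": "FULL_CONTROL"}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} means anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_object_read(actions):
    return any(a.lower() in ("s3:getobject", "s3:get*", "s3:*", "*") for a in _as_list(actions))


def public_read_statements(policy):
    """Return the Sids of Allow statements that let anyone read objects.

    Deliberately conservative: a Condition block does not exempt a statement here,
    even though S3 treats a few condition keys as making a statement non-public."""
    sids = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if (statement.get("Effect") == "Allow"
                and _principal_is_public(statement.get("Principal"))
                and _grants_object_read(statement.get("Action", []))):
            sids.append(statement.get("Sid", f"statement[{index}]"))
    return sids


def public_read_acl_grants(grants):
    """ACL grants that give READ (or FULL_CONTROL) to AllUsers or AuthenticatedUsers."""
    return [g for g in grants
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
            and g.get("Permission") in ("READ", "FULL_CONTROL")]


def evaluate_bucket(block_public_access, policy, acl_grants):
    """Report each public-read path independently, in a fixed order; empty list means clean."""
    findings = []
    if not all(block_public_access.get(key) for key in BPA_OFF):
        findings.append("block_public_access_incomplete")
    if public_read_statements(policy):
        findings.append("policy_allows_public_read")
    if public_read_acl_grants(acl_grants):
        findings.append("acl_allows_public_read")
    return findings


if __name__ == "__main__":
    print("before:", json.dumps(evaluate_bucket(BPA_OFF, PUBLIC_READ_POLICY, PUBLIC_ACL_GRANTS)))
    print("after: ", json.dumps(evaluate_bucket(BPA_ON, OAI_SCOPED_POLICY, PRIVATE_ACL_GRANTS)))
```

The "after" shape is what lets Block Public Access stay fully enabled without breaking CloudFront: the objects are never public, and the distribution reads them as the OAI, so its origin configuration must reference that same OAI. The checker reports the three paths separately because fixing the policy alone leaves a public ACL grant or a half-enabled Block Public Access configuration still flagged.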
