All object access to objects encrypted with SSE-KMS requires IAM permissions to decrypt, regardless of the ACL settings (which only control the get/put actions, not encryption). You have two options: don't use default bucket encryption and only encrypt objects that are not going to be public, or use two buckets, one with default bucket encryption for private objects and one without for public objects. You might also try using SSE-S3, which doesn't require IAM permissions to decrypt, but may require the request to be signed with SigV4 (I haven't tested this).
Thanks for your quick answers. I'll try to encrypt only private files and disable default bucket encryption. Too bad we cannot do the opposite and decide not to encrypt some objects.
All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or if they are not made using SigV4.
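An added example, not from the thread or from AWS, of the audit the answers imply: find objects whose public-read ACL cannot take effect because the object is SSE-KMS encrypted. It assumes public access is granted through object ACLs, and it works on dicts shaped like the S3 HeadObject and GetObjectAcl responses; the function names and the sample records are constructed for illustration.

```python
# Added example: flag objects that carry a public-read ACL but are SSE-KMS
# encrypted, so anonymous GETs fail. Inputs mirror the S3 HeadObject and
# GetObjectAcl response shapes; all sample records below are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
KMS_MODES = {"aws:kms", "aws:kms:dsse"}  # SSE-KMS and dual-layer SSE-KMS


def is_public_read(acl):
    """True if the ACL grants READ or FULL_CONTROL to the AllUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") == ALL_USERS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def classify(head, acl):
    """Return 'private', 'public-no-kms' or 'public-blocked-by-kms'."""
    if not is_public_read(acl):
        return "private"
    if head.get("ServerSideEncryption") in KMS_MODES:
        # An anonymous caller has no kms:Decrypt permission on the key.
        return "public-blocked-by-kms"
    return "public-no-kms"


def audit(objects):
    """objects: {key: (head, acl)} -> sorted keys to move or re-encrypt."""
    return sorted(key for key, (head, acl) in objects.items()
                  if classify(head, acl) == "public-blocked-by-kms")


# Constructed sample metadata (hypothetical keys and owner ID placeholder).
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}
OWNER_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser",
                                     "ID": "owner-id-placeholder"},
                         "Permission": "FULL_CONTROL"}]}
SAMPLE = {
    "img/logo.png": ({"ServerSideEncryption": "aws:kms"}, PUBLIC_ACL),
    "img/banner.png": ({"ServerSideEncryption": "AES256"}, PUBLIC_ACL),
    "docs/contract.pdf": ({"ServerSideEncryption": "aws:kms"}, OWNER_ACL),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Objects the audit returns are the candidates for the second, non-KMS bucket or for re-upload without SSE-KMS, as the first answer suggests.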