The description of the IAM policy for S3 uploads and downloads in the app bucket states that "This policy’s effective permissions will allow all authenticated users to read objects from the root of the bucket and any /protected path, but only allow users to read their own private sub-path and write to their sub-path within the protected path." (my styling)
Instead the policy clearly also permits PutObject and DeleteObject from the /public/* path:
Indeed, with the modifications to the app proposed in the next step, the user's profile photo gets uploaded to this path and not to the /private path where the permissions won't allow other users to see or change other users profile photos.
The description of the IAM policy for S3 uploads and downloads in the app bucket states that "This policy’s effective permissions will allow all authenticated users to read objects from the root of the bucket and any /protected path, but only allow users to read their own private sub-path and write to their sub-path within the protected path." (my styling)
Instead the policy clearly also permits PutObject and DeleteObject from the /public/* path:
Indeed, with the modifications to the app proposed in the next step, the user's profile photo gets uploaded to this path and not to the /private path where the permissions won't allow other users to see or change other users profile photos.