It should be noted that it is possible to apply rules to individual objects in a bucket policy by specifying the specific object as the resource in the bucket policy as opposed to using /*. Whether this is better or worse than using ACLs, I’m not sure. Does AWS have a recommendation?
This is mentioned in the Cloud Guru S3 Masterclass. Although you can specify individual access control rules for objects within a Bucket Policy, it becomes hard to manage, especially if you have thousands of objects in the bucket. You would likely exceed the 20kb limit for the Bucket Policy. Therefore, Bucket ACLs are better suited for access control on individual objects.
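
The size argument in the reply above, as an added example (not written by either commenter, and not AWS code): it builds a bucket policy with one statement per object, each naming the object as the resource instead of `/*`, and counts how many such statements fit under the 20 KB limit. The bucket name, key names, account ID and user names are constructed, and measuring the limit as compact JSON bytes is an assumption.

```python
import json

# 20 KB bucket policy limit from the discussion; counting compact JSON bytes is an assumption.
POLICY_LIMIT_BYTES = 20 * 1024


def object_statement(bucket, key, principal_arn, sid):
    """One Allow statement scoped to a single key (or to every key when key is '*')."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{key}",
    }


def build_policy(statements):
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size(policy):
    """Size in bytes of the policy serialized without optional whitespace."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def per_object_policy(bucket, count):
    """Constructed case: each object is readable by a different user, one statement each."""
    return build_policy([
        object_statement(
            bucket,
            f"reports/report-{i:04d}.pdf",               # constructed key name
            f"arn:aws:iam::111122223333:user/user-{i:04d}",  # constructed principal
            f"Obj{i:04d}",
        )
        for i in range(count)
    ])


def wildcard_policy(bucket, principal_arn):
    """The /* form: one statement covers every object in the bucket."""
    return build_policy([object_statement(bucket, "*", principal_arn, "AllObjects")])


def max_per_object_rules(bucket):
    """Largest number of per-object statements that still fits under the limit."""
    count = 0
    while policy_size(per_object_policy(bucket, count + 1)) <= POLICY_LIMIT_BYTES:
        count += 1
    return count


if __name__ == "__main__":
    fit = max_per_object_rules("example-bucket")
    print(f"per-object statements that fit: {fit}")
    print(f"wildcard policy size: {policy_size(wildcard_policy('example-bucket', 'arn:aws:iam::111122223333:user/user-0000'))} bytes")
```

With names of this length the limit is reached after roughly a hundred per-object statements, well short of a bucket holding thousands of objects.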