In section S3 ACL access policy, about 9 mins into it, even though there is an explicit deny all, the public object can be accessed using the HTTPS URL. The explanation was that this is because it does not go through the authentication mechanism. But in section Forcing Encryption using S3, a bucket policy was used to force the access only through HTTPS. Why does the bucket policy apply in one case but not another?
In the S3 ACL lesson, the deny all is not a bucket policy; it is an IAM policy. As such, it cannot affect non-IAM users. The bucket policy allows anyone to get the object, even unauthenticated users.
In the Forcing Encryption using S3 lesson, they use a bucket policy to again affect unauthenticated users.
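
Added example, not part of the original answer or the course material: a simplified Python model of the evaluation discussed in this thread, showing why an identity-policy deny never reaches an anonymous request while a bucket-policy deny does. The bucket name, the user `alice`, the policy contents and the use of the `aws:SecureTransport` condition key for the HTTPS-only rule are assumptions made for illustration.

```python
# Simplified model of S3 request authorization (not AWS's actual engine).
# Bucket name, user name and policies are constructed sample values.
RESOURCE = "arn:aws:s3:::example-bucket/*"

BUCKET_POLICY_PUBLIC_READ = [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": RESOURCE},
]
# Same bucket, plus a deny for any request that did not arrive over TLS.
BUCKET_POLICY_HTTPS_ONLY = BUCKET_POLICY_PUBLIC_READ + [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": RESOURCE,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]
# Identity (IAM) policy attached to one user: explicit deny on everything.
IAM_POLICIES = {"alice": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def _matches(stmt, request):
    """True if the statement's action, resource and conditions all match."""
    if stmt["Action"] not in ("*", request["action"]):
        return False
    res = stmt["Resource"]
    if res != "*" and not request["resource"].startswith(res.rstrip("*")):
        return False
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(request["context"].get(key, "")).lower() != want:
            return False
    return True  # Principal is "*" in every bucket statement above


def evaluate(request, bucket_policy):
    """Return 'Allow' or 'Deny' for one request."""
    # Identity policies exist only for authenticated IAM principals; an
    # anonymous request (principal None) has none, so only the bucket
    # policy is evaluated for it.
    identity = IAM_POLICIES.get(request["principal"], [])
    matched = [s for s in identity + bucket_policy if _matches(s, request)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"    # an explicit deny always wins
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "Deny"        # nothing allowed it: implicit deny


def get(principal, secure):
    """Build a GetObject request; principal=None means unauthenticated."""
    return {"principal": principal, "action": "s3:GetObject",
            "resource": "arn:aws:s3:::example-bucket/report.txt",
            "context": {"aws:SecureTransport": str(secure).lower()}}
```

Calling `evaluate(get(None, True), BUCKET_POLICY_PUBLIC_READ)` models the public URL from the ACL lesson, and `evaluate(get(None, False), BUCKET_POLICY_HTTPS_ONLY)` models a plain-HTTP request against the HTTPS-only bucket policy.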