This is the set-up I want to have:
I want to use an Amazon S3 bucket to store all photos uploaded by users in my App.
None of these photos should be accessible to the public. These are all secured photos; only authorised users can view them, and no user will ever be able to access them directly from the S3 bucket.
Each time a user wants to view a photo, their GET request will reach my server's API route, which will do the authorisation check, and if they have permission, my server will contact the S3 bucket, fetch the image and then return this image back to the user.
Basically, my app users will never reach the S3 bucket directly; only my server is authorised to reach the S3 bucket to GET, PUT and DELETE, and no one else should be able to see anything in my S3 bucket.
This is what I have done so far:
Created an IAM User with the "AmazonS3FullAccess" policy.
Disabled all public access in my S3 bucket.
Created the following bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::myapp"
            ],
            "Principal": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::myapp/*"
            ],
            "Principal": "*"
        }
    ]
}
What Happens?
When I paste the above, I get the Access Denied error. When I searched SO on this, the answers recommend that I should uncheck "Block public access to buckets and objects granted through new public bucket policies". When I uncheck the above, the Amazon console keeps showing a warning that it is not safe to provide public access to my bucket.
Although I am able to save the above bucket policy after enabling public access, the warning about having public access shown in the console is worrisome.
So, I really don't want to allow public access at all in my bucket. I only want my Laravel application on my server, which uses the IAM credentials, to access and fetch the images, and no one else should have access to this S3 bucket.
I have read many links on this but I am still confused here.
My questions are:
In my use case, do I need to enable Public Access on my bucket if I only want to allow 1 IAM user to access the bucket listing programmatically?
Do I even need to set a Bucket Policy? Since I have already set a policy when I created the IAM user, isn't that enough?
If I need to add a Bucket Policy as well, do I leave the Principal as * or do I need to add the User ARN here?
Am I able to add the Bucket Policy without enabling Public access?
Am I safe to do it with the above steps, or am I missing something?
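As an added illustration of the Principal question above (example code written for this page, not part of the question or any answer to it): the posted bucket policy is reproduced with `"Principal": "*"` beside the same two statements with the Principal narrowed to one IAM user ARN, plus a small check that flags the wildcard-principal Allow statements that the S3 "public access" warning is about. The account id `123456789012`, the user name `myapp-backend`, and the resulting ARN are assumptions for the example; the bucket name `myapp` comes from the question.

```python
import json

# Assumed identifiers for this example (not from the question).
ACCOUNT_ID = "123456789012"
IAM_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/myapp-backend"
BUCKET = "myapp"

# The policy exactly as posted in the question: both Allow statements use the
# wildcard principal, which is what makes S3 classify the policy as public.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Principal": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
            "Principal": "*",
        },
    ],
}


def build_bucket_policy(bucket: str, principal_arn: str) -> dict:
    """Same two grants, but the Principal is a specific IAM user ARN.

    Nothing is granted to anonymous or cross-account callers, so the policy
    is not a public one and can be attached with Block Public Access left on.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListFromBackendOnly",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "AllowObjectAccessFromBackendOnly",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def public_statements(policy: dict) -> list:
    """Return labels of Allow statements whose Principal is the wildcard.

    This is a simplified version of the check S3 applies: it looks only for
    "*" or {"AWS": "*"} and ignores Condition keys (such as aws:SourceVpc or
    aws:PrincipalOrgID) that AWS treats as narrowing a wildcard principal.
    """
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        is_wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if is_wildcard:
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


if __name__ == "__main__":
    print("posted policy, wildcard Allow statements:",
          public_statements(POSTED_POLICY))
    scoped = build_bucket_policy(BUCKET, IAM_USER_ARN)
    print("scoped policy, wildcard Allow statements:",
          public_statements(scoped))
    print(json.dumps(scoped, indent=2))
```

Running it lists both statements of the posted policy as wildcard grants and none for the scoped version; the printed JSON is the shape of policy that names the backend user rather than `*`.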