I followed https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

But I cannot figure out what the ACL on AWS.S3.PutObjectRequest should be when I upload to an S3 bucket. Possible values: "private"|"public-read"|"public-read-write"|"authenticated-read"|"aws-exec-read"|"bucket-owner-read"|"bucket-owner-full-control"

I am using the JavaScript SDK. Currently I have "public-read"; I know I should change this, but I am not sure which is the best for this case. My initial thought is "private".

A.Blanc

1 Answer

private is correct, though not strictly necessary, since that's the default behavior. Specifying no ACL or specifying the "private" canned ACL is exactly the same.

private | Bucket and object | Owner gets FULL_CONTROL. No one else has access rights (default).

https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl

"No one else has access rights" actually means "No one else has access rights granted by the ACL," since the bucket owner can grant access to objects it owns using the bucket policy (or IAM user/role policies, though that isn't applicable to an Origin Access Identity, which is granted access via the bucket policy).

Michael - sqlbot
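The following is an added example, not code from the question or the answer: it builds the PutObject parameters and an Origin Access Identity bucket policy, then lists any grant that would let the object be read without going through CloudFront. The bucket name, OAI ID and function names are assumed placeholders, and the policy check is simplified (exact action names only, unconditioned statements only).

```javascript
// Added example with assumed placeholder values (not taken from the question).
const BUCKET = "example-private-bucket";
const OAI_ID = "EXAMPLEOAIID";

// Grants each canned ACL adds on top of the object owner's FULL_CONTROL.
const CANNED_ACL_EXTRA_GRANTS = {
  "private": [],
  "public-read": ["AllUsers:READ"],
  "public-read-write": ["AllUsers:READ", "AllUsers:WRITE"],
  "authenticated-read": ["AuthenticatedUsers:READ"],
  "aws-exec-read": ["AmazonEC2:READ"],
  "bucket-owner-read": ["BucketOwner:READ"],
  "bucket-owner-full-control": ["BucketOwner:FULL_CONTROL"],
};

// Parameters for s3.putObject(); leaving ACL out is the same as ACL: "private".
function buildPutObjectParams(key, body, acl) {
  const params = { Bucket: BUCKET, Key: key, Body: body };
  if (acl !== undefined) params.ACL = acl;
  return params;
}

// Bucket policy that grants read access to the OAI and to nobody else.
function buildOaiBucketPolicy(bucket, oaiId) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${oaiId}` },
      Action: "s3:GetObject",
      Resource: `arn:aws:s3:::${bucket}/*`,
    }],
  };
}

// Report ACL grants and policy statements that open the object to a
// principal other than the owner, the bucket owner, or the OAI.
function findBypassPaths(params, policy) {
  const findings = [];
  const acl = params.ACL || "private";
  const grants = CANNED_ACL_EXTRA_GRANTS[acl];
  if (!grants) findings.push(`unknown canned ACL: ${acl}`);
  else grants.filter((g) => !g.startsWith("BucketOwner:"))
    .forEach((g) => findings.push(`canned ACL ${acl} grants ${g}`));
  for (const s of policy.Statement) {
    const p = s.Principal;
    const anyone = p === "*" || [].concat((p && p.AWS) || []).includes("*");
    const reads = [].concat(s.Action).some((a) => ["*", "s3:*", "s3:GetObject"].includes(a));
    if (s.Effect === "Allow" && anyone && reads && !s.Condition)
      findings.push("bucket policy allows s3:GetObject for Principal *");
  }
  return findings;
}
```

With the AWS SDK for JavaScript v2, the object returned by `buildPutObjectParams` is what would be passed to `s3.putObject(params)`.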