Should ACL option be excluded if cdnPath is specified?

[ffxsam]

S3 buckets behind a CDN don't need public read access at all. So when I try to deploy to my S3 bucket, I get "access denied" because the putObject call is doing ACL: 'public-read'.

There's also another bug where if you specify a cdnPath like this:

cdnPath: https://cdn.site.org/subfolder

the files get put at the root level in the S3 bucket, e.g. v1.0/file1.js rather than subfolder/v1.0/file1.js.

I'm happy to open PRs for these.