Amazon S3 - private file is still downloadable for everyone?

Check your bucket policy by going to bucket, then click on Properties and Edit Bucket Policy. If you have something like this:

    {
        "Sid": "Stmt1391783519913",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "s3:GetObject",
        ],
        "Resource": "arn:aws:s3:::bucket/*"
    },

it means that you are allowing everyone to download every files in this bucket.

According to the document:

If an account has access to resources that an ACL or policy specifies, they are able to access the requested resource.

That is the reason why an anonymous user can still open/download your files.

You can prevent it by adding a new policy like below:

    {
        "Sid": "Stmt1395306106592",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/some/path/*.ext"
    },