In the end, I had a separate bash script that adds the correct ACL to the files created by Redshift.
S3_BUCKET="bla" UNLOAD_FOLDER="path/to/bla" for i in $(aws s3 ls s3://${S3_BUCKET}/${UNLOAD_FOLDER}/ --recursive | awk '{ print $4}'); do echo $i ; aws s3api put-object-acl --bucket %s --region us-east-1 --key $i --acl bucket-owner-full-control; done done