Setup the bucket with webapp user that can upload / download make links.
First off we need to create a user in amazon IAM for our webapp to login as. Do this through the console and take note of its ARN, use the keys to login.
Next create the S3 bucket and configure it to only allow that user. This is done in the bucket policy as in the screenshot below. It would be nice if this could be done without code, but the IAM user doesnt show up in the list of users.
Now you should be able to generate pre signed urls to provide short lived links users, as described in the amazon docs.