Acho que isso responderá à sua pergunta:
Desça e comece a ler na resposta de Michael Fisher.
DO NOT hardcode your key on the client. The right way to do this is (via a secure channel) to deliver a pre-built request with an encrypted signature -- this signature can be built with the API provided by S3.
You can extract the composition of the encrypted signature reqest from one of the request objects in the S3.cs class (I am referring to the C# implementation - not sure which you are using but they should be pretty analagous). Then have your client securely request the object from your server side, and rather than spit back the object, spit back the formated request. I believe this is the most secure technique, assuming again that you've properly secured the channel (SSL, or whatever scheme you choose).