You could use presignedURL to do that:

1. Send a request from client side to server side to generate presignedURL (server side will authenticate and process where the file will be placed,... )
2. After that, server will send back to client side a presignedURL with a timeout setting. Client side will use that URL to make a request to upload file directly into S3

You maybe ask about the file information (size, metadata,... ) You could get that information and send to server in the first request. It means you will send the file information in the request which send back the presignedURL. At that process, you could verify something such as:

• Is client side domain in your system?
• File type in the acceptance list?
• ... etc

Note:

• Maybe we would need to verify some properties in both client side and server
• If you uploaded many times with the same presignedURL. It would replace the old one
• Maybe you need another service to check the file content (in case end-user uploads sensitive file or something like that)

I hope my idea could help you