79536722

Date: 2025-03-26 17:01:20
Score: 1

I have an S3 bucket with an event notification triggering a Lambda function. Whenever a file is uploaded to the S3 bucket, the Lambda function will go through AWS Systems Manager, which is built in to most EC2s including Windows, to use PowerShell to call an AWS CLI copy job to the EC2 folder that you define.

As far as the IAM roles go, the Lambda function will need AWS Systems Manager access, e.g. the "AmazonSSMFullAccess" policy, which is likely too much but it'll work, along with S3 access to read the objects. Your EC2's IAM role will need, at minimum, the following policies: "AmazonSSMManagedInstanceCore", and depending on what else you're doing, possibly "AmazonEC2FullAccess" and "AmazonS3FullAccess". Again, the "full access" policies are far too much, but they'll work, and from there, just downgrade to a lower policy to ensure that your Lambda is still working.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Jay Liu
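
An added example, not part of the original answer: one way to write the Lambda side of this S3 -> Lambda -> Systems Manager -> PowerShell flow so that the uploader-controlled object key is validated and quoted before it reaches the shell, together with scoped policies that could replace the "full access" ones. The instance ID, bucket name, destination folder, region and account number are assumed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Assumed placeholders, not values from the post.
INSTANCE_ID = "i-0123456789abcdef0"
BUCKET = "example-upload-bucket"
DEST_DIR = "C:\\inbound\\"
REGION, ACCOUNT = "us-east-1", "111122223333"

# Allowlist for object keys: the key is uploader-controlled and ends up in a shell line.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,255}")

def ps_quote(s):
    """PowerShell single-quoted literal; an embedded ' is escaped by doubling it."""
    return "'" + s.replace("'", "''") + "'"

def build_command(record):
    """Map one S3 event record to an `aws s3 cp` line, or raise ValueError."""
    bucket = record["s3"]["bucket"]["name"]
    key = unquote_plus(record["s3"]["object"]["key"])  # event keys are URL-encoded
    if bucket != BUCKET or not SAFE_KEY.fullmatch(key) or ".." in key.split("/"):
        raise ValueError(f"rejected object {bucket!r}/{key!r}")
    return f"aws s3 cp {ps_quote(f's3://{bucket}/{key}')} {ps_quote(DEST_DIR)}"

def lambda_policy():
    """Lambda role: SendCommand on one document and one instance, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "ssm:SendCommand",
        "Resource": [
            f"arn:aws:ssm:{REGION}::document/AWS-RunPowerShellScript",
            f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{INSTANCE_ID}"]}]}

def instance_policy():
    """EC2 role, alongside AmazonSSMManagedInstanceCore: read this bucket only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the rest runs offline
    commands = [build_command(r) for r in event["Records"]]
    resp = boto3.client("ssm").send_command(
        InstanceIds=[INSTANCE_ID], DocumentName="AWS-RunPowerShellScript",
        Parameters={"commands": commands})
    return resp["Command"]["CommandId"]
```

With `s3:GetObject` alone, a copy of a missing key fails with an access-denied error rather than not-found; add `s3:ListBucket` on the bucket ARN if that distinction matters for troubleshooting.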