What you are looking for are signed URLs. The way they work in a nutshell is, when a customer requests a download, you generate a signed URL on the server/java action (using a secret API key for AWS). The user can use this URL to download the file directly from AWS without interacting with your Mendix app and without knowing the secret key.
As Andrej suggest a signed URL is possible.
When you have a lot of content, and you do not want to sign every URL you can have a look at signed session cookies