Yes, you are absolutely right. Exposing them in the frontend is surely a bad idea.
Here are the security measures you can take:
You can restrict the permissions attached to that particular IAM user and prevent it from doing anything other than accessing S3.
Then you can update the CORS policy and allow only your trusted domain from which your application will access S3.
So even if someone gets the accessKey and secretKey, they will not be able to do anything fishy.
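A check for the two measures described in this answer, added here as an example (not code from the original post): it audits an IAM policy document for anything beyond S3 access to a named bucket, and an S3 CORS configuration for origins outside a trusted list. The bucket name, origin and function names are assumptions, and the sample documents are constructed.

```python
"""Audit an IAM policy and an S3 CORS configuration (constructed samples)."""

def _as_list(value):
    # IAM accepts either a single value or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def audit_iam_policy(policy):
    """Return findings for Allow statements that reach beyond scoped S3 access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if not action.lower().startswith("s3:"):
                findings.append(f"statement {i}: non-S3 action {action!r}")
            elif action.lower() == "s3:*":
                findings.append(f"statement {i}: wildcard action 's3:*'")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith("arn:aws:s3:::") or res.startswith("arn:aws:s3:::*"):
                findings.append(f"statement {i}: resource {res!r} is not one named bucket")
    return findings

def audit_cors(cors, trusted_origins):
    """Return findings for CORS rules that allow origins outside the trusted set."""
    findings = []
    for i, rule in enumerate(cors.get("CORSRules", [])):
        for origin in rule.get("AllowedOrigins", []):
            if "*" in origin or origin not in trusted_origins:
                findings.append(f"rule {i}: origin {origin!r} is not on the trusted list")
    return findings

# Constructed sample documents; bucket name and origin are placeholders.
TRUSTED = {"https://app.example.com"}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"}]}
WEAK_CORS = {"CORSRules": [
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT"], "AllowedHeaders": ["*"]}]}
SCOPED_CORS = {"CORSRules": [
    {"AllowedOrigins": ["https://app.example.com"], "AllowedMethods": ["GET", "PUT"],
     "AllowedHeaders": ["*"]}]}

if __name__ == "__main__":
    for name, result in [("weak policy", audit_iam_policy(WEAK_POLICY)),
                         ("weak CORS", audit_cors(WEAK_CORS, TRUSTED))]:
        print(name, result)
```

S3 applies CORS rules to cross-origin requests made by browsers, so the IAM policy is the control that bounds what the keys themselves can do.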