Yes, you are absolutely right. Exposing them in the frontend is surely a bad idea.

Here are the security measures you can take:

You can restrict the permissions attached to that particular IAM user and prevent it from doing anything other than accessing S3.

Then you can update the CORS policy and allow only your trusted domain from which your application will access S3.

So even if someone gets the accessKey and secretkey they will not be able to do anything fishy.
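As an added example (not part of the original reply), the following Python check audits an IAM policy document for the restriction described above and flags any Allow statement that reaches beyond specific S3 resources. The bucket name `example-app-uploads`, both sample policies, and the function name `audit_s3_only` are constructed for illustration.

```python
import json

# Constructed sample policies (hypothetical bucket "example-app-uploads").
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-uploads/public/*",
    }],
})


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_s3_only(policy_json):
    """Return findings for Allow statements that go beyond scoped S3 access."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            # Action names are case-insensitive; "*" or "iam:*" is not S3-only
            if not action.lower().startswith("s3:"):
                findings.append(f"statement {i}: non-S3 action {action!r}")
            elif action.lower() == "s3:*":
                findings.append(f"statement {i}: s3:* grants every S3 operation")
        for resource in _as_list(stmt.get("Resource")):
            # Assumes the standard "aws" partition; flags "*" and the all-buckets ARN
            if not resource.startswith("arn:aws:s3:::") or resource == "arn:aws:s3:::*":
                findings.append(f"statement {i}: resource {resource!r} is not a specific S3 ARN")
    return findings
```
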
