Presigned URLs are useful for fine-grained access control to resources on S3.
For example, S3 is a useful option for storing text blocks larger than DynamoDB allows with its 400KB size limit.
Setting aside the various ACL methods and using presigned URLs instead, it's possible to create Lambda functions that generate the required upload and download URLs.
With the default IAM roles and Lambda proxy configuration of Serverless, Lambdas are assigned an IAM role for the application (so that a logical group of functions can share resources, e.g. for a CRUD REST API). Each function then assumes the IAM role via its own function name.
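What such a Lambda function computes when it issues an upload or download URL, as an added example that is not code from the original page: a standard-library SigV4 query presigner for S3. In a deployed function you would normally call boto3's `generate_presigned_url` instead; `presign`, `SAMPLE_CREDS` and the bucket and key names used with it are hypothetical.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values, not real credentials.
SAMPLE_CREDS = ("EXAMPLEACCESSKEYID", "example-secret-key", "example-session-token")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign(method, bucket, key, creds, region="us-east-1", expires=300, now=None):
    """Return a SigV4 presigned S3 URL valid for `expires` seconds.

    `creds` is (access_key, secret_key, session_token). Inside Lambda these
    are the temporary credentials of the function's IAM role, so the URL can
    never grant more than that role is allowed to do on the bucket.
    """
    access_key, secret_key, token = creds
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # keep short: the URL is a bearer token
        "X-Amz-SignedHeaders": "host",
    }
    if token:  # role credentials always carry a session token
        params["X-Amz-Security-Token"] = token
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    # The HTTP method and object key are signed: a GET URL cannot be used to PUT.
    canonical = "\n".join([method, path, query, f"host:{host}\n", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"
```

Because the signature covers the method, key and expiry, separate URLs are issued for upload (`PUT`) and download (`GET`), and the role's S3 permissions bound what either URL can do.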