I should've been more verbose. You cannot calculate the signature client side without leaking the key. So you need a server. That step is identical to what this "serverless" implementation is doing.
Correct. But the signature doesn't necessarily need to be per-file upload, so I have it embedded in JS. For my use case, saving the extra network hop is worthwhile.
Yeah, that's true. But you can limit the secret key to an IAM user with only perms to upload to that particular bucket. I know it can still cause damage, but nothing like disclosing your root key. If you do a cost-analysis taking into account development on the back-end, doesn't seem so bad, till, of course, it does.