Exactly. You have control over the read-access permissions on any content on S3. Anything set to 'private' cannot be accessed by the outside world without a URL with an encrypted key salted with your private key and an expiration date. I am already doing this with my startup and it is a wonderful feature, with no fears of 'botnet attacks'.
