This doesn’t seem like it involves the Roots stack: If you’re controlling the permissions on S3 urls, that validation would have to happen on the S3 servers. I would guess that this would entail setting some kind of per-object permissions on S3 when files are uploaded, but that’s just a guess—and it seems outside the scope of these forums. Is there something about this issue that you feel makes it Roots-specific?
Oh, I thought you were just talking about pushing content to S3. With local mount points you probably could do some interesting permissions stuff. @ben wrote that article so he might have a little more insight. My guess would be you’d have to use some kind of authentication measure (i.e. cookies) that could be read server-side, and then use NGINX to conditionally block/unblock content based on that. It looks like NGINX has access to cookies through internal variables: https://nginx.org/en/docs/http/ngx_http_core_module.html#variables That’s just a guess, though.