Using a proxy will use the proxy's EC2 bandwidth, not the S3 bandwidth.
If you don't want to use a proxy, you can use signed URLs to control access to the files on S3. You can provide a signed link to the content on S3. Then only people to whom you sent the link will be able to see the file on S3 (although nothing is preventing them from sharing that link).
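What such a signed link contains, as an added example (not code from the original text): a Signature Version 4 presigned GET URL built with only the Python standard library, assuming SigV4 query-string signing, which the text does not specify. The bucket, key and region are hypothetical, the credentials are AWS's documentation placeholders, and in practice an AWS SDK generates these URLs for you.

```python
import datetime, hashlib, hmac
from urllib.parse import parse_qs, quote, urlsplit

MAX_EXPIRES = 604800  # SigV4 presigned URLs are valid for at most 7 days

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(bucket, key, access_key, secret_key, region, expires, now):
    """Build a SigV4 presigned GET URL valid `expires` seconds from `now` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 and 604800 seconds")
    host = f"{bucket}.s3.amazonaws.com"  # assumption: global virtual-hosted endpoint
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    path = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    # The expiry sits inside the signed query string, so a recipient cannot extend it.
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = _hmac(k, part)  # derive the per-day, per-region, per-service signing key
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def expires_at(url):
    """Return the UTC time after which S3 rejects this presigned URL."""
    q = parse_qs(urlsplit(url).query)
    start = datetime.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return start + datetime.timedelta(seconds=int(q["X-Amz-Expires"][0]))

# Constructed sample input: placeholder credentials, hypothetical bucket and key.
NOW = datetime.datetime(2013, 5, 24, 0, 0, 0)
URL = presign_get("examplebucket", "test.txt", "AKIAIOSFODNN7EXAMPLE",
                  "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1", 900, NOW)
if __name__ == "__main__":
    print(URL)
    print("rejected after", expires_at(URL))
```

Because anyone holding the URL can use it until it expires, a short `expires` value is the main limit on how far a shared link can travel.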