The AWS docs page has the following instructions for uploading files to an AWS bucket from the browser: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html
This solution sends the browser a policy and a signature, made using the secret key, that is validated on POST. It also exposes the AWS Key ID (but not the AWS Secret Key). Isn't it a bad practice? Although the secret ID is not exposed, exposing the AWS Key ID sounds bad to me because an attacker can use brute force to guess the key (having the policy and the signature).
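
The mechanism described in the question, as an added example that is not part of the original post or of the AWS documentation: a server-side sketch of how the policy is signed and which form fields reach the browser. It assumes the Signature Version 4 form of the POST policy; the function name `presign_post`, the bucket, the key prefix and both key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_post(access_key_id, secret_key, bucket, key_prefix,
                 region, amz_date, expiration):
    """Return the form fields the server hands to the browser (hypothetical helper)."""
    date = amz_date[:8]  # YYYYMMDD part of the credential scope
    credential = f"{access_key_id}/{date}/{region}/s3/aws4_request"
    policy = {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", key_prefix],
            ["content-length-range", 0, 5 * 1024 * 1024],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    # SigV4 signing key: the secret key is only ever an HMAC input, on the server.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, policy_b64.encode(), hashlib.sha256).hexdigest()
    return {
        "policy": policy_b64,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,  # contains the access key ID
        "x-amz-date": amz_date,
        "x-amz-signature": signature,
    }


# Constructed sample values, not real credentials.
SAMPLE_KEY_ID = "AKIAEXAMPLEKEYID0000"
SAMPLE_SECRET = "constructed-secret-not-a-real-key"
FIELDS = presign_post(SAMPLE_KEY_ID, SAMPLE_SECRET, "example-bucket", "uploads/",
                      "us-east-1", "20240101T000000Z", "2024-01-01T00:15:00Z")

if __name__ == "__main__":
    for name, value in FIELDS.items():
        print(f"{name}: {value}")
```
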