Setup AWS infrastructure to let customers drop files

// Perhaps this is too broad of a question but I've never done any AWS before and am a bit in the weeds - Will delete question if community deems bad.

Using AWS, I want to setup an endpoint where customers can upload files via a POST or PUT with an token for authorization. Alternatively, they could also use SFTP (write only) with a token or user id / password.

So I need:

1. A way for customers to get a secure authorization token somehow. Is there a Vault type product in AWS where only some IPs can request short lived tokens to then use as authN/Z when trying to upload files.

2. I assume that the uploaded files can be in stored in S3, and my process with different permissions can access the uploaded files and do what I need to with them. Parse data into a DB (I can probably figure this out with S3 as well)

3. Optionally, a hosted web page, where once authN/Z as in #1, there's a simple drop zone where they can use the web to upload. (essentially, the site's logic would create the request for them in #1)

I'd be interested in how someone who knows would architect this.

Some ideas:

• AWS Transfer provides a managed sFtp front end to S3, user management here. Beware it's about US$216 per month to enable the service and $0.04 per GB, plus I think you have to pay for AWS Directory Service. It would be cheaper to run a standard sFtp server on Lightsail.
• IAM users with S3 rights is an option, may be more work but it's a LOT cheaper. IAM users cost nothing, and you can set up an S3 bucket so each user has their own folder. It's more work for the user though.
• Write a web-app
• Use Dropbox