I have several PDF files stored in Amazon S3. Each file is associated with a user and only the file owner can access the file. I have enforced this in my download page. But the actual PDF link points to Amazon S3 url, which is accessible to anybody.
How do I enforce the access-control rules for this url?(without making my server a proxy for all the PDF download links)
I would suggest using Amazon S3's authenticated REST URLs with an expiration date. They allow temporary, expiring access to a non-public S3 object.
That said, if they're going to share the URL, what's stopping them from sharing the file itself?
Each file on your S3 account can have special access rights (ACL). You should set all your PDFs ACL to private. Then nobody will be able to access them.
S3 has an API which allows you to "temporarily" grant read-access. For example Amazon's S3 PHP Library has a getAuthenticatedURL (string $bucket, string $uri, integer $lifetime, [boolean $hostBucket = false], [boolean $https = false]) function.
This will enable you to allow access to a PDF for a defined amount of time (like 5 minutes) - which is more than enough if you immediatly redirect the user to S3.