Hiding is not a security feature, it is cosmetic only.
To protect files you make either the view permissions of the page or module allow only specific roles and the download page will enforce that. So you would set the View Roles to "Authenticated Users" which is a role that all users get added to automatically when they register.
I'd be interested to see what you come up with for Amazon S3 support, however if the files will be served by an url that points to an amazon server I do not know how you will secure the files.
The way it works in the Shared Files feature is the we store all the files on disk with a .config extension which is an extension protected by .NET so files with this extension cannot be retrieved by an url directly to the file even if you know what the url is. This allows us to enforce role permissions on files that otherwise IIS would gladly serve up if the url is requested. What we do is check permissions and if the user has permissions then we serve the file with Response.TransmitFile and we change it back to it's original extension as we serve it.
So I don't know how you will enforce security if the files can be retrieved directly by an url to an Amazon S3 server.