Trigger AWS Lambda by S3 object GET

Rather then having them public for anyone to download I would make them private and only distribute pre-signed URLs to your colleagues and clients.

You can create a simple portal where your clients login and get a pre-signed link to the S3 object that expires e.g. in an hour. If they need to download it again they can get a fresh link any time. This will give you complete control and auditability of who can download your S3 objects without risking massive egress fees.

Check this out: https://aws.nz/best-practice/s3-presigned-url/

Hope that helps :)