Limiting S3 folder access per user

I am trying to limit access to files uploaded to particular users (or even groups of users). I want to make a private S3 bucket that only delivers resources to those who can access it.

Is handling GET object permissions within a lambda a bad idea? I was thinking something like the opposite to creating a presigned URL for uploading.

The only other way I can see this being possible is dynamically creating IAM policies for users when they create the file, using their UUID in the folder path.

Cheers in advance!