This is official help that describes how to do this.
Locate the section titled "Request for query string request authentication"
GET /photos/puppy.jpg?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE& Signature=rucSbH0yNEcP9oM2XNlouVI3BH4%3D& Expires=1175139620 HTTP/1.1
Here, edit the help page.
You can authenticate certain types of requests by passing the required information as query string parameters instead of using the authorization HTTP header. This is useful for allowing third-party browsers to directly access your Amazon S3 data without proxying the request. The idea is to create a โpre-signedโ request and encode it as the URL that the end user's browser can receive. In addition, you can limit the pre-signed request by specifying the expiration time.