Neither. If you look at the S3 URL, they are URLs with expiry times after which they stop serving the content. The cryptographic signature makes it... let's call it "infeasible" to manipulate the URL to change the expiry time.