Roku Developer Program

mkammes
Roku Guru

Slightly OT: Restricting Read only access to media on S3 for Roku

Hello all:

I use AWS S3 for my HLS files (plus the m3u8 manifest). As such, I make the media read access to everyone so my Roku channel can read the media.

Is there a way on AWS to force Read access *only* via Roku?

Context: my S3 bill last month was 13x higher than normal - but no additional traffic on my Roku channel and 95% of it was from one 24 hour period. I can only surmise that the URLs for the media were accessed somehow, as they were public. This bucket is *only* used for my HLS streams.

Thanks!

0 Kudos
4 REPLIES 4
OddScott
Roku Guru

Re: Slightly OT: Restricting Read only access to media on S3 for Roku

You could control access based on the User-Agent header, which usually has "Roku" in it. Here's an access policy that should work: https://stackoverflow.com/questions/27437438/amazon-s3-bucket-policy-filter-by-user-agent

But it's pretty easy to generate a custom User-Agent header so that would be no guarantee that it's a Roku device accessing your files.

You've probably already done this, but it's also important to have a bucket access policy that blocks indexing. Not doing this would allow anyone to list the bucket contents: https://stackoverflow.com/questions/9558831/how-to-prevent-directory-browsing-of-s3-bucket

www.InstantTvChannel.com - 717-441-4386 - Build a Roku SDK channel in 15 minutes! - Easy Direct Publisher to SDK upgrades!
mkammes
Roku Guru

Re: Slightly OT: Restricting Read only access to media on S3 for Roku

This is great information.  I'll do some digging.  Thanks!

0 Kudos
mkammes
Roku Guru

Re: Slightly OT: Restricting Read only access to media on S3 for Roku

Are there any shared credentials that Roku has? The User-Header could be spoofed (as you mentioned).

I can certainly prevent indexing, I'll verify that.

Edit: Verified. ACL Access to "Everyone" in the bucket has list objects, write objects, and read and write bucket permissions unchecked.

Digging into the logs, it looks like iTunes from systems on the same network (20.185.243.xx) is trying to download MP4 files that sit on S3 for Roku and for various Podcast outlets that pull from that bucket. However, the file is failing on the download, so iTunes keeps trying. But it seems to be massively fast, almost as if iTunes was sitting on a fiber connection (not a data center, as it's from a macOS): the download times out after ~1/4 of a second, but having transferred several dozen MB or more in that time.

Anyway, any other suggestions are appreciated.

Thanks again!

0 Kudos
OddScott
Roku Guru

Re: Slightly OT: Restricting Read only access to media on S3 for Roku

Roku has a few types of DRM built-in, and Amazon has some support docs related to this also. Looks to be rather unpleasant to set up, and possibly expensive as there are licensing fees involved.

For your immediate problem, if you are using an access policy for your bucket then you can add a condition to prevent access from all 20.185.243.* addresses.

Another approach might be to stop streaming directly from AWS. AWS is somewhat expensive at about 9 cents per gigabyte streamed. There are a number of CDNs that can securely use your S3 bucket with the HLS content as an origin and stream into your Roku channel for around 1 cent per GB or less. See https://inxy.com/cdn-packages/ for some examples. Doesn't stop the problem of evildoers figuring out your stream URLs, but it does reduce the cost.

www.InstantTvChannel.com - 717-441-4386 - Build a Roku SDK channel in 15 minutes! - Easy Direct Publisher to SDK upgrades!
0 Kudos
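The log review and the IP-based deny condition discussed in this thread can be tied together as below. This is an added example, not code from any poster: it sums bytes sent per /24 network from S3 server access log lines and builds a bucket-policy `Deny` statement for the heavy non-Roku sources. The bucket name, threshold, function names and sample log lines (documentation IP ranges standing in for the network named in the thread) are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Fields used from the S3 server access log format: remote IP, bytes sent, User-Agent.
LOG_RE = re.compile(
    r'^\S+ \S+ \[[^\]]+\] (?P<ip>\S+) \S+ \S+ \S+ \S+ "[^"]*" '
    r'\S+ \S+ (?P<bytes>\d+|-) \S+ \S+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, made-up request IDs).
SAMPLE_LOG = """\
owner1 example-media-bucket [06/Feb/2019:00:00:38 +0000] 203.0.113.7 - R1 REST.GET.OBJECT ep1.mp4 "GET /ep1.mp4 HTTP/1.1" 206 - 41943040 734003200 250 12 "-" "iTunes/12.9 (Macintosh; OS X 10.14)" -
owner1 example-media-bucket [06/Feb/2019:00:00:39 +0000] 203.0.113.9 - R2 REST.GET.OBJECT ep1.mp4 "GET /ep1.mp4 HTTP/1.1" 206 - 41943040 734003200 250 11 "-" "iTunes/12.9 (Macintosh; OS X 10.14)" -
owner1 example-media-bucket [06/Feb/2019:00:00:40 +0000] 203.0.113.7 - R3 REST.GET.OBJECT ep1.mp4 "GET /ep1.mp4 HTTP/1.1" 206 - 41943040 734003200 251 12 "-" "iTunes/12.9 (Macintosh; OS X 10.14)" -
owner1 example-media-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.20 - R4 REST.GET.OBJECT hls/seg1.ts "GET /hls/seg1.ts HTTP/1.1" 200 - 2097152 2097152 900 40 "-" "Roku/DVP-9.10 (519.10E04111A)" -
"""

def bytes_by_network(log_text, prefix=24):
    """Sum bytes sent per (source network, User-Agent mentions Roku)."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["bytes"] == "-":
            continue  # unparsable line, or no body was sent
        net = ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False)
        # The User-Agent is client-supplied: use it for triage, not as proof.
        totals[(str(net), "Roku" in m["ua"])] += int(m["bytes"])
    return totals

def noisy_networks(log_text, threshold_bytes):
    """Networks whose non-Roku traffic meets or exceeds the byte threshold."""
    return {net for (net, is_roku), sent in bytes_by_network(log_text).items()
            if not is_roku and sent >= threshold_bytes}

def deny_statement(bucket, networks):
    """Bucket-policy statement refusing GetObject from the given CIDR blocks."""
    return {
        "Sid": "DenyNoisyNetworks",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"IpAddress": {"aws:SourceIp": sorted(networks)}},
    }
```

Serialize the returned statement with `json.dumps` and add it to the `Statement` list of the existing bucket policy; an explicit `Deny` takes precedence over the public-read `Allow`.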