Monday, 12 October 2015

How do I use Cognito purely to authenticate users for S3 use

I have read this post and the AWS reply on "How do I use a Cognito token with API?" and this one, "how to use AWS cognito with custom authentication to create temporary s3 upload security token".

I am not yet clear whether there is a simpler solution to securing S3 access.

I have a mobile client and a node.js backend. The client authenticates with the backend and receives a jwt accesstoken for further calls to my backend. In addition to communication with my own backend, users should be able to upload and download files to and from S3. I am looking for the simplest solution to make sure only users who have a valid accesstoken for my backend can upload to S3.

Can I do the following (this is based on this blog post http://ift.tt/1OtLwn0):

  1. Client authenticates with my custom node.js backend and receives custom accesstoken from my backend
  2. My node.js backend gets CognitoID AWS temp user credentials. However, the AWS documentation says we also need a session token (presumably by calling CognitoSync), so I assume my backend needs to get the session token as well.
  3. My node.js backend passes those temp credentials plus session token to client
  4. Client uses them for calls to S3 with AWS SDK passing in the credentials + session token.

Am I missing something? Is there an easier way to do that? I assume there is no way to simply have the client pass my own custom node.js user accesstoken to AWS/S3/Cognito and have S3/Cognito authenticate the token by calling my own node.js API that could authenticate this token.



