Amazon S3 presigned url - Invalidate manually or one time upload

A pre-signed URL expires at a set date/time. It is not possible to create a one-time use pre-signed URL.

It is also not possible to invalidate a pre-signed URL. However, the pre-signed URL uses permissions from the Access Key that is referenced by the pre-signed URL. If permissions are removed from the User linked to the Access Key, then the pre-signed URL will not work.

Turning this into an answer...

Once a file is uploaded, have Lambda move it (using the Copy Object API), i.e. from uploads/123.png to received/123.png or something similar.

If a malicious user attempts to re-use the signed URL, it'll go to uploads/123.png. Worst-case, Lambda checks it again and rejects the new file. Since your server's looking in received/ instead of uploads/ for files to process, we've rendered things safe.