This is the approach we use for the lucee update/download server
The update server can’t depend on itself (catch-22), so we download directly from s3 and drop them into the deploy folder
Given you are locking down your server’s internet access, you care about security, you probably should consider using the latest 5.4 docker images (latest java, tomcat and ubuntu) and start planning to migrate to Lucee 6