An organization wants to ensure that only specific AWS services can access an S3 bucket. Which of the following should they configure?