An application on EC2 instances uses an S3 bucket for object storage and retrieval. After S3 Block Public Access is enabled, users face download issues. To securely allow only authenticated users access to S3 objects, which two measures should be implemented?