A developer must apply the principle of least privilege in an IAM policy for an application that reads a specific file, doc.txt, located in the root of an S3 bucket named DOC-EXAMPLE-BUCKET. What is the appropriate IAM policy statement?