A company operates a long-running data analysis process on AWS, utilizing Amazon S3 buckets for data storage and a fleet of Amazon EC2 instances managed by an Auto Scaling group for processing. These EC2 instances are located in a private subnet of a VPC without internet access and connect to the S3 buckets through an S3 gateway endpoint with a default access policy. Each EC2 instance is equipped with an instance profile role that permits specific S3 actions for designated buckets. Recently, the company identified that several EC2 instances have been compromised, resulting in unauthorized data exfiltration to an S3 bucket outside their AWS Organization. To address this security breach and ensure the continued operation of the data processing job, a security engineer is tasked with implementing a solution. Which of the following solutions should the engineer select to effectively prevent data exfiltration while maintaining the functionality of the EC2 instances?