Explain how you would restrict access to an internal S3 bucket containing sensitive user data so that only a specific application can read it.