How do you ensure that developers cannot accidentally expose an S3 bucket or an internal API to the public internet?