How would you secure a publicly exposed S3 bucket while maintaining application functionality for HelloFresh?