How would you secure a publicly facing S3 bucket that needs to be accessed by an internal automated process?