Attaching an instance profile that contains an IAM role with the necessary S3 permissions to your EC2 instances is the recommended solution for this scenario. This allows the application to assume the IAM role and obtain temporary credentials, which can be used to access the S3 bucket. The use of an instance profile ensures that the EC2 instance can securely make API calls to AWS services on behalf of the user that assumed the role. Unlike static credentials, these permissions are automatically rotated and managed by AWS. Creating individual IAM users is not scalable for multiple instances, and hard-coding credentials is a security risk and violates the AWS recommended practice of not embedding secrets in code. Using a resource-based policy on the S3 bucket is not possible, as it cannot grant the necessary EC2 instance permissions to assume a role.