An application is running on Amazon EC2 instances. Sensitive information required for the application is stored in an Amazon S3 bucket. The bucket needs to be protected from internet access while only allowing services within the VPC access to the bucket.
Which combination of actions should solutions archived take to accomplish this? (Choose two.)
A. Create a VPC endpoint for Amazon S3.
B. Enable server access logging on the bucket.
C. Apply a bucket policy to restrict access to the S3 endpoint.
D. Add an S3 ACL to the bucket that has sensitive information.
E. Restrict users using the IAM policy to use the specific bucket.
Explanation/Reference: