High-level S3 Bucket Policy builder following AWS security best practices. **Default Security Settings:** - No default statements (explicit policy definition required) - Applies to specific bucket only **Rationale:** These defaults follow AWS Well-Architected Framework security pillar: - Principle of least privilege requires explicit permissions - No default deny-all to allow incremental policy building - Bucket-specific policies prevent accidental broad access **Best Practices:** - Deny HTTP requests (enforce HTTPS) - Restrict access by IP address when possible - Use condition keys to limit access - Apply MFA delete for critical buckets **Escape Hatch:** Access the underlying CDK BucketPolicy via the `Policy` property for advanced scenarios not covered by this builder.