Here's the policy you need to attach to your instance's IAM:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
}
]
}
You can replace the '*' above with more restrictive permissions (e.g. read only) where necessary. This approach means you don't need to set up any kind of access keys.