Our project have an application (placed in CNET and running under a process account) that sends files to a S3 bucket every 6 hours and works well, although we need to manually rotate these keys time to time (60~70 days) – we are using IAM Users to authenticate and one IAM Role with only write permissions in our S3.