A pharmaceutical research lab is storing sensitive clinical trial results in an Amazon S3 bucket. A small group of researchers must be able to upload new data, while the rest of the team should have read-only access. No one, including administrators, should be allowed to edit or delete existing data. Additionally, each file must be retained for at least 1 year after it is uploaded, to comply with regulatory standards. What is the best way to meet these requirements?