diff --git a/module.yml b/module.yml
index a048a9c..2639d78 100644
--- a/module.yml
+++ b/module.yml
@@ -96,7 +96,7 @@ Conditions:
   HasPartitionPublic: !Equals [!Ref 'AWS::Partition', 'aws']
   HasPartitionChina: !Equals [!Ref 'AWS::Partition', 'aws-cn']
   HasPartitionUsGov: !Equals [!Ref 'AWS::Partition', 'aws-us-gov']
-  HasPublicAccessBlock: !Not [!Condition HasPublicReadAccess]
+  HasBlockPublicAccess: !Not [!Condition HasPublicReadAccess]
 Resources:
   PolicyLambdaEventTarget1:
     Type: 'AWS::IAM::Policy'
@@ -224,7 +224,8 @@ Resources:
         - !If [HasLambdaEventTargetLambdaModule2, {Event: !Ref LambdaEventType2, Function: {'Fn::ImportValue': !Sub '${LambdaEventTargetLambdaModule2}-Arn'}}, !Ref 'AWS::NoValue']
         - !If [HasLambdaEventTargetLambdaModule3, {Event: !Ref LambdaEventType3, Function: {'Fn::ImportValue': !Sub '${LambdaEventTargetLambdaModule3}-Arn'}}, !Ref 'AWS::NoValue']
         # QueueConfigurations: # Using SQS as a target does not work because the SQS queue policy can not be restricted to an AWS account (only to single S3 buckets which is not possible because we don't have that information (cyclic dependency)).
-      PublicAccessBlockConfiguration: !If [HasPublicAccessBlock, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, !Ref 'AWS::NoValue'] # AWS Foundational Security Best Practices v1.0.0 S3.8
+      OwnershipControls: !If [HasBlockPublicAccess, {Rules: [{ObjectOwnership: BucketOwnerEnforced}]}, {Rules: [{ObjectOwnership: BucketOwnerPreferred}]}]
+      PublicAccessBlockConfiguration: !If [HasBlockPublicAccess, {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}, {BlockPublicAcls: true, BlockPublicPolicy: false, IgnorePublicAcls: true, RestrictPublicBuckets: false}] # AWS Foundational Security Best Practices v1.0.0 S3.8
       VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
       BucketEncryption: !If [HasKmsKeyModule, {ServerSideEncryptionConfiguration: [{ServerSideEncryptionByDefault: {KMSMasterKeyID: {'Fn::ImportValue': !Sub '${KmsKeyModule}-Arn'}, SSEAlgorithm: 'aws:kms'}}]}, !Ref 'AWS::NoValue']
   BucketPolicyPrivate:
diff --git a/test/access.js b/test/access.js
index 2600ce0..34de189 100644
--- a/test/access.js
+++ b/test/access.js
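Review bot: The trailing `# AWS Foundational Security Best Practices v1.0.0 S3.8` comment on the new PublicAccessBlockConfiguration line now also labels the else branch, which deliberately sets BlockPublicPolicy and RestrictPublicBuckets to false so that a public-read bucket policy can take effect; a reader checking the bucket against that control sees a deviation with no stated reason. Suggest extending the comment to `# AWS Foundational Security Best Practices v1.0.0 S3.8; public-read buckets intentionally leave BlockPublicPolicy/RestrictPublicBuckets off so the public bucket policy can be applied`. In the same branch the new OwnershipControls line keeps ACLs enabled via `ObjectOwnership: BucketOwnerPreferred` even though BlockPublicAcls and IgnorePublicAcls stay true; if a writer still depends on ACLs, a one-line comment on that line saying which one would help, otherwise `BucketOwnerEnforced` in both branches is the smaller surface, since public reads are granted by the bucket policy and need no ACL. The Bucket resource this hunk edits starts and ends outside the hunk, so I cannot see whether the public-read policy resource is conditioned on the same HasPublicReadAccess condition.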
@@ -88,3 +88,14 @@ test.serial('FlowLogWrite', async t => {
     t.pass();
   }
 });
+
+test.serial('Custom', async t => {
+  const stackName = cfntest.stackName();
+  try {
+    t.log(await cfntest.createStack(`${__dirname}/access.yml`, stackName, {Access: 'FlowLogWrite'}));
+    // what could we test here?
+  } finally {
+    t.log(await cfntest.deleteStack(stackName));
+    t.pass();
+  }
+});
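Review bot: The new test is named 'Custom' but passes `{Access: 'FlowLogWrite'}` to createStack, which looks copied from the preceding FlowLogWrite test, so it redeploys the same configuration and never exercises the mode its name announces; if the module's Access parameter accepts a value for this mode (presumably `'Custom'`, to be confirmed against access.yml), the call should pass that value instead. Since the body asserts nothing beyond a successful deploy, the placeholder `// what could we test here?` should state that intent, e.g. `// deploy-only smoke test: verifies the template is valid for this Access mode`, so the next reader does not mistake it for an unfinished test. The preceding FlowLogWrite test body starts outside the hunk.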