diff --git a/html-demo/aws/aws_s3.tf b/html-demo/aws/aws_s3.tf
index fcbaeecc..adf29052 100644
--- a/html-demo/aws/aws_s3.tf
+++ b/html-demo/aws/aws_s3.tf
@@ -1,7 +1,5 @@
resource "aws_s3_bucket" "website_bucket" {
bucket = "codepipes-html-demo-${random_string.random.result}"
- acl = "public-read"
-
force_destroy = true
website {
@@ -10,7 +8,34 @@ resource "aws_s3_bucket" "website_bucket" {
}
}
+resource "aws_s3_bucket_public_access_block" "website_bucket" {
+ bucket = aws_s3_bucket.website_bucket.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_ownership_controls" "website_bucket" {
+ bucket = aws_s3_bucket.website_bucket.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "website_bucket" {
+ depends_on = [
+ aws_s3_bucket_public_access_block.website_bucket,
+ aws_s3_bucket_ownership_controls.website_bucket,
+ ]
+
+ bucket = aws_s3_bucket.website_bucket.id
+ acl = "public-read"
+}
+
resource "aws_s3_bucket_policy" "website_bucket_policy" {
+ depends_on = [aws_s3_bucket_public_access_block.website_bucket, aws_s3_bucket_ownership_controls.website_bucket]
bucket = aws_s3_bucket.website_bucket.id
policy = <
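Review bot: All four flags in `aws_s3_bucket_public_access_block.website_bucket` are set to `false` and the new `aws_s3_bucket_acl` re-applies `public-read`, which on a bucket grants anonymous READ (object listing) on top of whatever the bucket policy allows. The body of `website_bucket_policy` is outside the visible hunk, but if it already grants public `s3:GetObject` for the website, the ACL is not needed: only `block_public_policy = false` and `restrict_public_buckets = false` are required for that policy to take effect. In that case I would set `block_public_acls = true` and `ignore_public_acls = true`, drop the `aws_s3_bucket_acl` and `aws_s3_bucket_ownership_controls` resources, and reduce the policy's `depends_on` to `[aws_s3_bucket_public_access_block.website_bucket]`. A short comment above the access block stating that the bucket is intentionally public for static website hosting would also help reviewers and scanners that flag these settings.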