diff --git a/README.md b/README.md
index 5812db1..a67df4b 100644
--- a/README.md
+++ b/README.md
@@ -365,6 +365,7 @@ Available targets:
| [webhook\_filter\_match\_equals](#input\_webhook\_filter\_match\_equals) | The value to match on (e.g. refs/heads/{Branch}) | `string` | `"refs/heads/{Branch}"` | no |
| [webhook\_target\_action](#input\_webhook\_target\_action) | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | `string` | `"Source"` | no |
| [website\_bucket\_name](#input\_website\_bucket\_name) | Name of the S3 bucket where the website will be deployed | `string` | `""` | no |
+| [website\_bucket\_acl](#input\_website\_bucket\_acl) | Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI | `string` | `"public-read"` | no |
## Outputs
diff --git a/docs/terraform.md b/docs/terraform.md
index af32ea1..36c2c60 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -94,6 +94,7 @@
| [webhook\_filter\_match\_equals](#input\_webhook\_filter\_match\_equals) | The value to match on (e.g. refs/heads/{Branch}) | `string` | `"refs/heads/{Branch}"` | no |
| [webhook\_target\_action](#input\_webhook\_target\_action) | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | `string` | `"Source"` | no |
| [website\_bucket\_name](#input\_website\_bucket\_name) | Name of the S3 bucket where the website will be deployed | `string` | `""` | no |
+| [website\_bucket\_acl](#input\_website\_bucket\_acl) | Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI | `string` | `"public-read"` | no |
## Outputs
diff --git a/main.tf b/main.tf
index 50fd665..254a11b 100644
--- a/main.tf
+++ b/main.tf
@@ -125,6 +125,11 @@ resource "aws_iam_policy" "s3" {
policy = join("", data.aws_iam_policy_document.s3.*.json)
}
+data "aws_s3_bucket" "website" {
+ count = local.enabled ? 1 : 0
+ bucket = var.website_bucket_name
+}
+
data "aws_iam_policy_document" "s3" {
count = local.enabled ? 1 : 0
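Review bot: The new `data "aws_s3_bucket" "website"` is instantiated whenever `local.enabled` is true, but `var.website_bucket_name` defaults to `""` (variables.tf), so a module user who enables the pipeline without a website bucket now gets a plan-time lookup failure that did not exist before this change. If the website bucket is meant to stay optional, gate the data source on the name as well, e.g. `count = local.enabled && var.website_bucket_name != "" ? 1 : 0`, and give the ARN references in `data.aws_iam_policy_document.s3` the same guard, since `"${join("", [])}/*"` would otherwise put a bare `/*` into the policy's `resources`. The enclosing `data "aws_iam_policy_document" "s3"` block continues past this hunk.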
@@ -136,12 +141,15 @@ data "aws_iam_policy_document" "s3" {
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
"s3:PutObject",
+ "s3:PutObjectAcl",
]
resources = [
- join("", aws_s3_bucket.default.*.arn),
+ "arn:aws:s3:::elasticbeanstalk*",
"${join("", aws_s3_bucket.default.*.arn)}/*",
- "arn:aws:s3:::elasticbeanstalk*"
+ join("", aws_s3_bucket.default.*.arn),
+ "${join("", data.aws_s3_bucket.website.*.arn)}/*",
+ join("", data.aws_s3_bucket.website.*.arn)
]
effect = "Allow"
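Review bot: Adding `s3:PutObjectAcl` to this statement grants the pipeline role the ability to set any ACL on any object in the website bucket, which matters most in the case the commit introduces — a private bucket behind CloudFront with an OAI — where the role could still re-expose objects as `public-read`. Since the deploy action only ever sends the one canned ACL from `var.website_bucket_acl`, the website-bucket grant can be split into its own statement pinned with an `s3:x-amz-acl` condition, leaving the artifact bucket and `elasticbeanstalk*` grant as it was; note that `s3:x-amz-acl` is only present when an ACL header is sent, so this presumably should not be applied to the artifact-bucket statement. The reordering of the three pre-existing `resources` entries is churn that makes the security-relevant addition harder to spot in review. This statement, and `data "aws_iam_policy_document" "s3"`, begin above the hunk.
```hcl
  # … unchanged: existing statement, minus the two data.aws_s3_bucket.website entries …

  # Website bucket: only the ACL the pipeline is configured to apply may be set.
  statement {
    actions = [
      "s3:PutObject",
      "s3:PutObjectAcl",
      # plus whatever read actions the deploy needs from the statement above
    ]
    resources = [
      join("", data.aws_s3_bucket.website.*.arn),
      "${join("", data.aws_s3_bucket.website.*.arn)}/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = [var.website_bucket_acl]
    }
    effect = "Allow"
  }
```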
@@ -306,7 +314,7 @@ resource "aws_codepipeline" "default" {
configuration = {
BucketName = var.website_bucket_name
Extract = "true"
- CannedACL = "public-read"
+ CannedACL = var.website_bucket_acl
}
}
}
diff --git a/variables.tf b/variables.tf
index 2819a55..f9c5654 100644
--- a/variables.tf
+++ b/variables.tf
@@ -183,3 +183,9 @@ variable "website_bucket_name" {
default = ""
description = "Name of the S3 bucket where the website will be deployed"
}
+
+variable "website_bucket_acl" {
+ type = string
+ default = "public-read"
+ description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI"
+}