diff --git a/README.md b/README.md
index 2a07294..4a8ca39 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_backend_config"></a> [backend\_config](#input\_backend\_config) | Object of S3 backend config | <pre>object({<br>    bucket        = string<br>    force_destroy = optional(bool, true)<br>    versioning    = optional(string, "Enabled")<br>    public_access_block = optional(object({<br>      block_public_acls       = optional(bool, true)<br>      block_public_policy     = optional(bool, true)<br>      ignore_public_acls      = optional(bool, true)<br>      restrict_public_buckets = optional(bool, true)<br>    }), {})<br>    server_side_encryption_configuration = optional(object({<br>      bucket_key_enabled = optional(bool, true)<br>      sse_algorithm      = optional(string, "aws:kms")<br>      kms_master_key_id  = optional(string)<br>    }), {})<br>    dynamodb_table = object({<br>      name                        = string<br>      deletion_protection_enabled = optional(bool, true)<br>      billing_mode                = optional(string, "PAY_PER_REQUEST")<br>    })<br>  })</pre> | n/a | yes |
+| <a name="input_backend_config"></a> [backend\_config](#input\_backend\_config) | Object of S3 backend config | <pre>object({<br>    bucket        = string<br>    force_destroy = optional(bool, true)<br>    versioning    = optional(string, "Enabled")<br>    policy = optional(object({<br>      json = string<br>    }))<br>    public_access_block = optional(object({<br>      block_public_acls       = optional(bool, true)<br>      block_public_policy     = optional(bool, true)<br>      ignore_public_acls      = optional(bool, true)<br>      restrict_public_buckets = optional(bool, true)<br>    }), {})<br>    server_side_encryption_configuration = optional(object({<br>      bucket_key_enabled = optional(bool, true)<br>      sse_algorithm      = optional(string, "aws:kms")<br>      kms_master_key_id  = optional(string)<br>    }), {})<br>    dynamodb_table = object({<br>      name                        = string<br>      deletion_protection_enabled = optional(bool, true)<br>      billing_mode                = optional(string, "PAY_PER_REQUEST")<br>    })<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
index 003267a..52d7bf5 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,9 @@ module "state_bucket" {
 
   public_access_block = var.backend_config.public_access_block
 
-  policy = {
+  server_side_encryption_configuration = var.backend_config.server_side_encryption_configuration
+
+  policy = var.backend_config.policy != null ? var.backend_config.policy : {
     json = jsonencode({
       "Version" : "2012-10-17",
       "Statement" : [
@@ -51,10 +53,6 @@ module "state_bucket" {
       ]
     })
   }
-
-
-  server_side_encryption_configuration = var.backend_config.server_side_encryption_configuration
-
 }
 
 resource "aws_dynamodb_table" "this" {
diff --git a/tests/.gitkeep b/tests/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/tests/create_all/main.tf b/tests/test_defaults/main.tf
similarity index 100%
rename from tests/create_all/main.tf
rename to tests/test_defaults/main.tf
diff --git a/tests/test_external_policy/main.tf b/tests/test_external_policy/main.tf
new file mode 100644
index 0000000..28b450c
--- /dev/null
+++ b/tests/test_external_policy/main.tf
@@ -0,0 +1,78 @@
+module "state_bucket" {
+  source = "../../"
+
+  backend_config = {
+    bucket = local.bucket_name
+    policy = local.policy
+
+    dynamodb_table = {
+      name = local.ddb_name
+
+      deletion_protection_enabled = false
+    }
+  }
+}
+
+resource "random_string" "this" {
+  length  = 8
+  upper   = false
+  special = false
+  numeric = false
+}
+
+locals {
+  id = random_string.this.result
+
+  bucket_name = "test-bucket-for-backend-${local.id}"
+  ddb_name    = "test-ddb-for-backend-${local.id}"
+
+  policy = {
+    json = jsonencode({
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "MustBeEncryptedInTransit",
+          "Effect" : "Deny",
+          "Principal" : "*",
+          "Action" : "s3:*",
+          "Resource" : [
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}",
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"
+          ],
+          "Condition" : {
+            "Bool" : {
+              "aws:SecureTransport" : "false"
+            }
+          }
+        },
+        {
+          "Sid" : "RootAccess",
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+          },
+          "Action" : "s3:*",
+          "Resource" : [
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}",
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"
+          ]
+        },
+        {
+          "Sid" : "DenyS3DeleteObject",
+          "Action" : [
+            "s3:DeleteObject"
+          ],
+          "Effect" : "Deny",
+          "Resource" : [
+            "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}/*"
+          ],
+          "Principal" : "*"
+        }
+      ]
+    })
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
diff --git a/variables.tf b/variables.tf
index 4f8492a..946bb24 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,9 @@ variable "backend_config" {
     bucket        = string
     force_destroy = optional(bool, true)
     versioning    = optional(string, "Enabled")
+    policy = optional(object({
+      json = string
+    }))
     public_access_block = optional(object({
       block_public_acls       = optional(bool, true)
       block_public_policy     = optional(bool, true)