diff --git a/lib/barcelona/network/vpc_builder.rb b/lib/barcelona/network/vpc_builder.rb
index 3be74cc6..d89cc8ff 100644
--- a/lib/barcelona/network/vpc_builder.rb
+++ b/lib/barcelona/network/vpc_builder.rb
@@ -323,10 +323,17 @@ def build_resources
                       "logs:CreateLogStream",
                       "logs:DescribeLogStreams",
                       "logs:PutLogEvents",
-                      "s3:Get*",
-                      "s3:List*"
                     ],
                     "Resource" => ["*"]
+                  },
+                  {
+                    "Effect" => "Allow",
+                    "Action" => [
+                      "s3:GetObject"
+                    ],
+                    "Resource" => [
+                      "arn:aws:s3:::#{stack.district.s3_bucket_name}/#{stack.district.name}/*"
+                    ]
                   }
                 ]
               }