diff --git a/README.md b/README.md index 4537e80..1370eb5 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ supports S3 redirects. This module helps keep setup consistent for multiple Hugo - `aliases` - A list of hostname aliases for CloudFront to listen on - `bucket_name` - Name of bucket to use, must be globally unique - `cert_domain` - Domain name on existing Amazon Certificate Manager certificate to use with CloudFront + - `deployment_user_arn` - ARN to a user to be given permission to put objects into the bucket ## Optional Inputs @@ -31,17 +32,18 @@ supports S3 redirects. This module helps keep setup consistent for multiple Hugo ```hcl module "hugosite" { - source = "github.com/fillup/terraform-hugo-s3-cloudfront" - aliases = ["www.domain.com", "domain.com"] - bucket_name = "www.domain.com" - cert_domain = "*.domain.com" + source = "github.com/fillup/terraform-hugo-s3-cloudfront" + aliases = ["www.domain.com", "domain.com"] + bucket_name = "www.domain.com" + cert_domain = "*.domain.com" + deployment_user_arn = "arn:aws:iam::111122223333:person" } ``` ## License - MIT MIT License -Copyright (c) 2018 Phillip Shipley +Copyright (c) 2020 Phillip Shipley Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/bucket-policy.json b/bucket-policy.json index 646fe86..807221a 100644 --- a/bucket-policy.json +++ b/bucket-policy.json @@ -2,11 +2,23 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "AddPerm", + "Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::${bucket_name}/public/*" + }, + { + "Sid": "PutWebsite", + "Effect": "Allow", + "Principal": { + "AWS": ["${deployment_user_arn}"] + }, + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "arn:aws:s3:::${bucket_name}/public/*" } ] } \ No newline at end of file 
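Review bot: The new `PutWebsite` statement grants `s3:PutObjectAcl` with no condition on the ACL the deployer may set, while the `PublicRead` statement is the only thing that makes `/public/*` readable. If `deployment_user_arn` belongs to a different account than the bucket, objects it uploads are owned by that account and a bucket policy does not apply to them, so the site silently serves 403s unless every upload carries `bucket-owner-full-control`; add `"Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}` to the statement, or drop `s3:PutObjectAcl` if the deployer is always in the bucket's own account. The deploy workflow is not shown, but `aws s3 sync` / `hugo deploy` style uploads also need `s3:ListBucket` on `arn:aws:s3:::${bucket_name}` and `s3:DeleteObject` on the prefix to remove stale pages, neither of which this grant provides.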
diff --git a/main.tf b/main.tf
index fbc777b..790a44c 100644
--- a/main.tf
+++ b/main.tf
@@ -5,7 +5,8 @@ data "template_file" "bucket_policy" {
 template = "${file("${path.module}/bucket-policy.json")}"
 
 vars {
- bucket_name = "${var.bucket_name}"
+ bucket_name = "${var.bucket_name}"
+ deployment_user_arn = "${var.deployment_user_arn}"
 }
 }
 
diff --git a/vars.tf b/vars.tf
index 7d88298..4d73454 100644
--- a/vars.tf
+++ b/vars.tf
@@ -106,3 +106,8 @@ variable "viewer_protocol_policy" {
 type = "string"
 default = "redirect-to-https"
 }
+
+variable "deployment_user_arn" {
+ description = "ARN for user who is able to put objects into S3 bucket"
+ type = "string"
+}
\ No newline at end of file
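Review bot: `deployment_user_arn` is spliced into the JSON policy as raw text through `template_file`, so nothing quotes or structurally validates the value — a malformed ARN, or one containing a `"`, only surfaces at apply time as a MalformedPolicy error from S3. Rendering the policy with `data "aws_iam_policy_document"` and a `principals { type = "AWS" identifiers = ["${var.deployment_user_arn}"] }` block would escape the value and reject an invalid document at plan time, and would let the hand-maintained `bucket-policy.json` go away. The resource that consumes `data.template_file.bucket_policy.rendered` is outside the hunk, so I cannot tell whether anything else depends on the template form.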
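Review bot: The new `deployment_user_arn` variable documents neither the expected ARN format nor which permissions it confers, and with this Terraform 0.11-style syntax (`type = "string"`) there is no `validation` block to catch a bad value before apply. The README example added in this same commit, `arn:aws:iam::111122223333:person`, appears to be missing the `user/` segment, which is exactly the mistake a precise description would prevent: `description = "ARN of the IAM principal (e.g. arn:aws:iam::<account-id>:user/<name>) granted s3:PutObject and s3:PutObjectAcl on public/* in the site bucket"`. If a role ARN is also acceptable — the bucket policy does not distinguish — say so in the description rather than calling it a user.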