diff --git a/terraform/README.md b/terraform/README.md
index 5a760c32..7a4bbae5 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -30,8 +30,10 @@ The infrastructure for my personal website: [vendittelli.co.uk](https://venditte
 | [aws_s3_bucket_acl.images](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_acl.site](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_acl.www](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_ownership_controls.images](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.images](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.site](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.images](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.www](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_website_configuration.site](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_s3_bucket_website_configuration.www](https://registry.terraform.io/providers/hashicorp/aws/5.13.1/docs/resources/s3_bucket_website_configuration) | resource |
diff --git a/terraform/aws.tf b/terraform/aws.tf
index 96e0b863..04b2b28d 100644
--- a/terraform/aws.tf
+++ b/terraform/aws.tf
@@ -82,13 +82,30 @@ resource "aws_s3_bucket" "images" {
 }
 }
-resource "aws_s3_bucket_acl" "images" {
+resource "aws_s3_bucket_ownership_controls" "images" {
 bucket = aws_s3_bucket.images.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
- acl = "public-read"
+resource "aws_s3_bucket_public_access_block" "images" {
+ bucket = aws_s3_bucket.images.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "images" {
+ depends_on = [aws_s3_bucket_ownership_controls.images]
+ bucket = aws_s3_bucket.images.id
+ acl = "public-read"
 }
 resource "aws_s3_bucket_policy" "images" {
+ depends_on = [aws_s3_bucket_public_access_block.images]
 bucket = aws_s3_bucket.images.id
 policy = jsonencode({
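Review bot: The new `aws_s3_bucket_public_access_block.images` sets all four guardrails to false, and combined with `object_ownership = "BucketOwnerPreferred"` plus the `public-read` ACL it keeps object ACLs alive as a second, harder-to-audit path to public exposure on the images bucket. If `aws_s3_bucket_policy.images` (its body continues past the end of this hunk) already grants public read, the ACL adds nothing and the tighter shape is `object_ownership = "BucketOwnerEnforced"`, `block_public_acls = true` and `ignore_public_acls = true`, with the `aws_s3_bucket_acl.images` resource removed since ACLs are disabled under that setting; only `block_public_policy` and `restrict_public_buckets` need to stay false for a policy-based public bucket. Bear in mind that a bucket-level block set to false is still subject to any account-level public access block, which this commit does not show, so the effective exposure depends on settings outside this change. Whichever shape is kept, a comment above the public access block such as `# Intentionally public: image objects are served straight from this bucket; access is granted by the bucket policy below` would stop a later reader from treating it as a misconfiguration.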