diff --git a/_variables.tf b/_variables.tf
index 4b9b9c6..d5188d0 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -67,6 +67,12 @@ variable "create_iam_user" {
 default = false
 }
+variable "create_iam_user_write_acl" {
+ type = bool
+ default = false
+ description = "If iam user can use WRITE_ACP on bucket"
+}
+
 variable "create_iam_eks_role" {
 type = map(any)
 default = {}
diff --git a/acl.tf b/acl.tf
new file mode 100644
index 0000000..e996dca
--- /dev/null
+++ b/acl.tf
@@ -0,0 +1,35 @@
+resource "aws_s3_bucket_ownership_controls" "bucket_acl" {
+ count = var.create && var.create_iam_user && var.create_iam_user_write_acl ? 1 : 0
+ bucket = aws_s3_bucket.bucket[0].id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "grant_owner_to_iam" {
+ count = var.create && var.create_iam_user && var.create_iam_user_write_acl ? 1 : 0
+ depends_on = [aws_s3_bucket_ownership_controls.bucket_acl[0]]
+
+ bucket = aws_s3_bucket.bucket[0].id
+ access_control_policy {
+ grant {
+ grantee {
+ id = aws_iam_user.bucket_user[0].id
+ type = "CanonicalUser"
+ }
+ permission = "WRITE_ACP"
+ }
+
+ grant {
+ grantee {
+ type = "Group"
+ uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+ }
+ permission = "READ_ACP"
+ }
+
+ owner {
+ id = data.aws_canonical_user_id.current.id
+ }
+ }
+}
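Review bot: The description on the new `create_iam_user_write_acl` variable does not tell the caller what enabling it does to the bucket beyond the ACL grant: in acl.tf the same flag also sets object_ownership to BucketOwnerPreferred, which turns bucket ACLs on. A consumer reading only the variables file cannot see that, so a fuller description would help, e.g. `description = "Grant the module's IAM user WRITE_ACP on the bucket through a bucket ACL. Enabling this also sets object ownership to BucketOwnerPreferred, which enables ACLs on the bucket."`. Defaulting to false is the right choice for a flag that hands out the ability to rewrite the bucket ACL.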
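Review bot: The first grant in `aws_s3_bucket_acl.grant_owner_to_iam` cannot address the IAM user as written: `aws_iam_user.bucket_user[0].id` is the IAM user's name, while a `CanonicalUser` grantee takes a canonical user ID, and canonical IDs identify an AWS account rather than an individual IAM user, so S3 is likely to reject the grantee ID, and even a correct canonical ID would grant the whole account. If the intent is to let that one user change the bucket ACL, an IAM policy on the user allowing `s3:PutBucketAcl` on the bucket ARN expresses exactly that, and WRITE_ACP deserves the precision because whoever holds it can re-grant the bucket to any principal, including the public groups. The access_control_policy sent here replaces the bucket's ACL in full, yet it carries no FULL_CONTROL grant for the account named in the `owner` block, which the provider's own access_control_policy examples include; I would add that grant and a comment on `aws_s3_bucket_ownership_controls.bucket_acl` noting that BucketOwnerPreferred re-enables ACLs that AWS now disables by default on new buckets. If the LogDelivery READ_ACP grant is meant to support server access logging, AWS documents that group needing WRITE on the target bucket as well, so that grant is either incomplete or unnecessary.
```hcl
resource "aws_s3_bucket_acl" "grant_owner_to_iam" {
  # … unchanged: count, depends_on, bucket …
  access_control_policy {
    # PutBucketAcl replaces the whole ACL: keep the owner's FULL_CONTROL so
    # the owning account does not lose its own grant when this is applied.
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "FULL_CONTROL"
    }
    # … unchanged: remaining grants and owner block …
  }
}
```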