NHSDigital · sidnhs · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
@@ -54,6 +54,7 @@ No requirements.
 | <a name="input_report_scheduler_schedule"></a> [report\_scheduler\_schedule](#input\_report\_scheduler\_schedule) | Schedule to trigger sender reports | `string` | `"cron(30 4 * * ? *)"` | no |
 | <a name="input_reports_data_retention_non_current_days"></a> [reports\_data\_retention\_non\_current\_days](#input\_reports\_data\_retention\_non\_current\_days) | The number of non current days for data retention policy for reports generated by Athena in the reporting bucket | `number` | `14` | no |
 | <a name="input_reports_data_retention_policy_days"></a> [reports\_data\_retention\_policy\_days](#input\_reports\_data\_retention\_policy\_days) | The number of days for data retention policy for reports generated by Athena in the reporting bucket | `number` | `90` | no |
+| <a name="input_restrict_pii_data_access"></a> [restrict\_pii\_data\_access](#input\_restrict\_pii\_data\_access) | Whether to restrict access to PII data in the bucket using a bucket policy | `bool` | `true` | no |
 | <a name="input_shared_infra_account_id"></a> [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Shared Infra Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `0` | no |
 | <a name="input_sqs_max_receive_count"></a> [sqs\_max\_receive\_count](#input\_sqs\_max\_receive\_count) | Maximum number of times a message can be received before being sent to the DLQ | `string` | `"3"` | no |
@@ -85,10 +86,10 @@ No requirements.
 | <a name="module_report_scheduler"></a> [report\_scheduler](#module\_report\_scheduler) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
 | <a name="module_report_sender"></a> [report\_sender](#module\_report\_sender) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_file_quarantine"></a> [s3bucket\_file\_quarantine](#module\_s3bucket\_file\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| <a name="module_s3bucket_file_safe"></a> [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
+| <a name="module_s3bucket_file_safe"></a> [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket | feature/CCM-16776_s3_pii_access |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_non_pii_data"></a> [s3bucket\_non\_pii\_data](#module\_s3bucket\_non\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
-| <a name="module_s3bucket_pii_data"></a> [s3bucket\_pii\_data](#module\_s3bucket\_pii\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
+| <a name="module_s3bucket_pii_data"></a> [s3bucket\_pii\_data](#module\_s3bucket\_pii\_data) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket | feature/CCM-16776_s3_pii_access |
 | <a name="module_s3bucket_reporting"></a> [s3bucket\_reporting](#module\_s3bucket\_reporting) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_static_assets"></a> [s3bucket\_static\_assets](#module\_s3bucket\_static\_assets) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_core_notifier"></a> [sqs\_core\_notifier](#module\_sqs\_core\_notifier) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-sqs.zip | n/a |

@@ -0,0 +1,5 @@
+data "aws_iam_roles" "sso_bc_restricted_dev" {
+  count       = var.restrict_pii_data_access ? 1 : 0
+  name_regex  = "AWSReservedSSO_nhs-notify-bc-developer_.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
@@ -16,4 +16,6 @@ locals {
   ssm_senders_prefix                   = "${local.ssm_prefix}/senders"
   ttl_shard_count                      = 3
   unscanned_files_bucket               = local.acct.additional_s3_buckets["digital-letters_unscanned-files"]["id"]
+
+  bc_restricted_dev_role = try(tolist(data.aws_iam_roles.sso_bc_restricted_dev[0].arns)[0], null)
 }
@@ -1,5 +1,5 @@
 module "s3bucket_file_safe" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip"
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket?ref=feature/CCM-16776_s3_pii_access" #Change this later to actual tag
 
   name = "file-safe"
 
@@ -10,6 +10,7 @@ module "s3bucket_file_safe" {
   component      = local.component
 
   kms_key_arn = module.kms.key_arn
+  enable_abac = var.restrict_pii_data_access ? true : false
 
   policy_documents = [data.aws_iam_policy_document.s3bucket_file_safe.json]
 
@@ -41,7 +42,8 @@ module "s3bucket_file_safe" {
   ]
 
   default_tags = {
-    NHSE-Enable-S3-Backup-Acct = "True"
+    NHSE-Enable-S3-Backup-Acct = "True",
+    NHSE-PII-Data              = "True"
   }
 }
 
@@ -85,4 +87,28 @@ data "aws_iam_policy_document" "s3bucket_file_safe" {
       ]
     }
   }
+
+  # dynamic "statement" {
+  #   for_each = var.restrict_pii_data_access ? [1] : []
+  #   content {
+  #     effect = "Deny"
+  #     actions = [
+  #       "s3:GetObject",
+  #       "s3:GetObjectVersion",
+  #       "s3:PutObject",
+  #       "s3:DeleteObject"
+  #     ]
+  #     resources = [
+  #       module.s3bucket_file_safe.arn,
+  #       "${module.s3bucket_file_safe.arn}/*",
+  #     ]
+
+  #     principals {
+  #       type = "AWS"
+  #       identifiers = [
+  #         local.bc_restricted_dev_role
+  #       ]
+  #     }
+  #   }
+  # }
 }
@@ -1,5 +1,5 @@
 module "s3bucket_pii_data" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip"
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/terraform/modules/s3bucket?ref=feature/CCM-16776_s3_pii_access" #Change this later to actual tag
 
   name = "pii-data"
 
@@ -9,14 +9,15 @@ module "s3bucket_pii_data" {
   environment    = var.environment
   component      = local.component
 
-  kms_key_arn = module.kms.key_arn
-
+  kms_key_arn      = module.kms.key_arn
+  enable_abac      = var.restrict_pii_data_access ? true : false
   policy_documents = [data.aws_iam_policy_document.s3bucket_pii_data.json]
 
   force_destroy = var.force_destroy
 
   default_tags = {
-    NHSE-Enable-S3-Backup-Acct = "True"
+    NHSE-Enable-S3-Backup-Acct = "True",
+    NHSE-PII-Data              = "True",
   }
 }
 
@@ -61,4 +62,28 @@ data "aws_iam_policy_document" "s3bucket_pii_data" {
       ]
     }
   }
+
+  # dynamic "statement" {
+  #   for_each = var.restrict_pii_data_access ? [1] : []
+  #   content {
+  #     effect = "Deny"
+  #     actions = [
+  #       "s3:GetObject",
+  #       "s3:GetObjectVersion",
+  #       "s3:PutObject",
+  #       "s3:DeleteObject"
+  #     ]
+  #     resources = [
+  #       module.s3bucket_pii_data.arn,
+  #       "${module.s3bucket_pii_data.arn}/*",
+  #     ]
+
+  #     principals {
+  #       type = "AWS"
+  #       identifiers = [
+  #         local.bc_restricted_dev_role
+  #       ]
+  #     }
+  #   }
+  # }
 }
@@ -319,3 +319,9 @@ variable "event_anomaly_band_width" {
     error_message = "Band width must be between 2 and 10"
   }
 }
+
+variable "restrict_pii_data_access" {
+  type        = bool
+  description = "Whether to restrict access to PII data in the bucket using a bucket policy"
+  default     = true
+}