diff --git a/onpremises/07-data-storage.md b/onpremises/07-data-storage.md
index ff8bf09..c433f54 100644
--- a/onpremises/07-data-storage.md
+++ b/onpremises/07-data-storage.md
@@ -20,7 +20,31 @@ Alternatively, Amazon Web Services S3 (or an S3 compatible service) can be used
 The basic steps to configure S3 are:
 
 - Create a bucket under your AWS account (folders named `workspaces` and `reviews` will be created in this bucket).
-- Create a new programmatic access user in AWS, with the following permissions: `AmazonS3FullAccess`.
+- Create a new programmatic access user in AWS, with the following IAM policy - make sure to replace the bucket name: 
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:Get*",
+                "s3:List*"
+            ],
+            "Resource": "arn:aws:s3:::BUCKET_NAME"
+        },
+        {
+            "Effect": "Allow",
+            "NotAction": [
+                "s3:CreateBucket",
+                "s3:DeleteBucket"
+            ],
+            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
+        }
+    ]
+}
+```
+
 - Modify your `structurizr.properties` file to configure AWS S3 integration as follows:
 
 | Property name            | Property value                                                                                                                                 |