diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b791c3..c5af27e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## Version 0.5.3 [WIP]
 * Improve message content when cfn_create raises an exception and fails.
 * Cleanup SSL certificates when cfn_create raises an exception and fails.
+* Make default S3 permissions more restrictive. Everyone can get object.
 ## Version 0.5.2
diff --git a/bootstrap_cfn/config.py b/bootstrap_cfn/config.py
index a1afcf9..a01d1cf 100644
--- a/bootstrap_cfn/config.py
+++ b/bootstrap_cfn/config.py
@@ -277,14 +277,10 @@ def s3(self):
 else:
 arn = 'arn:aws:s3:::%s/*' % self.data['s3']['static-bucket-name']
 policy = {
-'Action': [
-'s3:Get*',
-'s3:Put*',
-'s3:List*'],
+'Action': ['s3:GetObject'],
 'Resource': arn,
 'Effect': 'Allow',
-'Principal': {
-'AWS': '*'}}
+'Principal': '*'}
 bucket_policy = BucketPolicy(
 "StaticBucketPolicy",
diff --git a/tests/tests.py b/tests/tests.py
index d9d92a8..1abc297 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -121,14 +121,10 @@ def test_s3(self):
 'Statement': [
 {
 'Action': [
-'s3:Get*',
-'s3:Put*',
-'s3:List*'],
+'s3:GetObject'],
 'Resource': 'arn:aws:s3:::moj-test-dev-static/*',
 'Effect': 'Allow',
-'Principal': {
-'AWS': '*'
-}
+'Principal': '*'
 }
 ]
 }
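Review bot: The new `'Action': ['s3:GetObject']` / `'Principal': '*'` lines in bootstrap_cfn/config.py still grant anonymous read of every object under `arn:aws:s3:::<static-bucket-name>/*`, and nothing in `s3()` documents that the static bucket is intentionally world-readable, so a future maintainer could place non-public content there without realising it is exposed. I'd add a comment above `policy = {` such as `# Intentionally public: anonymous s3:GetObject on every object in the static bucket (CHANGELOG 0.5.3). Never store non-public content in this bucket.` As far as the visible else-branch shows, the resource is the object ARN (`/*`) rather than the bucket ARN, so the statement does not cover bucket-level listing; if that is deliberate, a second comment line saying so would save the next reader from checking. The `s3` method starts and ends outside the hunk and the `if` branch that also assigns `arn` is not visible, so the same caveat should be checked against that branch.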