diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
index eacc83d46f..a108fee6de 100644
--- a/terraform/aws/s3.tf
+++ b/terraform/aws/s3.tf
@@ -4,7 +4,6 @@ resource "aws_s3_bucket" "data" {
 # bucket does not have access logs
 # bucket does not have versioning
 bucket = "${local.resource_prefix.value}-data"
- acl = "public-read"
 force_destroy = true
 tags = {
 Name = "${local.resource_prefix.value}-data"
@@ -21,6 +20,13 @@ resource "aws_s3_bucket" "data" {
 versioning {
 enabled = "${var.versioning_enabled}"
 }
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
 }
 
 resource "aws_s3_bucket_object" "data_object" {
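Review bot: The added `server_side_encryption_configuration` block in the second hunk sets `sse_algorithm = "AES256"` (SSE-S3), which encrypts at rest with S3-managed keys but gives no key policy to restrict who can decrypt. If this bucket holds sensitive data, consider `sse_algorithm = "aws:kms"` with `kms_master_key_id` set to a customer-managed key. Default encryption applies only to objects written after the change, so objects already in the bucket keep whatever encryption state they were stored with. The inline block is deprecated from AWS provider v4 in favour of the separate `aws_s3_bucket_server_side_encryption_configuration` resource; the provider version is not visible here, so confirm which form the pinned provider expects. Dropping `acl = "public-read"` in the first hunk does not by itself prevent a bucket policy or object ACL from re-exposing data, so an `aws_s3_bucket_public_access_block` for `aws_s3_bucket.data` would enforce that (the resource begins outside both hunks).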