diff --git a/modules/products/static-site/storage.tf b/modules/products/static-site/storage.tf
index 4475d80..af4f9be 100644
--- a/modules/products/static-site/storage.tf
+++ b/modules/products/static-site/storage.tf
@@ -53,6 +53,12 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
     }
   }
   statement {
+    sid    = "AllowCloudFrontServicePrincipalReadOnly"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
     actions = [
       "s3:ListBucket"
     ]