diff --git a/main.tf b/main.tf
index 0c0e19c..67847a5 100644
--- a/main.tf
+++ b/main.tf
@@ -63,15 +63,23 @@ data "aws_iam_policy_document" "bucket_policy_read" {
 count = local.enable_read_accounts ? 1 : 0
 statement {
- sid = "AllowCrossAccountRead"
- resources = [
- local.bucket_arn,
- "${local.bucket_arn}/*",
- ]
- actions = [
- "s3:Get*",
- "s3:List*",
- ]
+ sid = "AllowCrossAccountList"
+ resources = [local.bucket_arn]
+ actions = ["s3:List*"]
+ principals {
+ type = "AWS"
+ identifiers = var.read_accounts
+ }
+ condition {
+ test = "StringLike"
+ variable = "s3:prefix"
+ values = ["${var.read_prefix}*"]
+ }
+ }
+ statement {
+ sid = "AllowCrossAccountGet"
+ resources = ["${local.bucket_arn}/${var.read_prefix}*",]
+ actions = ["s3:Get*"]
 principals {
 type = "AWS"
 identifiers = var.read_accounts
diff --git a/outputs.tf b/outputs.tf
old mode 100755
new mode 100644
diff --git a/variables.tf b/variables.tf
index e68ed5e..4e457de 100644
--- a/variables.tf
+++ b/variables.tf
@@ -30,6 +30,12 @@ variable "read_accounts" {
 default = []
 }
+variable "read_prefix" {
+ description = "Prefix of object keys to restrict cross-account reads to"
+ type = string
+ default = ""
+}
+
 variable "write_accounts" {
 description = "List of other AWS accounts which should get write access to the bucket"
 type = list(string)
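Review bot: Both new statements interpolate `var.read_prefix` straight into an IAM pattern (`values = ["${var.read_prefix}*"]` and `resources = ["${local.bucket_arn}/${var.read_prefix}*",]`), so the grant is a raw string prefix rather than a key "folder": a `read_prefix` of `logs` also exposes `logs-archive/...`, and any `*` or `?` in the value is expanded by IAM's StringLike/ARN matching, widening the grant beyond what the caller typed. Neither statement normalises or rejects such values, so I would at least add a comment above the `AllowCrossAccountList` statement, e.g. `# read_prefix is matched as a plain string prefix (no implied "/"); IAM wildcards in it widen the grant - see variables.tf`. With the default `""` both statements collapse to the bucket-wide `*` grant the removed `AllowCrossAccountRead` statement gave, which keeps existing callers working; once a non-empty prefix is set, a bare bucket listing from the read accounts will presumably be denied because the request's `s3:prefix` no longer matches `<prefix>*`, which is intended but worth stating. Minor style point: the trailing comma in the single-element `resources = [...,]` list on the Get statement is inconsistent with `resources = [local.bucket_arn]` a few lines above. The `data "aws_iam_policy_document"` block and the second statement's `principals` block continue outside the hunk.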
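Review bot: The new `read_prefix` variable has no validation, yet main.tf splices it unescaped into an IAM `StringLike` condition and an object-ARN resource, so a value containing `*` or `?` silently broadens the cross-account grant and a leading `/` produces a `bucket//key` ARN that matches nothing. A `validation` block rejecting those characters, plus a description that spells out the plain-prefix semantics and the need for a trailing `/` for folder-style restriction, would catch this at `terraform plan` instead of at the policy. The `variable "read_prefix"` block is fully inside the hunk.
```hcl
variable "read_prefix" {
  description = "Object-key prefix that read_accounts may list and get. Matched as a plain string prefix (\"logs\" also matches \"logs-archive/\"), so end it with \"/\" for folder-style scoping; empty grants the whole bucket."
  type        = string
  default     = ""

  validation {
    # IAM expands * and ? inside StringLike/ARN patterns; a leading / would build a bucket//key ARN.
    condition     = !can(regex("^/|[*?]", var.read_prefix))
    error_message = "read_prefix must not contain IAM wildcard characters (* or ?) or begin with '/'."
  }
}
```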