diff --git a/module_s3_bucket_cloudfront_logging.tf b/module_s3_bucket_cloudfront_logging.tf
index 7ede0f6..a1a5c1e 100644
--- a/module_s3_bucket_cloudfront_logging.tf
+++ b/module_s3_bucket_cloudfront_logging.tf
@@ -5,9 +5,9 @@ module "bucket_cloudwatch_logs_backup" {
  bucket = local.logging_bucket_name
  force_destroy = false
  tags = var.common_tags
- acl = var.whitelabel_domain ? null : "private"
+ acl = var.whitelabel_domain || var.acl_disabled ? null : "private"
  object_ownership = "ObjectWriter"
- control_object_ownership = var.whitelabel_domain ? true : false
+ control_object_ownership = var.whitelabel_domain || var.owner_enabled ? true : false
  attach_access_log_delivery_policy = var.whitelabel_domain ? true : false
 
  # Bucket public access
diff --git a/variables.tf b/variables.tf
index d8cb247..26887df 100644
--- a/variables.tf
+++ b/variables.tf
@@ -133,6 +133,18 @@ variable "whitelabel_domain" {
  default = false
 }
 
+variable "acl_disabled" {
+ description = "Boolean flag to disable ACL"
+ type = bool
+ default = true
+}
+
+variable "owner_enabled" {
+ description = "Boolean flag to enable owner controlled"
+ type = bool
+ default = true
+}
+
 variable "common_tags" {
  type = map(string)
  description = "Implements the common tags."
@@ -141,4 +153,4 @@ variable "common_tags" {
 locals {
  logging_bucket_name = "${var.distribution_name}-cf-logs-${data.aws_region.current.name}-${lower(data.aws_iam_account_alias.current.account_alias)}"
  shared_origin_path = var.shared_origin_access_identity != "" ? var.shared_origin_access_identity : aws_cloudfront_origin_access_identity.current[0].cloudfront_access_identity_path
-}
\ No newline at end of file
+}
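Review bot: The new `acl_disabled` flag on the `acl` line does not disable ACLs on the logging bucket: `object_ownership` stays hard-coded to `"ObjectWriter"` on the next line, which keeps ACLs enabled, so the flag only suppresses the canned `"private"` ACL and leaves `acl = null` for the module to handle. Keeping ACLs enabled is what CloudFront standard log delivery relies on, so the behaviour may be right, but the name promises more than it does; a comment on that line such as `# acl_disabled only skips the canned "private" ACL; ACLs stay enabled because object_ownership is ObjectWriter` would prevent a caller from assuming the bucket is ACL-free. Note also that `attach_access_log_delivery_policy` still keys off `var.whitelabel_domain` alone, so with `owner_enabled = true` ownership controls are now managed without the delivery policy unless `whitelabel_domain` is set; confirm that is intended. The `? true : false` on the `control_object_ownership` line is redundant: `control_object_ownership = var.whitelabel_domain || var.owner_enabled`. The module block continues outside the hunk.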
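Review bot: The two new variable descriptions are too vague to tell a caller what the flags actually do, and "enable owner controlled" is not a sentence. Suggest `description = "When true, no canned ACL is set on the CloudFront logging bucket (acl = null); ACLs themselves remain enabled because object_ownership stays ObjectWriter."` for `acl_disabled` and `description = "When true, the module manages the logging bucket's S3 Object Ownership setting (control_object_ownership = true)."` for `owner_enabled`. Both default to `true`, which silently changes existing callers that previously got `acl = "private"` and no ownership control unless `whitelabel_domain` was set; either document that flip in the descriptions or default the flags to `false` to preserve prior behaviour.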