diff --git a/aws_bucket/main.tf b/aws_bucket/main.tf
new file mode 100644
index 0000000..e9c2eb5
--- /dev/null
+++ b/aws_bucket/main.tf
@@ -0,0 +1,60 @@
+## ----- locals ----------------------------------------------------------------
+
+locals {
+ create_user = var.user_name == "" ? true : false
+ bucket_name = var.bucket_prefix == "" ? var.bucket_name : format("%s-%s", var.bucket_prefix, var.bucket_name)
+ user_name = var.user_name == "" ? local.bucket_name : var.user_name
+}
+
+## ----- bucket user -----------------------------------------------------------
+
+module "user" {
+ source = "../aws_user"
+ count = local.create_user ? 1 : 0
+
+ user_name = local.user_name
+ path = "/bucket-users/"
+}
+
+data "aws_iam_user" "bucket" {
+ count = local.create_user ? 0 : 1
+
+ user_name = local.user_name
+}
+
+## ----- access control --------------------------------------------------------
+
+data "aws_iam_policy_document" "bucket" {
+ statement {
+ actions = [
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ format("%s", aws_s3_bucket.bucket.arn),
+ ]
+ }
+ statement {
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ ]
+
+ resources = [
+ format("%s/*", aws_s3_bucket.bucket.arn),
+ ]
+ }
+}
+
+resource "aws_iam_user_policy" "bucket" {
+ name = local.create_user ? format("%s-access", local.user_name) : format("%s-%s-access", local.user_name, local.bucket_name)
+ user = local.user_name
+ policy = data.aws_iam_policy_document.bucket.json
+}
+
+## ----- bucket ----------------------------------------------------------------
+
+resource "aws_s3_bucket" "bucket" {
+ bucket = local.bucket_name
+}
diff --git a/aws_bucket/outputs.tf b/aws_bucket/outputs.tf
new file mode 100644
index 0000000..4b29490
--- /dev/null
+++ b/aws_bucket/outputs.tf
@@ -0,0 +1,8 @@
+output "user_access_key" {
+ value = local.create_user ? module.user[0].access_key : null
+}
+
+output "user_secret_key" {
+ value = local.create_user ? module.user[0].secret_key : null
+ sensitive = true
+}
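Review bot: `user = local.user_name` in `aws_iam_user_policy.bucket` references a local that is derived only from input variables, so Terraform sees no dependency on `module.user` or `data.aws_iam_user.bucket` and on a fresh apply may try to attach the policy before the IAM user exists; adding `depends_on = [module.user, data.aws_iam_user.bucket]` to that resource pins the order (referencing the created user's name from the module would be cleaner, if the user module exports it — not visible here). The bucket resource at the end of the hunk is declared with only its name and no explicit `aws_s3_bucket_public_access_block`, versioning or encryption settings; AWS applies block-public-access and SSE-S3 to new buckets by default, but declaring the block makes the posture auditable in code and independent of account-level settings, as in the fence below. Minor style: `format("%s", aws_s3_bucket.bucket.arn)` is just `aws_s3_bucket.bucket.arn`, and `var.user_name == "" ? true : false` is just `var.user_name == ""`.
```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = local.bucket_name
}

# Explicit, auditable public-access block for the bucket declared above.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```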
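Review bot: `sensitive = true` on `user_secret_key` only redacts the value in plan/apply output; the secret key (and the access key ID next to it) is still written in plaintext to the Terraform state, and any root module that surfaces this output re-exports it. A comment on the output, e.g. `# sensitive only masks CLI output; the key is still stored in state — keep the backend encrypted and access-controlled`, would make that explicit for consumers, and callers that pass the value onward should mark their own output sensitive as well.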
diff --git a/aws_bucket/providers.tf b/aws_bucket/providers.tf
new file mode 100644
index 0000000..0b240bc
--- /dev/null
+++ b/aws_bucket/providers.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.9.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.65.0"
+ }
+ }
+}
diff --git a/aws_bucket/variables.tf b/aws_bucket/variables.tf
new file mode 100644
index 0000000..50de307
--- /dev/null
+++ b/aws_bucket/variables.tf
@@ -0,0 +1,18 @@
+## ----- general configuration -------------------------------------------------
+
+variable "bucket_name" {
+ description = "Name of the bucket."
+ type = string
+}
+
+variable "bucket_prefix" {
+ description = "Prefix for the bucket name."
+ type = string
+ default = "tegridy"
+}
+
+variable "user_name" {
+ description = "If provided no additional user will be created."
+ type = string
+ default = ""
+}
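Review bot: The description of `user_name` in the variables.tf hunk says only what is not done and never states what the value is; it should read along the lines of `description = "Name of an existing IAM user to grant bucket access. When empty, a dedicated user named after the bucket is created."`. The `bucket_prefix` description could likewise mention that an empty string disables the prefix, since that is the case `local.bucket_name` in main.tf checks for.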