diff --git a/terraform/main.tf b/terraform/main.tf
index bce0c4f..a79cf35 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -24,12 +24,25 @@ module "vpc" {
   enable_vpn_gateway = false
 }
 
+resource "aws_iam_role" "social" {
+  name = "social_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+  path = "/"
+  description = "instance role for social server"
+}
+
+resource "aws_iam_instance_profile" "social" {
+  name = "social_profile"
+  role = aws_iam_role.social.name
+  path = "/"
+}
+
 resource "aws_instance" "social" {
   ami = data.aws_ami.ubuntu.id
   instance_type = local.instance_type
   subnet_id = module.vpc.public_subnets.0
   key_name = aws_key_pair.key.key_name
-  iam_instance_profile = aws_iam_instance_profile.ssm.name
+  iam_instance_profile = aws_iam_instance_profile.social.name
   vpc_security_group_ids = [
     module.sg.security_group_id
   ]
diff --git a/terraform/s3-private.tf b/terraform/s3-private.tf
new file mode 100644
index 0000000..f0823c1
--- /dev/null
+++ b/terraform/s3-private.tf
@@ -0,0 +1,37 @@
+
+module "private_s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = "mastodon-private-${random_pet.name.id}"
+
+  versioning = {
+    enabled = false
+  }
+
+}
+
+data "aws_iam_policy_document" "private_s3" {
+  statement {
+    actions = [
+      "s3:*"
+    ]
+    resources = [
+      "${module.private_s3_bucket.s3_bucket_arn}",
+      "${module.private_s3_bucket.s3_bucket_arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "private_s3" {
+  name = "${module.private_s3_bucket.s3_bucket_id}-access"
+  policy = data.aws_iam_policy_document.private_s3.json
+  path = "/"
+  description = "permissions for mastodon private s3 bucket"
+}
+
+resource "aws_iam_role_policy_attachment" "private_s3" {
+  role = aws_iam_role.social.name
+  policy_arn = aws_iam_policy.private_s3.arn
+}
+
+
diff --git a/terraform/s3.tf b/terraform/s3.tf
index dc26a0d..ebdaed7 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
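Review bot: `aws_instance.social` now carries an instance profile whose role is given `s3:*` on a bucket (attached in s3-private.tf), yet the resource sets no `metadata_options`, so the role's credentials stay reachable over IMDSv1 from any process on the host. Adding `metadata_options { http_tokens = "required" }` to the instance makes the metadata service demand an IMDSv2 session token, which closes the usual SSRF-to-credential path; the `aws_instance.social` block continues past the end of the hunk, so place it with the other arguments there. The new `aws_iam_role.social` also has no `permissions_boundary`, and since this commit turns it into the single role that collects every permission the server needs, a header comment such as `# Single instance role for the social server; every policy attachment below widens what the host can do` would make later attachments get reviewed as deliberate scope changes.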
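Review bot: The statement in `data.aws_iam_policy_document.private_s3` grants `s3:*` on the bucket and its objects, which includes bucket-level management actions (bucket policy, ACLs, lifecycle, deleting the bucket itself) that a media-serving instance has no reason to hold; scope `actions` to the object operations the application actually performs, for example `actions = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`, confirmed against the application's S3 usage. The `module "private_s3_bucket"` call sets only `versioning`, so public-access blocking and server-side encryption are whatever the unpinned module version defaults to; setting them explicitly in this file records the intent independent of module version. Wrapping single expressions as `"${module.private_s3_bucket.s3_bucket_arn}"` in the `resources` list (and the same edit made to s3.tf in this commit) is interpolation-only syntax that Terraform 0.12+ reports as deprecated; the bare `module.private_s3_bucket.s3_bucket_arn` reads better, and only the `/*` suffix entry needs a template string.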
@@ -32,13 +32,12 @@ data "aws_iam_policy_document" "s3" {
       "s3:*"
     ]
     resources = [
-      module.s3_bucket.s3_bucket_arn,
+      "${module.s3_bucket.s3_bucket_arn}",
       "${module.s3_bucket.s3_bucket_arn}/*"
     ]
   }
 }
 
-
 resource "local_file" "s3_secret" {
   filename = ".s3_secret"
   content = "${aws_iam_access_key.s3.secret}\n"
diff --git a/terraform/ssm.tf b/terraform/ssm.tf
index 2adf8ad..1ade231 100644
--- a/terraform/ssm.tf
+++ b/terraform/ssm.tf
@@ -1,13 +1,6 @@
 # SSM permissions
 
-resource "aws_iam_role" "ssm" {
-  name = "social_ssm"
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
-  path = "/"
-  description = "SSM permissions for social server"
-}
-
 
 data "aws_iam_policy_document" "assume_role_policy" {
   statement {
     actions = ["sts:AssumeRole"]
@@ -31,14 +24,8 @@ data "aws_iam_policy" "ssm" {
 }
 
 resource "aws_iam_role_policy_attachment" "ssm" {
-  role = aws_iam_role.ssm.name
+  role = aws_iam_role.social.name
   policy_arn = aws_iam_policy.ssm.arn
 }
 
-resource "aws_iam_instance_profile" "ssm" {
-  name = "social_ssm"
-  role = aws_iam_role.ssm.name
-  path = "/"
-}
-
 