diff --git a/infrastructure/terraform/modules/s3_iam_policy/main.tf b/infrastructure/terraform/modules/s3_iam_policy/main.tf
index 397bd963..0ef5c4be 100644
--- a/infrastructure/terraform/modules/s3_iam_policy/main.tf
+++ b/infrastructure/terraform/modules/s3_iam_policy/main.tf
@@ -2,9 +2,10 @@
 locals {
   # Generate full resource ARNs by combining bucket ARNs with resource paths
   resources = flatten([
-    for bucket_arn in var.bucket_arns : [
-      for path in var.resource_paths : "${bucket_arn}${path}"
-    ]
+    for bucket_arn in var.bucket_arns : concat(
+      [bucket_arn],  # bare ARN for bucket-level actions like ListBucket
+      [for path in var.resource_paths : "${bucket_arn}${path}"]
+    )
   ])
 }