diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
index 95fa5e06..81f23f63 100644
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@@ -6,10 +6,10 @@ terraform {
 }
 }
 backend "s3" {
- bucket = "assessment-model-terraform-state"
- region = "eu-west-2"
- profile="DevAdmin"
- key = "terraform.tfstate"
+ bucket = "assessment-model-terraform-state"
+ region = "eu-west-2"
+ profile = "DevAdmin"
+ key = "terraform.tfstate"
 }
 required_version = ">= 1.2.0"
@@ -22,8 +22,8 @@ provider "aws" {
 # Additional provider for resources that need to be in us-east-1, specifically the SSL certificate
 provider "aws" {
- alias = "aws_use1"
- region = "us-east-1"
+ alias = "aws_use1"
+ region = "us-east-1"
 }
 # Assuming the secret is already created and the name is "/assessment_model/db_credentials"
@@ -56,23 +56,23 @@ resource "aws_security_group" "allow_db" {
 }
 egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
 resource "aws_db_instance" "default" {
- allocated_storage = var.allocated_storage
- engine = "postgres"
- engine_version = "14.7"
- instance_class = var.instance_class
- db_name = var.database_name
- username = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_username"]
- password = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_password"]
- parameter_group_name = "default.postgres14"
- skip_final_snapshot = true
+ allocated_storage = var.allocated_storage
+ engine = "postgres"
+ engine_version = "14.7"
+ instance_class = var.instance_class
+ db_name = var.database_name
+ username = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_username"]
+ password = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_password"]
+ parameter_group_name = "default.postgres14"
+ skip_final_snapshot = true
 vpc_security_group_ids = [aws_security_group.allow_db.id]
 lifecycle {
 prevent_destroy = true
@@ -85,23 +85,29 @@ resource "aws_db_instance" "default" {
 # Set up the bucket that recieve the csv uploads of properties to be retrofit
 module "s3_presignable_bucket" {
- source = "./modules/s3_presignable_bucket"
- environment = var.stage
+ source = "./modules/s3_presignable_bucket"
+ environment = var.stage
+ allowed_origins = var.allowed_origins
+}
+
+module "s3" {
+ source = "./modules/s3"
+ bucketname = "retrofit-datalake-${var.stage}"
 allowed_origins = var.allowed_origins
 }
 # Set up the route53 record for the API
 module "route53" {
- source = "./modules/route53"
- domain_name = var.domain_name
+ source = "./modules/route53"
+ domain_name = var.domain_name
 api_url_prefix = var.api_url_prefix
- providers = {
+ providers = {
 aws.aws_use1 = aws.aws_use1
 }
 }
 # Create an ECR repository for storage of the lambda's docker images
 module "ecr" {
- source = "./modules/ecr"
+ source = "./modules/ecr"
 environment = var.stage
 }
diff --git a/infrastructure/terraform/modules/s3/main.tf b/infrastructure/terraform/modules/s3/main.tf
new file mode 100644
index 00000000..e2dfb6d9
--- /dev/null
+++ b/infrastructure/terraform/modules/s3/main.tf
@@ -0,0 +1,32 @@
+resource "aws_s3_bucket" "bucket" {
+ bucket = "${var.bucketname}"
+ acl = "private"
+
+ # cors_rule {
+ # allowed_headers = ["Content-Type", "Authorization"]
+ # allowed_methods = ["PUT"]
+ # allowed_origins = var.allowed_origins
+ # expose_headers = ["ETag"]
+ # max_age_seconds = 3000
+ # }
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public" {
+ bucket = aws_s3_bucket.bucket.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
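Review bot: `module "s3"` passes `allowed_origins = var.allowed_origins`, but inside the new module (modules/s3/main.tf in this same commit) the only reference to that input is the commented-out `cors_rule`, so the argument has no effect while modules/s3/variables.tf still makes it a required input; either drop the argument and the variable until the CORS rule is restored, or re-enable the rule so the documented pre-signed-URL use actually applies. The instance name `"s3"` is generic next to `"s3_presignable_bucket"`; naming it after its role (the bucket is `retrofit-datalake-${var.stage}`) would make `module.s3.bucket_name` self-describing to callers. A one-line comment above the block, in the style of the one on `s3_presignable_bucket`, saying which component writes to and reads from this bucket, is also missing.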
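Review bot: The bucket blocks public access and encrypts at rest, but nothing denies plaintext transport, so a caller with credentials can still read or write it over HTTP; the usual complement to `aws_s3_bucket_public_access_block` is an `aws_s3_bucket_policy` with a `Deny` conditioned on `aws:SecureTransport` being false, sketched below (a Deny-only policy is unaffected by `block_public_policy`). `bucket = "${var.bucketname}"` is a redundant interpolation that `terraform fmt`/`validate` warns about; since the rest of this commit is fmt clean-up, `bucket = var.bucketname` would be consistent. The inline `acl` and `server_side_encryption_configuration` arguments are deprecated from AWS provider 4.x in favour of the separate `aws_s3_bucket_acl` and `aws_s3_bucket_server_side_encryption_configuration` resources; the provider version pin is not in this diff, so check which applies before the next provider upgrade. For a bucket that receives uploads and is already guarded by `prevent_destroy`, enabling versioning via `aws_s3_bucket_versioning` would extend that protection to individual objects against overwrite or deletion.
```hcl
# … unchanged: aws_s3_bucket.bucket and aws_s3_bucket_public_access_block.block_public …

# Reject any request that does not arrive over TLS.
resource "aws_s3_bucket_policy" "tls_only" {
  bucket = aws_s3_bucket.bucket.id

  # Applying a policy while the public-access block is still being put in
  # place can fail with a conflicting-operation error; serialise the two.
  depends_on = [aws_s3_bucket_public_access_block.block_public]

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.bucket.arn, "${aws_s3_bucket.bucket.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```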
diff --git a/infrastructure/terraform/modules/s3/outputs.tf b/infrastructure/terraform/modules/s3/outputs.tf
new file mode 100644
index 00000000..a5e7ddb4
--- /dev/null
+++ b/infrastructure/terraform/modules/s3/outputs.tf
@@ -0,0 +1,4 @@
+output "bucket_name" {
+ description = "The name of the S3 bucket"
+ value = aws_s3_bucket.bucket.bucket
+}
diff --git a/infrastructure/terraform/modules/s3/variables.tf b/infrastructure/terraform/modules/s3/variables.tf
new file mode 100644
index 00000000..ff0fc221
--- /dev/null
+++ b/infrastructure/terraform/modules/s3/variables.tf
@@ -0,0 +1,13 @@
+variable "bucketname" {
+ description = "The name of the bucket to create"
+ type = string
+}
+
+# Between production and development, we need to specify the
+# allowed origins for CORS differently. This variable is set to allow
+# us to generate pre-signed urls and in development, we want to be able to
+# do so from localhost.
+variable "allowed_origins" {
+ description = "Allowed origins for CORS"
+ type = list(string)
+}
\ No newline at end of file
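Review bot: Only the bucket name is exported, so any caller that needs to grant a role access to this bucket has to assemble the ARN by hand; adding a second output (`output "bucket_arn"` with `value = aws_s3_bucket.bucket.arn` and a matching `description`) keeps IAM policies in the calling module free of string-built ARNs. The existing `description` on `bucket_name` is fine and the new output should carry one in the same style.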
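Review bot: `bucketname` is accepted as any string, so a name that breaks the S3 naming rules (uppercase, wrong length, bad leading or trailing character) is only rejected by the API at apply time, after the rest of the plan has started; the root module requires Terraform `>= 1.2.0` (visible in the first hunk of main.tf), so a `validation` block can fail at plan time instead, shown below. The file also ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would add and which otherwise shows up as noise in the next diff touching this file.
```hcl
variable "bucketname" {
  description = "The name of the bucket to create"
  type        = string

  # S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
  # starting and ending with a letter or digit.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.bucketname))
    error_message = "bucketname must be a valid S3 bucket name (3-63 lowercase letters, digits, dots or hyphens)."
  }
}

# … unchanged: allowed_origins comment and variable …
```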