diff --git a/infrastructure/terraform/lambda/pashub_to_ara/main.tf b/infrastructure/terraform/lambda/pashub_to_ara/main.tf
index 3d1050c1..1a457617 100644
--- a/infrastructure/terraform/lambda/pashub_to_ara/main.tf
+++ b/infrastructure/terraform/lambda/pashub_to_ara/main.tf
@@ -51,3 +51,8 @@ module "lambda" {
 PASHUB_PASSWORD = var.pashub_password
 }
 }
+
+resource "aws_iam_role_policy_attachment" "pashub_to_ara_s3_write" {
+ role = module.lambda.role_name
+ policy_arn = data.terraform_remote_state.shared.outputs.pashub_to_ara_s3_write_arn
+}
diff --git a/infrastructure/terraform/shared/main.tf b/infrastructure/terraform/shared/main.tf
index fbd09565..98b08e7d 100644
--- a/infrastructure/terraform/shared/main.tf
+++ b/infrastructure/terraform/shared/main.tf
@@ -566,6 +566,20 @@ module "pashub_to_ara_registry" {
 stage = var.stage
 }
 
+module "pashub_to_ara_s3_write" {
+ source = "../modules/s3_iam_policy"
+
+ policy_name = "PashubToAraWriteS3"
+ policy_description = "Allow PasHub to ARA Lambda to write to retrofit energy assessments bucket"
+ bucket_arns = ["arn:aws:s3:::retrofit-energy-assessments-${var.stage}"]
+ actions = ["s3:PutObject", "s3:AbortMultipartUpload"]
+ resource_paths = ["/*"]
+}
+
+output "pashub_to_ara_s3_write_arn" {
+ value = module.pashub_to_ara_s3_write.policy_arn
+}
+
 ################################################
 # ECMK to Ara – Lambda
 ################################################
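Review bot: The new `aws_iam_role_policy_attachment` in lambda/pashub_to_ara/main.tf resolves `policy_arn` from the `shared` remote state, so this stack cannot plan until `shared` has been applied with the new `pashub_to_ara_s3_write_arn` output, and nothing in the resource says so. A comment above it would record both the grant and the ordering, for example `# Grants s3:PutObject / s3:AbortMultipartUpload on the retrofit energy assessments bucket; policy is defined in shared/main.tf, apply shared first.` The `data.terraform_remote_state.shared` declaration is outside the hunk, so I am assuming it already exists in this module.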
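Review bot: `resource_paths = ["/*"]` in the `pashub_to_ara_s3_write` module gives the Lambda `s3:PutObject` on every key in `retrofit-energy-assessments-${var.stage}`, so it can overwrite objects written by other producers, not only add its own. If this function writes under a single prefix, scope the policy to it, e.g. `resource_paths = ["/<PASHUB_PREFIX>/*"]` (placeholder; the real prefix is not visible here). The bucket ARN is also assembled from a string literal; if the bucket is managed in this stack, referencing its ARN output would keep the policy tied to the actual bucket. Whether bucket versioning is enabled is not visible in this hunk; without it an overwrite through this policy cannot be rolled back.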