diff --git a/infra/frontend.ts b/infra/frontend.ts
index 6a5053c..257e233 100644
--- a/infra/frontend.ts
+++ b/infra/frontend.ts
@@ -12,7 +12,24 @@ const prefix = `${common.prefix}-frontend`;
 // ---- bucket ----
 export const bucket = new aws.s3.Bucket(`${prefix}-bucket`, {tags});
-const bucketOai = new aws.cloudfront.OriginAccessIdentity(`${prefix}-oai`);
+
+// ---- OAI ----
+const oai = new aws.cloudfront.OriginAccessIdentity(`${prefix}-oai`);
+new aws.s3.BucketPolicy(`${prefix}-bucket-policy`, {
+bucket: bucket.bucket,
+policy: pulumi.all([oai.iamArn, bucket.arn]).apply(([a, b]) => JSON.stringify({
+Version: "2012-10-17",
+Statement: [{
+Effect: "Allow",
+Principal: {
+AWS: a,
+},
+Action: ["s3:GetObject"],
+Resource: [`${b}/*`],
+}],
+})),
+});
+
 // ---- cloudfront ----
 export const cloudfront = new aws.cloudfront.Distribution(`${prefix}-cloudfront`, {
@@ -21,7 +38,7 @@ export const cloudfront = new aws.cloudfront.Distribution(`${prefix}-cloudfront`
 domainName: bucket.bucketRegionalDomainName,
 originId: bucket.arn,
 s3OriginConfig: {
-originAccessIdentity: bucketOai.cloudfrontAccessIdentityPath,
+originAccessIdentity: oai.cloudfrontAccessIdentityPath,
 },
 }],
 enabled: true,
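Review bot: The destructured names `a` and `b` in the new BucketPolicy's `.apply(([a, b]) => …)` hide which ARN is the principal and which is the resource in the one statement that decides who may read the bucket; renaming them to `([oaiArn, bucketArn])` with `AWS: oaiArn,` and `Resource: [`${bucketArn}/*`],` makes the grant reviewable at a glance. The statement grants `s3:GetObject` only and omits `s3:ListBucket`, which means the bucket cannot be enumerated through CloudFront and a missing key surfaces as 403 rather than 404; a comment such as `// GetObject only: no ListBucket, so missing keys return 403 and the bucket cannot be listed` would keep a later maintainer from "fixing" that. Nothing in this hunk blocks public ACLs or public policies on the bucket, so unless a BucketPublicAccessBlock is declared elsewhere in the file it belongs next to this policy. OriginAccessIdentity is the legacy mechanism and CloudFront origin access control is its successor, though switching would also change the distribution's origin config in the second hunk.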