diff --git a/infrastructure/aws/iam/s3/README.md b/infrastructure/aws/iam/s3/README.md
deleted file mode 100644
index 672911c7..00000000
--- a/infrastructure/aws/iam/s3/README.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# Module: s3
-
-## Description
-
-Attaches an S3 bucket policy that enforces secure transport (HTTPS-only) and optionally merges additional IAM policy statements
-
-## Architecture
-
-The module creates an aws_s3_bucket_policy resource attached to an existing S3 bucket. It uses aws_iam_policy_document data sources to construct the policy: one generates a mandatory Deny statement for aws:SecureTransport=false (rejecting non-HTTPS requests), and another merges this with any additional policy JSON provided via input. The merged policy document flows into the aws_s3_bucket_policy resource, which applies it to the bucket identified by bucket_id.
-
-## Features
-
-- Enforces HTTPS-only access by denying all S3 actions when aws:SecureTransport is false
-- Merges caller-supplied IAM policy statements with the mandatory secure transport policy
-- Prevents unrestricted public access by disallowing Principal '*' with Effect 'Allow'
-- Outputs the final merged policy JSON for verification and audit purposes
-
-## Basic Usage
-
-```hcl
-module "s3" {
- source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v5.3.0"
-
- bucket_arn = "your-bucket-arn"
- bucket_id = "your-bucket-id"
-}
-```
-
-## Using Outputs
-
-```hcl
-# Reference outputs in other resources
-resource "example_resource" "this" {
- example_attribute = module.s3.bucket_id
-}
-```
-
-
-
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [additional\_policy\_json](#input\_additional\_policy\_json) | Optional JSON policy document to merge with the mandatory secure transport policy.
Must NOT contain statements with Principal \"*\" and Effect \"Allow\", as that grants
unrestricted public access. Use specific principals (IAM roles, accounts) instead. | `string` | `null` | no |
-| [bucket\_arn](#input\_bucket\_arn) | ARN of the S3 bucket. Used to build the resource ARNs in the secure transport statement. | `string` | n/a | yes |
-| [bucket\_id](#input\_bucket\_id) | ID (name) of the S3 bucket to which the policy will be applied. | `string` | n/a | yes |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [bucket\_id](#output\_bucket\_id) | ID of the S3 bucket to which the policy was applied. |
-| [policy\_json](#output\_policy\_json) | The final bucket policy JSON applied to the bucket. |
-
-
-
diff --git a/infrastructure/aws/iam/s3/main.tf b/infrastructure/aws/iam/s3/main.tf
deleted file mode 100644
index 157b6eb3..00000000
--- a/infrastructure/aws/iam/s3/main.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-################################################################################
-# S3 Bucket Policy — Secure Transport enforcement
-#
-# Rules enforced by this module:
-# 1. No Principal "*" with Effect "Allow" (unrestricted public access is forbidden).
-# 2. A Deny statement for aws:SecureTransport = false is always present,
-# ensuring the bucket rejects any non-HTTPS request.
-################################################################################
-
-# Mandatory: deny all S3 actions over plain HTTP
-data "aws_iam_policy_document" "secure_transport" {
- statement {
- sid = "DenyNonSecureTransport"
- effect = "Deny"
- actions = ["s3:*"]
-
- resources = [
- var.bucket_arn,
- "${var.bucket_arn}/*",
- ]
-
- principals {
- type = "*"
- identifiers = ["*"]
- }
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
- }
- }
-}
-
-# Merge the secure transport policy with any caller-supplied statements
-data "aws_iam_policy_document" "merged" {
- source_policy_documents = compact([
- data.aws_iam_policy_document.secure_transport.json,
- var.additional_policy_json,
- ])
-}
-
-resource "aws_s3_bucket_policy" "this" {
- bucket = var.bucket_id
- policy = data.aws_iam_policy_document.merged.json
-}
diff --git a/infrastructure/aws/iam/s3/outputs.tf b/infrastructure/aws/iam/s3/outputs.tf
deleted file mode 100644
index d646a02b..00000000
--- a/infrastructure/aws/iam/s3/outputs.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-output "bucket_id" {
- description = "ID of the S3 bucket to which the policy was applied."
- value = aws_s3_bucket_policy.this.bucket
-}
-
-output "policy_json" {
- description = "The final bucket policy JSON applied to the bucket."
- value = data.aws_iam_policy_document.merged.json
-}
diff --git a/infrastructure/aws/iam/s3/variables.tf b/infrastructure/aws/iam/s3/variables.tf
deleted file mode 100644
index 08a8385d..00000000
--- a/infrastructure/aws/iam/s3/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "bucket_id" {
- description = "ID (name) of the S3 bucket to which the policy will be applied."
- type = string
-}
-
-variable "bucket_arn" {
- description = "ARN of the S3 bucket. Used to build the resource ARNs in the secure transport statement."
- type = string
-}
-
-variable "additional_policy_json" {
- description = <<-EOT
- Optional JSON policy document to merge with the mandatory secure transport policy.
- Must NOT contain statements with Principal \"*\" and Effect \"Allow\", as that grants
- unrestricted public access. Use specific principals (IAM roles, accounts) instead.
- EOT
- type = string
- default = null
-}