diff --git a/aws/tf/modules/sra/privatelink.tf b/aws/tf/modules/sra/privatelink.tf
index 2277098..4bb555c 100644
--- a/aws/tf/modules/sra/privatelink.tf
+++ b/aws/tf/modules/sra/privatelink.tf
@@ -131,11 +131,12 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
 }
 statement {
- sid = "Grant access to Databricks Log Bucket"
+ sid = "Grant access to Databricks System Tables Bucket"
 effect = "Allow"
 actions = [
- "s3:PutObject",
 "s3:ListBucket",
+ "s3:GetObjectVersion",
+ "s3:GetObject",
 "s3:GetBucketLocation"
 ]
@@ -145,8 +146,8 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
 }
 resources = [
- "arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}/*",
- "arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}"
+ "arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket/*",
+ "arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket"
 ]
 condition {
@@ -157,7 +158,7 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
 }
 statement {
- sid = "Grant access to Databricks System Tables Bucket"
+ sid = "Grant access to Databricks Sample Data Bucket"
 effect = "Allow"
 actions = [
 "s3:ListBucket",
@@ -172,8 +173,8 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
 }
 resources = [
- "arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket/*",
- "arn:aws:s3:::system-tables-prod-${var.region}-uc-metastore-bucket"
+ "arn:aws:s3:::databricks-datasets-${var.region_bucket_name}/*",
+ "arn:aws:s3:::databricks-datasets-${var.region_bucket_name}"
 ]
 condition {
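Review bot: The statement renamed to "Grant access to Databricks Sample Data Bucket" in the `@@ -157,7 +158,7 @@` hunk keeps the action list of the former System Tables statement, and only its first entry `"s3:ListBucket",` is visible here, so the privileges actually granted to the `databricks-datasets-*` bucket cannot be checked from this diff. The endpoint policy is meant to be restrictive, so the sample-data statement should carry read-only actions only; please confirm the remaining entries in that list are limited to `s3:GetObject`, `s3:GetObjectVersion` and `s3:GetBucketLocation` and that no `s3:PutObject` was inherited. A short comment on the statement, e.g. `# Read-only access to the Databricks-owned sample datasets bucket`, would make the intended scope visible next to the resource ARNs in the `@@ -172,8 +173,8 @@` hunk. Each of these statements begins or ends outside the hunk shown.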
@@ -182,8 +183,33 @@ data "aws_iam_policy_document" "s3_vpc_endpoint_policy" {
 values = ["414351767826"]
 }
 }
-}
+ statement {
+ sid = "Grant access to Databricks Log Bucket"
+ effect = "Allow"
+ actions = [
+ "s3:PutObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ resources = [
+ "arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}/*",
+ "arn:aws:s3:::databricks-prod-storage-${var.region_bucket_name}"
+ ]
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalAccount"
+ values = ["414351767826"]
+ }
+ }
+}
 // Restrictive STS endpoint policy:
 data "aws_iam_policy_document" "sts_vpc_endpoint_policy" {
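Review bot: The appended Log Bucket statement pairs `identifiers = ["*"]` with `s3:PutObject` on `databricks-prod-storage-*`, and the only thing that keeps this from being a wildcard write grant through the endpoint is the `aws:PrincipalAccount` condition on the literal `414351767826`, which this hunk now repeats (it appears twice here and, by the surrounding context, in the other statements of the same document). Hoisting that value into a named local, e.g. `locals { databricks_control_plane_account_id = "414351767826" }` referenced as `values = [local.databricks_control_plane_account_id]`, would keep every statement bound to the same account and make a typo in one copy impossible to miss. A comment on the statement would also help a reader who does not know the Databricks setup, e.g. `# Databricks-owned bucket for cluster log delivery; PutObject is the only write action visible in this policy and is limited to principals in the Databricks account`. The containing data block starts outside the hunk.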