diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf
index 13d3e2a..5aa142d 100644
--- a/s3-access-logs/main.tf
+++ b/s3-access-logs/main.tf
@@ -64,7 +64,8 @@ locals {
 #---
 resource "aws_s3_bucket" "logs" {
 bucket = local.bucket_name
- acl = "log-delivery-write"
+ # acl = "log-delivery-write"
+ acl = "private"
 # uses aws/kms key so log delivery works properly
 server_side_encryption_configuration {
@@ -138,7 +139,7 @@ resource "null_resource" "policy_delay" {
 # set ownership controls
 # see documentation:
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls
-#
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
 resource "aws_s3_bucket_ownership_controls" "this" {
 bucket = aws_s3_bucket.logs.id
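Review bot: In the first hunk (`aws_s3_bucket.logs`), `acl = "private"` removes the write grant that `log-delivery-write` gave to the S3 log delivery group, so delivery now depends entirely on a bucket policy that lets the `logging.s3.amazonaws.com` service principal call `s3:PutObject`. That policy is not visible in this hunk and should be confirmed, because without it access logs stop arriving while `terraform apply` still succeeds, which leaves a gap in the audit trail that nobody is alerted to. The commented-out `# acl = "log-delivery-write"` line is dead code; I would delete it and state the reason instead, for example `# log delivery is granted by the bucket policy, not by the log-delivery-write ACL`. The resource body continues outside the hunk, so the encryption settings the existing comment refers to could not be checked here.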