diff --git a/infra/s3_notebooks.tf b/infra/s3_notebooks.tf
index 81ccd72..9f59706 100644
--- a/infra/s3_notebooks.tf
+++ b/infra/s3_notebooks.tf
@@ -57,4 +57,24 @@ data "aws_iam_policy_document" "notebooks" {
 ]
 }
 }
+ statement {
+ effect = "Allow"
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ actions = [
+ "s3:GetObject",
+ ]
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.notebooks.id}/shared/*",
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceVpce"
+ values = [
+ aws_vpc_endpoint.s3.id
+ ]
+ }
+ }
 }
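Review bot: The new statement's `principals` block uses `type = "*"` with `identifiers = ["*"]`, so the `aws:SourceVpce` condition is the only control on `s3:GetObject` for `shared/*`. Any caller whose request goes through that endpoint can read the prefix, including unsigned requests and principals from other accounts. Because the condition names a fixed endpoint, S3 Block Public Access will most likely not treat the policy as public, so that guardrail should not be relied on to catch it. I would scope the principal as well, for example `type = "AWS"` with `identifiers = [<reader role ARNs, placeholder>]`, or add a second `condition` on `aws:PrincipalOrgID`, and confirm the endpoint policy on `aws_vpc_endpoint.s3` is not left at allow-all. A short comment above the statement saying who is expected to read `shared/*` would help; the rest of the policy document lies outside this hunk.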