diff --git a/terraform/environments/performance-hub/database.tf b/terraform/environments/performance-hub/database.tf
index 9e73fb60520..3cf0bc1f074 100644
--- a/terraform/environments/performance-hub/database.tf
+++ b/terraform/environments/performance-hub/database.tf
@@ -280,198 +280,7 @@ resource "aws_iam_role_policy_attachment" "s3_database_backups_attachment" {
   role       = aws_iam_role.s3_database_backups_role.name
   policy_arn = aws_iam_policy.s3_database_backups_policy.arn
 }
-#------------------------------------------------------------------------------
-# S3 Bucket for Uploads
-#------------------------------------------------------------------------------
-#tfsec:ignore:AWS002 tfsec:ignore:AWS098
-resource "aws_s3_bucket" "upload_files" {
-  #checkov:skip=CKV_AWS_18
-  #checkov:skip=CKV_AWS_144
-  #checkov:skip=CKV2_AWS_6
-  bucket = "${local.application_name}-uploads-${local.environment}"
-
-  lifecycle {
-    prevent_destroy = true
-  }
-
-  tags = merge(
-    local.tags,
-    {
-      Name = "${local.application_name}-uploads"
-    }
-  )
-}
-
-resource "aws_s3_bucket_acl" "upload_files" {
-  bucket = aws_s3_bucket.upload_files.id
-  acl    = "private"
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "upload_files" {
-  bucket = aws_s3_bucket.upload_files.id
-  rule {
-    id     = "tf-s3-lifecycle"
-    status = "Enabled"
-    noncurrent_version_transition {
-      noncurrent_days = 30
-      storage_class   = "STANDARD_IA"
-    }
-
-    transition {
-      days          = 60
-      storage_class = "STANDARD_IA"
-    }
-  }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "upload_files" {
-  bucket = aws_s3_bucket.upload_files.id
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm     = "aws:kms"
-      kms_master_key_id = aws_kms_key.s3.arn
-    }
-  }
-}
-
-resource "aws_s3_bucket_versioning" "upload_files" {
-  bucket = aws_s3_bucket.upload_files.id
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
-resource "aws_s3_bucket_policy" "upload_files_policy" {
-  bucket = aws_s3_bucket.upload_files.id
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "upload_bucket_policy"
-    Statement = [
-      {
-        Effect    = "Allow"
-        Principal = { AWS = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"] }
-        Action    = "s3:*"
-        Resource = [
-          aws_s3_bucket.upload_files.arn,
-          "${aws_s3_bucket.upload_files.arn}/*",
-        ]
-      },
-    ]
-  })
-}
-
-resource "aws_iam_role" "s3_uploads_role" {
-  name               = "${local.application_name}-s3-uploads-role"
-  assume_role_policy = data.aws_iam_policy_document.s3-access-policy.json
-  tags = merge(
-    local.tags,
-    {
-      Name = "${local.application_name}-s3-uploads-role"
-    }
-  )
-}
-
-data "aws_iam_policy_document" "s3-access-policy" {
-  version = "2012-10-17"
-  statement {
-    sid    = ""
-    effect = "Allow"
-    actions = [
-      "sts:AssumeRole",
-    ]
-    principals {
-      type = "Service"
-      identifiers = [
-        "rds.amazonaws.com",
-        "ec2.amazonaws.com",
-      ]
-    }
-  }
-}
 
-resource "aws_iam_policy" "s3-uploads-policy" {
-  name   = "${local.application_name}-s3-uploads-policy"
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-          "s3:*"
-      ],
-      "Resource": [
-          "${aws_s3_bucket.upload_files.arn}"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-          "s3:*"
-      ],
-      "Resource": [
-        "${aws_s3_bucket.upload_files.arn}/*"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "s3:GetEncryptionConfiguration"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-      "kms:Decrypt"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "s3_uploads_attachment" {
-  role       = aws_iam_role.s3_uploads_role.name
-  policy_arn = aws_iam_policy.s3-uploads-policy.arn
-}
-#------------------------------------------------------------------------------
-# KMS setup for S3
-#------------------------------------------------------------------------------
-
-resource "aws_kms_key" "s3" {
-  description         = "Encryption key for s3"
-  enable_key_rotation = true
-  policy              = data.aws_iam_policy_document.s3-kms.json
-
-  tags = merge(
-    local.tags,
-    {
-      Name = "${local.application_name}-s3-kms"
-    }
-  )
-}
-
-resource "aws_kms_alias" "kms-alias" {
-  name          = "alias/s3"
-  target_key_id = aws_kms_key.s3.arn
-}
-
-data "aws_iam_policy_document" "s3-kms" {
-  #checkov:skip=CKV_AWS_111
-  #checkov:skip=CKV_AWS_109
-  statement {
-    effect    = "Allow"
-    actions   = ["kms:*"]
-    resources = ["*"]
-
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"]
-    }
-  }
-}
 #------------------------------------------------------------------------------
 # KMS setup for RDS
 #------------------------------------------------------------------------------
diff --git a/terraform/environments/performance-hub/s3.tf b/terraform/environments/performance-hub/s3.tf
new file mode 100644
index 00000000000..60414fc61ea
--- /dev/null
+++ b/terraform/environments/performance-hub/s3.tf
@@ -0,0 +1,248 @@
+#------------------------------------------------------------------------------
+# S3 Bucket for file uploads and other user-generated content
+# (note this code predates the Modernisation Platform S3 module used below
+# for "ap_landing_bucket")
+#------------------------------------------------------------------------------
+#tfsec:ignore:AWS002 tfsec:ignore:AWS098
+resource "aws_s3_bucket" "upload_files" {
+  #checkov:skip=CKV_AWS_18
+  #checkov:skip=CKV_AWS_144
+  #checkov:skip=CKV2_AWS_6
+  bucket = "${local.application_name}-uploads-${local.environment}"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  tags = merge (
+    local.tags,
+    {
+      Name = "${local.application_name}-uploads"
+    }
+  )
+}
+
+resource "aws_s3_bucket_acl" "upload_files" {
+  bucket = aws_s3_bucket.upload_files.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "upload_files" {
+  bucket = aws_s3_bucket.upload_files.id
+  rule {
+    id     = "tf-s3-lifecycle"
+    status = "Enabled"
+    noncurrent_version_transition {
+      noncurrent_days = 30
+      storage_class   = "STANDARD_IA"
+    }
+
+    transition {
+      days          = 60
+      storage_class = "STANDARD_IA"
+    }
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "upload_files" {
+  bucket = aws_s3_bucket.upload_files.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.s3.arn
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "upload_files" {
+  bucket = aws_s3_bucket.upload_files.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_policy" "upload_files_policy" {
+  bucket = aws_s3_bucket.upload_files.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "upload_bucket_policy"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { AWS = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"] }
+        Action    = "s3:*"
+        Resource = [
+          aws_s3_bucket.upload_files.arn,
+          "${aws_s3_bucket.upload_files.arn}/*",
+        ]
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role" "s3_uploads_role" {
+  name               = "${local.application_name}-s3-uploads-role"
+  assume_role_policy = data.aws_iam_policy_document.s3-access-policy.json
+  tags = merge(
+    local.tags,
+    {
+      Name = "${local.application_name}-s3-uploads-role"
+    }
+  )
+}
+
+data "aws_iam_policy_document" "s3-access-policy" {
+  version = "2012-10-17"
+  statement {
+    sid    = ""
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+    ]
+    principals {
+      type = "Service"
+      identifiers = [
+        "rds.amazonaws.com",
+        "ec2.amazonaws.com",
+      ]
+    }
+  }
+}
+
+resource "aws_iam_policy" "s3-uploads-policy" {
+  name   = "${local.application_name}-s3-uploads-policy"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+          "s3:*"
+      ],
+      "Resource": [
+          "${aws_s3_bucket.upload_files.arn}"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+          "s3:*"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.upload_files.arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetEncryptionConfiguration"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+      "kms:Decrypt"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "s3_uploads_attachment" {
+  role       = aws_iam_role.s3_uploads_role.name
+  policy_arn = aws_iam_policy.s3-uploads-policy.arn
+}
+
+#-------------------------------------------------------------------------------------------------
+# S3 "landing" bucket for AP data transfer 
+# AP pipelines write to this bucket and the Performance Hub reads files from here. It doesn't need
+# complex retention versioning or replication since files are removed from this bucket once imported.
+#-------------------------------------------------------------------------------------------------
+
+module "ap_landing_bucket" {
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+
+  bucket_name          = "${local.application_name}-land-${local.environment}"
+  ownership_controls   = "BucketOwnerEnforced"
+
+  versioning_enabled   = false
+  replication_enabled  = false
+
+  providers = {
+    # Leave this provider block in even if you are not using replication
+    aws.bucket-replication = aws
+  }
+
+  custom_kms_key = aws_kms_key.s3.arn
+
+  lifecycle_rule = [
+    {
+      id      = "tf-s3-lifecycle-landing"
+      enabled = "Enabled"
+
+      expiration = {
+        days = 30
+      }
+    }
+  ]
+
+  tags = merge (
+    local.tags,
+    {
+        Name = "${local.application_name}-ap-landing-bucket"
+    }
+  )
+}
+
+# AP Airflow jobs are expecting certain folders to exist
+resource "aws_s3_object" "prison_incidents" {
+  bucket = module.ap_landing_bucket.bucket.id
+  key    = "prison_incidents/"
+}
+
+resource "aws_s3_object" "prison_performance" {
+  bucket = module.ap_landing_bucket.bucket.id
+  key    = "prison_performance/"
+}
+
+
+#------------------------------------------------------------------------------
+# KMS setup for S3
+#------------------------------------------------------------------------------
+
+resource "aws_kms_key" "s3" {
+  description         = "Encryption key for s3"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.s3-kms.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name = "${local.application_name}-s3-kms"
+    }
+  )
+}
+
+resource "aws_kms_alias" "kms-alias" {
+  name          = "alias/s3"
+  target_key_id = aws_kms_key.s3.arn
+}
+
+data "aws_iam_policy_document" "s3-kms" {
+  #checkov:skip=CKV_AWS_111
+  #checkov:skip=CKV_AWS_109
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cicd-member-user"]
+    }
+  }
+}
\ No newline at end of file