diff --git a/src/ol_infrastructure/applications/micromasters/Pulumi.applications.micromasters.Production.yaml b/src/ol_infrastructure/applications/micromasters/Pulumi.applications.micromasters.Production.yaml
new file mode 100644
index 000000000..ee064b327
--- /dev/null
+++ b/src/ol_infrastructure/applications/micromasters/Pulumi.applications.micromasters.Production.yaml
@@ -0,0 +1,11 @@
+---
+secretsprovider: awskms://alias/infrastructure-secrets-production
+encryptedkey: AQICAHg/+QzF9hGIaoayDitgnEVHEhuaANONVQQOnqpkIsol1gESTkymogFx44vfI8GgDVnMAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMOEBGMo6fxI9utvJEAgEQgDvEhgY3IKeQ/Tao4skYoKildxCd5+x4WRnSTU86KZ5yc9v/VoGATjH7QE6NHKfHO0fWsEmD4mW8xCMIXg==
+config:
+ aws:region: us-east-1
+ consul:address: https://consul-apps-production.odl.mit.edu
+ consul:scheme: https
+ micromasters:db_password:
+ secure: v1:KuHLKayQ3w6kG9M6:lh+RY/EMrc92HVO60psz6lD6DlYAmf5wWHdWr80yY/Q+L54KMGytwmTLi59lo8xfBZveqwS7S5MyT2U=
+ vault:address: https://vault-production.odl.mit.edu
+ vault_server:env_namespace: operations.production
diff --git a/src/ol_infrastructure/applications/micromasters/__main__.py b/src/ol_infrastructure/applications/micromasters/__main__.py
index 43bb68f1c..619472148 100644
--- a/src/ol_infrastructure/applications/micromasters/__main__.py
+++ b/src/ol_infrastructure/applications/micromasters/__main__.py
@@ -5,7 +5,6 @@
 - Create an IAM policy to grant access to S3 and other resources
 """
-import json
 import pulumi_vault as vault
 from pulumi import Config, StackReference, export
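Review bot: `micromasters:db_password` in the new Production stack file is committed as ciphertext whose only protection is the KMS key behind `alias/infrastructure-secrets-production`, and nothing in the change records who is expected to hold decrypt rights on that key or how the value is rotated. Because the ciphertext stays in git history, a rotation has to change the database password itself rather than re-encrypt the same value. I would add a bullet to the module docstring in `__main__.py`, for example `- db_password is a Pulumi secret wrapped by the production KMS alias; rotate the database password first, then update it with pulumi config set --secret`. The stack also sets `vault:address`; if Vault is meant to issue the application's database credentials, the docstring should say that this value is only the bootstrap password, which I cannot confirm from this hunk.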
@@ -51,25 +50,6 @@
 ),
 tags=aws_config.tags,
 acl="private",
- policy=json.dumps(
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "s3:GetObject",
- "s3:ListAllMyBuckets",
- "s3:ListBucket",
- "s3:ListObjects",
- "s3:PutObject",
- "s3:DeleteObject",
- ],
- "Resource": [f"arn:aws:s3:::{micromasters_bucket_name}/*"],
- }
- ],
- }
- ),
 cors_rules=[{"allowedMethods": ["GET", "HEAD"], "allowedOrigins": ["*"]}],
 )
@@ -91,7 +71,6 @@
 },
 {
 "Effect": "Allow",
- "Principal": "*",
 "Action": [
 "s3:ListBucket*",
 "s3:PutObject",
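Review bot: The `"s3:ListBucket*"` wildcard in the statement that also grants `"s3:PutObject"` (last hunk) is broader than a listing permission needs to be, since it matches `s3:ListBucketVersions` and `s3:ListBucketMultipartUploads` as well as `s3:ListBucket`. I would name the actions the application actually uses, e.g. `"s3:ListBucket",` in place of the wildcard. The statement also mixes bucket-level and object-level actions, so its `Resource` list, which lies outside this hunk, needs both the bucket ARN and the `/*` object ARN. The bucket policy removed in the previous hunk scoped `s3:ListBucket` to `/*` only, where that action matches nothing, so the same mismatch is worth checking for here. The statement starts and ends outside the hunk.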