diff --git a/infrastructure/terraform/modules/eventpub/README.md b/infrastructure/terraform/modules/eventpub/README.md
index 96a9a6c..d9811dc 100644
--- a/infrastructure/terraform/modules/eventpub/README.md
+++ b/infrastructure/terraform/modules/eventpub/README.md
@@ -30,6 +30,7 @@
| [event\_anomaly\_period](#input\_event\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
| [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
| [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
+| [event\_cache\_restrict\_data\_access](#input\_event\_cache\_restrict\_data\_access) | Whether to restrict access to data in the event cache bucket | `bool` | `false` | no |
| [force\_destroy](#input\_force\_destroy) | When enabled will force destroy event-cache S3 bucket | `bool` | `false` | no |
| [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
| [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
diff --git a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
index 4124502..88758a7 100644
--- a/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
+++ b/infrastructure/terraform/modules/eventpub/module_s3bucket_event_cache.tf
@@ -1,5 +1,5 @@
module "s3bucket_event_cache" {
- source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.3/terraform-s3bucket.zip"
+ source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/4.0.5/terraform-s3bucket.zip"
count = var.enable_event_cache ? 1 : 0
@@ -14,6 +14,7 @@ module "s3bucket_event_cache" {
acl = "private"
force_destroy = var.force_destroy
versioning = true
+ enable_abac = var.event_cache_restrict_data_access
lifecycle_rules = [
{
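Review bot: The new `enable_abac = var.event_cache_restrict_data_access` line passes an input that the 3.0.3 shared module did not take, and nothing in this file says what the flag changes on the bucket, so a reader has to open the shared module to understand what "restrict data access" means. Presumably the input exists only from the 4.x release bumped in the hunk above, and it appears to be paired with the `NHSE-RESTRICTED-PID` tag added further down in `default_tags`; a short why-comment on the line would make that coupling explicit, e.g. `# Enables the shared module's ABAC bucket policy (4.x+); paired with the NHSE-RESTRICTED-PID tag in default_tags — confirm against the 4.0.5 module`. The `module "s3bucket_event_cache"` block starts outside this hunk.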
@@ -54,7 +55,8 @@ module "s3bucket_event_cache" {
}
default_tags = {
- Name = "Event Cache Storage"
+ Name = "Event Cache Storage"
+ NHSE-RESTRICTED-PID = var.event_cache_restrict_data_access ? "True" : "False"
}
}
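Review bot: The tag value is the literal string `"True"` / `"False"`, and tag-based conditions in IAM or bucket policies compare the value case-sensitively, so the exact spelling the shared module's ABAC policy expects (if it conditions on this tag, which is not visible here) should be confirmed rather than assumed. Note also that the tag is always emitted, including `NHSE-RESTRICTED-PID = "False"` on buckets where the restriction is off; if that explicit negative value is intentional it is worth a comment such as `# Always set; the shared module's ABAC policy is expected to key on this tag value (case-sensitive) — verify against 4.0.5`. The `Name` line change is whitespace only.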
diff --git a/infrastructure/terraform/modules/eventpub/variables.tf b/infrastructure/terraform/modules/eventpub/variables.tf
index b27052f..e4747d6 100644
--- a/infrastructure/terraform/modules/eventpub/variables.tf
+++ b/infrastructure/terraform/modules/eventpub/variables.tf
@@ -97,6 +97,12 @@ variable "enable_event_cache" {
default = false
}
+variable "event_cache_restrict_data_access" {
+ type = bool
+ description = "Whether to restrict access to data in the event cache bucket"
+ default = false
+}
+
variable "enable_firehose_raw_message_delivery" {
type = bool
description = "Enables raw message delivery on firehose subscription"
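Review bot: The description of `event_cache_restrict_data_access` does not say what restricting entails or when it has any effect: in the module file it feeds `enable_abac` and the `NHSE-RESTRICTED-PID` tag, and the bucket module is only created when `enable_event_cache` is true, so the flag is silently ignored otherwise. A more specific description would spare callers a trip through the module, e.g. `description = "When true, enables ABAC on the event cache S3 bucket and tags it NHSE-RESTRICTED-PID=True. Only takes effect when enable_event_cache is true."`. The default of `false` also means existing deployments stay unrestricted unless they opt in, which the description could state explicitly.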