diff --git a/data.tf b/data.tf
index d247825..0c1add9 100644
--- a/data.tf
+++ b/data.tf
@@ -95,8 +95,10 @@ data "aws_iam_policy_document" "knowledgebase_permissions" {
 }
 statement {
 actions = ["s3:GetObject"]
- resources = [
+ resources = var.s3_configuration.inclusion_prefixes == null ? [
 "${var.s3_configuration.bucket_arn}/*"
+ ] : [for prefix in var.s3_configuration.inclusion_prefixes :
+ "${var.s3_configuration.bucket_arn}/${prefix}*"
 ]
 condition {
 test = "StringEquals"
diff --git a/variables.tf b/variables.tf
index 6ebd986..975071b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -54,6 +54,11 @@ variable "s3_configuration" {
 bucket_owner_account_id = optional(string)
 inclusion_prefixes = optional(set(string))
 })
+
+ validation {
+ condition = var.s3_configuration.inclusion_prefixes == null ? true : length(var.s3_configuration.inclusion_prefixes) == 1
+ error_message = "For now s3 data source support only one prefix."
+ }
 }
 
 variable "oss_collection_name" {
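Review bot: The `s3:GetObject` resource ARNs in the new `for` expression are built from the raw prefix, `"${var.s3_configuration.bucket_arn}/${prefix}*"`, so a prefix that itself contains an IAM wildcard (`*` or `?`) widens the grant beyond the intended key space. A prefix without a trailing `/`, such as `docs`, would also match sibling keys like `docs-archive/...`, which may be broader than the caller meant. The validation added in variables.tf checks only how many prefixes there are, not what they contain; a second rule there, e.g. `condition = var.s3_configuration.inclusion_prefixes == null ? true : alltrue([for p in var.s3_configuration.inclusion_prefixes : !can(regex("[*?]", p))])`, would keep the policy scoped to literal prefixes. The statement's `condition` block continues outside the hunk, so any further restriction it applies is not visible here.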
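Review bot: The `error_message` does not describe what the rule actually rejects: `length(...) == 1` also fails for an empty set, where "support only one prefix" is misleading. Wording such as `error_message = "s3_configuration.inclusion_prefixes must contain exactly one prefix; the S3 data source currently supports only one."` names the attribute and covers both the empty and the multi-prefix case. The enclosing `variable "s3_configuration"` block starts outside the hunk, so whether its description mentions this limit cannot be checked here.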