diff --git a/.secrets.baseline b/.secrets.baseline
index 3e57585c..bc2ec1b9 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-11-28T08:21:42Z",
+  "generated_at": "2025-11-30T18:45:40Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -90,7 +90,7 @@
         "hashed_secret": "a7c93faaa770c377154ea9d4d0d17a9056dbfa95",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 194,
+        "line_number": 198,
         "type": "Secret Keyword",
         "verified_result": null
       }
diff --git a/README.md b/README.md
index 0d9c356d..1165d396 100644
--- a/README.md
+++ b/README.md
@@ -141,12 +141,15 @@ You need the following permissions to run this module.
 | [ibm_cos_bucket.cos_bucket1](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/cos_bucket) | resource |
 | [ibm_cos_bucket_lifecycle_configuration.cos_bucket_lifecycle](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/cos_bucket_lifecycle_configuration) | resource |
 | [ibm_cos_bucket_object_lock_configuration.lock_configuration](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/cos_bucket_object_lock_configuration) | resource |
+| [ibm_iam_access_group_policy.access_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_access_group_policy) | resource |
+| [ibm_iam_access_group_policy.access_policy1](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_access_group_policy) | resource |
 | [ibm_iam_authorization_policy.policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_resource_instance.cos_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_key.resource_keys](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_key) | resource |
 | [ibm_resource_tag.cos_access_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [random_string.bucket_name_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [time_sleep.wait_for_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [ibm_iam_access_group.public_access_group](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_access_group) | data source |
 
 ### Inputs
 
@@ -159,6 +162,7 @@ You need the following permissions to run this module.
 | <a name="input_activity_tracker_read_data_events"></a> [activity\_tracker\_read\_data\_events](#input\_activity\_tracker\_read\_data\_events) | If set to `true`, all Object Storage bucket read events (i.e. downloads) are sent to Activity Tracker Event Routing. | `bool` | `true` | no |
 | <a name="input_activity_tracker_write_data_events"></a> [activity\_tracker\_write\_data\_events](#input\_activity\_tracker\_write\_data\_events) | If set to `true`, all Object Storage bucket write events (i.e. uploads) are sent to Activity Tracker Event Routing. | `bool` | `true` | no |
 | <a name="input_add_bucket_name_suffix"></a> [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Whether to add a randomly generated 4-character suffix to the bucket name. | `bool` | `true` | no |
+| <a name="input_allow_public_access_to_buckets"></a> [allow\_public\_access\_to\_buckets](#input\_allow\_public\_access\_to\_buckets) | Set it to `true` to allow the cos bucket to be publicly accessible. | `bool` | `false` | no |
 | <a name="input_archive_days"></a> [archive\_days](#input\_archive\_days) | The number of days before the `archive_type` rule action takes effect. Applies only if `create_cos_bucket` is set to `true`. Set to `null` if you specify a bucket location in `cross_region_location` because archive data is not supported with cross-region buckets. If null is passed, no lifecycle configuration will be added for bucket archival. | `number` | `null` | no |
 | <a name="input_archive_filter_prefix"></a> [archive\_filter\_prefix](#input\_archive\_filter\_prefix) | Apply archive lifecycle rule to only objects with the following prefix. Applies to all objects by default. | `string` | `null` | no |
 | <a name="input_archive_type"></a> [archive\_type](#input\_archive\_type) | The storage class or archive type to which you want the object to transition. Possible values are `Glacier` or `Accelerated`. Applies only if `create_cos_bucket` is set to `true`. | `string` | `"Glacier"` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 13ca7361..9c02838a 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -347,6 +347,9 @@
               "key": "bucket_name",
               "required": true
             },
+            {
+              "key": "allow_public_access_to_buckets"
+            },
             {
               "key": "provider_visibility",
               "hidden": true,
@@ -793,6 +796,9 @@
               "key": "bucket_name",
               "required": true
             },
+            {
+              "key": "allow_public_access_to_buckets"
+            },
             {
               "key": "add_bucket_name_suffix"
             },
@@ -1247,6 +1253,9 @@
               "key": "bucket_name",
               "required": true
             },
+            {
+              "key": "allow_public_access_to_buckets"
+            },
             {
               "key": "provider_visibility",
               "hidden": true,
@@ -1736,6 +1745,9 @@
               "key": "bucket_name",
               "required": true
             },
+            {
+              "key": "allow_public_access_to_buckets"
+            },
             {
               "key": "add_bucket_name_suffix"
             },
diff --git a/main.tf b/main.tf
index 727cb506..4b7a8a02 100644
--- a/main.tf
+++ b/main.tf
@@ -107,6 +107,11 @@ resource "ibm_iam_authorization_policy" "policy" {
   }
 }
 
+# use a data lookup to get the ID of the "Public Access" IAM access group
+data "ibm_iam_access_group" "public_access_group" {
+  access_group_name = "geretain-public-access"
+}
+
 # Create random string which is added to COS bucket name as a suffix
 resource "random_string" "bucket_name_suffix" {
   count   = var.add_bucket_name_suffix ? 1 : 0
@@ -121,10 +126,15 @@ resource "random_string" "bucket_name_suffix" {
 # - Monitoring
 # - Activity Tracking
 # - Versioning
+
+locals {
+  random_suffix = random_string.bucket_name_suffix[0].result
+}
+
 resource "ibm_cos_bucket" "cos_bucket" {
   count                 = (var.kms_encryption_enabled && var.create_cos_bucket) ? 1 : 0
   depends_on            = [time_sleep.wait_for_authorization_policy]
-  bucket_name           = var.add_bucket_name_suffix ? "${var.bucket_name}-${random_string.bucket_name_suffix[0].result}" : var.bucket_name
+  bucket_name           = var.add_bucket_name_suffix ? "${var.bucket_name}-${local.random_suffix}" : var.bucket_name
   resource_instance_id  = local.cos_instance_id
   region_location       = var.region
   cross_region_location = var.cross_region_location
@@ -174,6 +184,20 @@ resource "ibm_cos_bucket" "cos_bucket" {
   }
 }
 
+# create an IAM access policy to granting public access to this bucket
+resource "ibm_iam_access_group_policy" "access_policy" {
+  count           = (var.allow_public_access_to_buckets && var.kms_encryption_enabled && var.create_cos_bucket) ? 1 : 0
+  access_group_id = data.ibm_iam_access_group.public_access_group.groups[0].id
+  roles           = ["Object Reader"]
+
+  resources {
+    service              = "cloud-object-storage"
+    resource_type        = "bucket"
+    resource_instance_id = local.cos_instance_guid
+    resource             = var.add_bucket_name_suffix ? "${var.bucket_name}-${local.random_suffix}" : var.bucket_name
+  }
+}
+
 # Create COS bucket with:
 # - Retention
 # - Monitoring
@@ -181,9 +205,10 @@ resource "ibm_cos_bucket" "cos_bucket" {
 # - Versioning
 # Create COS bucket without:
 # - Encryption
+
 resource "ibm_cos_bucket" "cos_bucket1" {
   count                 = (!var.kms_encryption_enabled && var.create_cos_bucket) ? 1 : 0
-  bucket_name           = var.add_bucket_name_suffix ? "${var.bucket_name}-${random_string.bucket_name_suffix[0].result}" : var.bucket_name
+  bucket_name           = var.add_bucket_name_suffix ? "${var.bucket_name}-${local.random_suffix}" : var.bucket_name
   depends_on            = [time_sleep.wait_for_authorization_policy]
   resource_instance_id  = local.cos_instance_id
   region_location       = var.region
@@ -233,6 +258,20 @@ resource "ibm_cos_bucket" "cos_bucket1" {
   }
 }
 
+# create an IAM access policy to granting public access to this bucket
+resource "ibm_iam_access_group_policy" "access_policy1" {
+  count           = (var.allow_public_access_to_buckets && !var.kms_encryption_enabled && var.create_cos_bucket) ? 1 : 0
+  access_group_id = data.ibm_iam_access_group.public_access_group.groups[0].id
+  roles           = ["Object Reader"]
+
+  resources {
+    service              = "cloud-object-storage"
+    resource_type        = "bucket"
+    resource_instance_id = local.cos_instance_guid
+    resource             = var.add_bucket_name_suffix ? "${var.bucket_name}-${local.random_suffix}" : var.bucket_name
+  }
+}
+
 locals {
   expiration_or_archiving_or_noncurrent_version_expiration_rule_enabled = (length(local.expire_enabled) != 0 || length(local.archive_enabled) != 0 || length(local.noncurrent_version_expiration_enabled) != 0 || length(local.abort_multipart_enabled) != 0)
 
diff --git a/modules/buckets/README.md b/modules/buckets/README.md
index 01ea2f5b..a93bb320 100644
--- a/modules/buckets/README.md
+++ b/modules/buckets/README.md
@@ -82,7 +82,7 @@ You need the following permissions to run this module.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_bucket_configs"></a> [bucket\_configs](#input\_bucket\_configs) | The Object Storage bucket configurations. | <pre>list(object({<br/>    access_tags                   = optional(list(string), [])<br/>    add_bucket_name_suffix        = optional(bool, true)<br/>    bucket_name                   = string<br/>    kms_encryption_enabled        = optional(bool, true)<br/>    kms_guid                      = optional(string, null)<br/>    kms_key_crn                   = optional(string, null)<br/>    skip_iam_authorization_policy = optional(bool, false)<br/>    management_endpoint_type      = optional(string, "public")<br/>    cross_region_location         = optional(string, null)<br/>    storage_class                 = optional(string, "smart")<br/>    region_location               = optional(string, null)<br/>    resource_instance_id          = string<br/>    force_delete                  = optional(bool, true)<br/>    single_site_location          = optional(string, null)<br/>    hard_quota                    = optional(number, null)<br/>    object_locking_enabled        = optional(bool, false)<br/>    object_lock_duration_days     = optional(number, 0)<br/>    object_lock_duration_years    = optional(number, 0)<br/><br/>    activity_tracking = optional(object({<br/>      read_data_events  = optional(bool, true)<br/>      write_data_events = optional(bool, true)<br/>      management_events = optional(bool, true)<br/>    }))<br/>    archive_rule = optional(object({<br/>      enable                = optional(bool, false)<br/>      days                  = optional(number, null)<br/>      type                  = optional(string, "Glacier")<br/>      archive_filter_prefix = optional(string, null)<br/>    }))<br/>    expire_rule = optional(object({<br/>      enable               = optional(bool, false)<br/>      days                 = optional(number, null)<br/>      expire_filter_prefix = optional(string, null)<br/>    }))<br/>    abort_multipart_enabled_rule = optional(object({<br/>      enable                        = optional(bool, false)<br/>      days                          = optional(number, null)<br/>      abort_multipart_filter_prefix = optional(string, null)<br/>    }))<br/>    noncurrent_version_expiration_rule = optional(object({<br/>      enable                                      = optional(bool, false)<br/>      days                                        = optional(number, null)<br/>      noncurrent_version_expiration_filter_prefix = optional(string, null)<br/>    }))<br/>    metrics_monitoring = optional(object({<br/>      usage_metrics_enabled   = optional(bool, true)<br/>      request_metrics_enabled = optional(bool, true)<br/>      metrics_monitoring_crn  = optional(string, null)<br/>    }))<br/>    object_versioning = optional(object({<br/>      enable = optional(bool, false)<br/>    }))<br/>    retention_rule = optional(object({<br/>      default   = optional(number, 90)<br/>      maximum   = optional(number, 350)<br/>      minimum   = optional(number, 90)<br/>      permanent = optional(bool, false)<br/>    }))<br/>    cbr_rules = optional(list(object({<br/>      description = string<br/>      account_id  = string<br/>      rule_contexts = list(object({<br/>        attributes = optional(list(object({<br/>          name  = string<br/>          value = string<br/>      }))) }))<br/>      enforcement_mode = string<br/>      tags = optional(list(object({<br/>        name  = string<br/>        value = string<br/>      })), [])<br/>      operations = optional(list(object({<br/>        api_types = list(object({<br/>          api_type_id = string<br/>        }))<br/>      })))<br/>    })), [])<br/><br/>  }))</pre> | n/a | yes |
+| <a name="input_bucket_configs"></a> [bucket\_configs](#input\_bucket\_configs) | The Object Storage bucket configurations. | <pre>list(object({<br/>    access_tags                    = optional(list(string), [])<br/>    add_bucket_name_suffix         = optional(bool, true)<br/>    bucket_name                    = string<br/>    allow_public_access_to_buckets = optional(bool, false)<br/>    kms_encryption_enabled         = optional(bool, true)<br/>    kms_guid                       = optional(string, null)<br/>    kms_key_crn                    = optional(string, null)<br/>    skip_iam_authorization_policy  = optional(bool, false)<br/>    management_endpoint_type       = optional(string, "public")<br/>    cross_region_location          = optional(string, null)<br/>    storage_class                  = optional(string, "smart")<br/>    region_location                = optional(string, null)<br/>    resource_instance_id           = string<br/>    force_delete                   = optional(bool, true)<br/>    single_site_location           = optional(string, null)<br/>    hard_quota                     = optional(number, null)<br/>    object_locking_enabled         = optional(bool, false)<br/>    object_lock_duration_days      = optional(number, 0)<br/>    object_lock_duration_years     = optional(number, 0)<br/><br/>    activity_tracking = optional(object({<br/>      read_data_events  = optional(bool, true)<br/>      write_data_events = optional(bool, true)<br/>      management_events = optional(bool, true)<br/>    }))<br/>    archive_rule = optional(object({<br/>      enable                = optional(bool, false)<br/>      days                  = optional(number, null)<br/>      type                  = optional(string, "Glacier")<br/>      archive_filter_prefix = optional(string, null)<br/>    }))<br/>    expire_rule = optional(object({<br/>      enable               = optional(bool, false)<br/>      days                 = optional(number, null)<br/>      expire_filter_prefix = optional(string, null)<br/>    }))<br/>    abort_multipart_enabled_rule = optional(object({<br/>      enable                        = optional(bool, false)<br/>      days                          = optional(number, null)<br/>      abort_multipart_filter_prefix = optional(string, null)<br/>    }))<br/>    noncurrent_version_expiration_rule = optional(object({<br/>      enable                                      = optional(bool, false)<br/>      days                                        = optional(number, null)<br/>      noncurrent_version_expiration_filter_prefix = optional(string, null)<br/>    }))<br/>    metrics_monitoring = optional(object({<br/>      usage_metrics_enabled   = optional(bool, true)<br/>      request_metrics_enabled = optional(bool, true)<br/>      metrics_monitoring_crn  = optional(string, null)<br/>    }))<br/>    object_versioning = optional(object({<br/>      enable = optional(bool, false)<br/>    }))<br/>    retention_rule = optional(object({<br/>      default   = optional(number, 90)<br/>      maximum   = optional(number, 350)<br/>      minimum   = optional(number, 90)<br/>      permanent = optional(bool, false)<br/>    }))<br/>    cbr_rules = optional(list(object({<br/>      description = string<br/>      account_id  = string<br/>      rule_contexts = list(object({<br/>        attributes = optional(list(object({<br/>          name  = string<br/>          value = string<br/>      }))) }))<br/>      enforcement_mode = string<br/>      tags = optional(list(object({<br/>        name  = string<br/>        value = string<br/>      })), [])<br/>      operations = optional(list(object({<br/>        api_types = list(object({<br/>          api_type_id = string<br/>        }))<br/>      })))<br/>    })), [])<br/><br/>  }))</pre> | n/a | yes |
 
 ### Outputs
 
diff --git a/modules/buckets/main.tf b/modules/buckets/main.tf
index 913277ce..80779e81 100644
--- a/modules/buckets/main.tf
+++ b/modules/buckets/main.tf
@@ -70,14 +70,15 @@ module "buckets" {
     for index, bucket in var.bucket_configs :
     bucket.bucket_name => bucket
   }
-  depends_on                    = [time_sleep.wait_for_authorization_policy]
-  source                        = "../../"
-  bucket_name                   = each.value.bucket_name
-  create_cos_instance           = false
-  add_bucket_name_suffix        = each.value.add_bucket_name_suffix
-  skip_iam_authorization_policy = true
-  existing_cos_instance_id      = each.value.resource_instance_id
-  region                        = each.value.region_location
+  depends_on                     = [time_sleep.wait_for_authorization_policy]
+  source                         = "../../"
+  bucket_name                    = each.value.bucket_name
+  allow_public_access_to_buckets = each.value.allow_public_access_to_buckets
+  create_cos_instance            = false
+  add_bucket_name_suffix         = each.value.add_bucket_name_suffix
+  skip_iam_authorization_policy  = true
+  existing_cos_instance_id       = each.value.resource_instance_id
+  region                         = each.value.region_location
 
   cross_region_location               = each.value.cross_region_location
   single_site_location                = each.value.single_site_location
diff --git a/modules/buckets/variables.tf b/modules/buckets/variables.tf
index 9b943bd2..5e0dcbd6 100644
--- a/modules/buckets/variables.tf
+++ b/modules/buckets/variables.tf
@@ -7,24 +7,25 @@
 ##############################################################################
 variable "bucket_configs" {
   type = list(object({
-    access_tags                   = optional(list(string), [])
-    add_bucket_name_suffix        = optional(bool, true)
-    bucket_name                   = string
-    kms_encryption_enabled        = optional(bool, true)
-    kms_guid                      = optional(string, null)
-    kms_key_crn                   = optional(string, null)
-    skip_iam_authorization_policy = optional(bool, false)
-    management_endpoint_type      = optional(string, "public")
-    cross_region_location         = optional(string, null)
-    storage_class                 = optional(string, "smart")
-    region_location               = optional(string, null)
-    resource_instance_id          = string
-    force_delete                  = optional(bool, true)
-    single_site_location          = optional(string, null)
-    hard_quota                    = optional(number, null)
-    object_locking_enabled        = optional(bool, false)
-    object_lock_duration_days     = optional(number, 0)
-    object_lock_duration_years    = optional(number, 0)
+    access_tags                    = optional(list(string), [])
+    add_bucket_name_suffix         = optional(bool, true)
+    bucket_name                    = string
+    allow_public_access_to_buckets = optional(bool, false)
+    kms_encryption_enabled         = optional(bool, true)
+    kms_guid                       = optional(string, null)
+    kms_key_crn                    = optional(string, null)
+    skip_iam_authorization_policy  = optional(bool, false)
+    management_endpoint_type       = optional(string, "public")
+    cross_region_location          = optional(string, null)
+    storage_class                  = optional(string, "smart")
+    region_location                = optional(string, null)
+    resource_instance_id           = string
+    force_delete                   = optional(bool, true)
+    single_site_location           = optional(string, null)
+    hard_quota                     = optional(number, null)
+    object_locking_enabled         = optional(bool, false)
+    object_lock_duration_days      = optional(number, 0)
+    object_lock_duration_years     = optional(number, 0)
 
     activity_tracking = optional(object({
       read_data_events  = optional(bool, true)
diff --git a/solutions/cross-regional-bucket/fully-configurable/main.tf b/solutions/cross-regional-bucket/fully-configurable/main.tf
index 0aa5ebe3..9305c224 100644
--- a/solutions/cross-regional-bucket/fully-configurable/main.tf
+++ b/solutions/cross-regional-bucket/fully-configurable/main.tf
@@ -9,22 +9,23 @@ locals {
 locals {
 
   bucket_config = [{
-    access_tags                   = var.bucket_access_tags
-    bucket_name                   = "${local.prefix}${var.bucket_name}"
-    kms_encryption_enabled        = var.kms_encryption_enabled
-    add_bucket_name_suffix        = var.add_bucket_name_suffix
-    kms_guid                      = local.existing_kms_instance_guid
-    kms_key_crn                   = local.kms_key_crn
-    skip_iam_authorization_policy = local.create_cross_account_auth_policy || var.skip_cos_kms_iam_auth_policy
-    management_endpoint_type      = var.management_endpoint_type_for_bucket
-    cross_region_location         = var.cross_region_location
-    resource_instance_id          = var.existing_cos_instance_crn
-    storage_class                 = var.bucket_storage_class
-    force_delete                  = var.force_delete
-    hard_quota                    = var.bucket_hard_quota
-    object_locking_enabled        = var.enable_object_locking
-    object_lock_duration_days     = var.object_lock_duration_days
-    object_lock_duration_years    = var.object_lock_duration_years
+    access_tags                    = var.bucket_access_tags
+    bucket_name                    = "${local.prefix}${var.bucket_name}"
+    allow_public_access_to_buckets = var.allow_public_access_to_buckets
+    kms_encryption_enabled         = var.kms_encryption_enabled
+    add_bucket_name_suffix         = var.add_bucket_name_suffix
+    kms_guid                       = local.existing_kms_instance_guid
+    kms_key_crn                    = local.kms_key_crn
+    skip_iam_authorization_policy  = local.create_cross_account_auth_policy || var.skip_cos_kms_iam_auth_policy
+    management_endpoint_type       = var.management_endpoint_type_for_bucket
+    cross_region_location          = var.cross_region_location
+    resource_instance_id           = var.existing_cos_instance_crn
+    storage_class                  = var.bucket_storage_class
+    force_delete                   = var.force_delete
+    hard_quota                     = var.bucket_hard_quota
+    object_locking_enabled         = var.enable_object_locking
+    object_lock_duration_days      = var.object_lock_duration_days
+    object_lock_duration_years     = var.object_lock_duration_years
 
     activity_tracking = {
       read_data_events  = true
diff --git a/solutions/cross-regional-bucket/fully-configurable/variables.tf b/solutions/cross-regional-bucket/fully-configurable/variables.tf
index edf5c285..c4387595 100644
--- a/solutions/cross-regional-bucket/fully-configurable/variables.tf
+++ b/solutions/cross-regional-bucket/fully-configurable/variables.tf
@@ -122,6 +122,12 @@ variable "bucket_name" {
   description = "The name to give the newly provisioned Object Storage bucket."
 }
 
+variable "allow_public_access_to_buckets" {
+  type        = bool
+  description = "Set it to `true` to allow the cos bucket to be publicly accessible."
+  default     = false
+}
+
 variable "management_endpoint_type_for_bucket" {
   description = "The type of endpoint for the IBM terraform provider to manage the bucket. Possible values: `public`, `private`, `direct`."
   type        = string
diff --git a/solutions/cross-regional-bucket/security-enforced/main.tf b/solutions/cross-regional-bucket/security-enforced/main.tf
index 7eefb722..f41c8e4e 100644
--- a/solutions/cross-regional-bucket/security-enforced/main.tf
+++ b/solutions/cross-regional-bucket/security-enforced/main.tf
@@ -14,6 +14,7 @@ module "cross_regional_bucket" {
   existing_cos_instance_crn                   = var.existing_cos_instance_crn
   bucket_access_tags                          = var.bucket_access_tags
   bucket_name                                 = var.bucket_name
+  allow_public_access_to_buckets              = var.allow_public_access_to_buckets
   management_endpoint_type_for_bucket         = var.management_endpoint_type_for_bucket
   cross_region_location                       = var.cross_region_location
   bucket_storage_class                        = var.bucket_storage_class
diff --git a/solutions/cross-regional-bucket/security-enforced/variables.tf b/solutions/cross-regional-bucket/security-enforced/variables.tf
index 585162cb..900f99c2 100644
--- a/solutions/cross-regional-bucket/security-enforced/variables.tf
+++ b/solutions/cross-regional-bucket/security-enforced/variables.tf
@@ -96,6 +96,12 @@ variable "bucket_name" {
   description = "The name to give the newly provisioned Object Storage bucket."
 }
 
+variable "allow_public_access_to_buckets" {
+  type        = bool
+  description = "Set it to `true` to allow the cos bucket to be publicly accessible."
+  default     = false
+}
+
 variable "management_endpoint_type_for_bucket" {
   description = "The type of endpoint for the IBM terraform provider to manage the bucket. Possible values:  `private`, `direct`."
   type        = string
diff --git a/solutions/regional-bucket/fully-configurable/main.tf b/solutions/regional-bucket/fully-configurable/main.tf
index 26972051..eefc0e72 100644
--- a/solutions/regional-bucket/fully-configurable/main.tf
+++ b/solutions/regional-bucket/fully-configurable/main.tf
@@ -8,22 +8,23 @@ locals {
 locals {
 
   bucket_config = [{
-    access_tags                   = var.bucket_access_tags
-    bucket_name                   = "${local.prefix}${var.bucket_name}"
-    kms_encryption_enabled        = var.kms_encryption_enabled
-    add_bucket_name_suffix        = var.add_bucket_name_suffix
-    kms_guid                      = local.existing_kms_instance_guid
-    kms_key_crn                   = local.kms_key_crn
-    skip_iam_authorization_policy = local.create_cross_account_auth_policy || var.skip_cos_kms_iam_auth_policy
-    management_endpoint_type      = var.management_endpoint_type_for_bucket
-    region_location               = var.region
-    resource_instance_id          = var.existing_cos_instance_crn
-    storage_class                 = var.bucket_storage_class
-    force_delete                  = var.force_delete
-    hard_quota                    = var.bucket_hard_quota
-    object_locking_enabled        = var.enable_object_locking
-    object_lock_duration_days     = var.object_lock_duration_days
-    object_lock_duration_years    = var.object_lock_duration_years
+    access_tags                    = var.bucket_access_tags
+    bucket_name                    = "${local.prefix}${var.bucket_name}"
+    allow_public_access_to_buckets = var.allow_public_access_to_buckets
+    kms_encryption_enabled         = var.kms_encryption_enabled
+    add_bucket_name_suffix         = var.add_bucket_name_suffix
+    kms_guid                       = local.existing_kms_instance_guid
+    kms_key_crn                    = local.kms_key_crn
+    skip_iam_authorization_policy  = local.create_cross_account_auth_policy || var.skip_cos_kms_iam_auth_policy
+    management_endpoint_type       = var.management_endpoint_type_for_bucket
+    region_location                = var.region
+    resource_instance_id           = var.existing_cos_instance_crn
+    storage_class                  = var.bucket_storage_class
+    force_delete                   = var.force_delete
+    hard_quota                     = var.bucket_hard_quota
+    object_locking_enabled         = var.enable_object_locking
+    object_lock_duration_days      = var.object_lock_duration_days
+    object_lock_duration_years     = var.object_lock_duration_years
 
     activity_tracking = {
       read_data_events  = true
diff --git a/solutions/regional-bucket/fully-configurable/variables.tf b/solutions/regional-bucket/fully-configurable/variables.tf
index 600a3af4..4a8d64ac 100644
--- a/solutions/regional-bucket/fully-configurable/variables.tf
+++ b/solutions/regional-bucket/fully-configurable/variables.tf
@@ -132,6 +132,12 @@ variable "bucket_name" {
   description = "The name to give the newly provisioned Object Storage bucket."
 }
 
+variable "allow_public_access_to_buckets" {
+  type        = bool
+  description = "Set it to `true` to allow the cos bucket to be publicly accessible."
+  default     = false
+}
+
 variable "management_endpoint_type_for_bucket" {
   description = "The type of endpoint for the IBM terraform provider to manage the bucket. Possible values: `public`, `private`, `direct`."
   type        = string
diff --git a/solutions/regional-bucket/security-enforced/main.tf b/solutions/regional-bucket/security-enforced/main.tf
index 7d470e9a..a21a6c21 100644
--- a/solutions/regional-bucket/security-enforced/main.tf
+++ b/solutions/regional-bucket/security-enforced/main.tf
@@ -14,6 +14,7 @@ module "regional_bucket" {
   existing_cos_instance_crn                   = var.existing_cos_instance_crn
   bucket_access_tags                          = var.bucket_access_tags
   bucket_name                                 = var.bucket_name
+  allow_public_access_to_buckets              = var.allow_public_access_to_buckets
   management_endpoint_type_for_bucket         = var.management_endpoint_type_for_bucket
   region                                      = var.region
   bucket_storage_class                        = var.bucket_storage_class
diff --git a/solutions/regional-bucket/security-enforced/variables.tf b/solutions/regional-bucket/security-enforced/variables.tf
index 83428b8b..254b6be6 100644
--- a/solutions/regional-bucket/security-enforced/variables.tf
+++ b/solutions/regional-bucket/security-enforced/variables.tf
@@ -105,6 +105,12 @@ variable "bucket_name" {
   description = "The name to give the newly provisioned Object Storage bucket."
 }
 
+variable "allow_public_access_to_buckets" {
+  type        = bool
+  description = "Set it to `true` to allow the cos bucket to be publicly accessible."
+  default     = false
+}
+
 variable "management_endpoint_type_for_bucket" {
   description = "The type of endpoint for the IBM terraform provider to manage the bucket. Possible values:  `private`, `direct`."
   type        = string
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 028bc76a..5c290d88 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -455,6 +455,7 @@ func TestRunCrossRegionalFullyConfigurableSchematics(t *testing.T) {
 		{Name: "prefix", Value: options.Prefix, DataType: "string"},
 		{Name: "existing_cos_instance_crn", Value: permanentResources["general_test_storage_cos_instance_crn"], DataType: "string"},
 		{Name: "bucket_name", Value: "cr-bucket", DataType: "string"},
+		{Name: "allow_public_access_to_buckets", Value: true, DataType: "bool"},
 	}
 
 	err := options.RunSchematicTest()
diff --git a/variables.tf b/variables.tf
index ac6575ae..3f2dfa05 100644
--- a/variables.tf
+++ b/variables.tf
@@ -149,6 +149,12 @@ variable "bucket_name" {
   }
 }
 
+variable "allow_public_access_to_buckets" {
+  type        = bool
+  description = "Set it to `true` to allow the cos bucket to be publicly accessible."
+  default     = false
+}
+
 variable "add_bucket_name_suffix" {
   type        = bool
   description = "Whether to add a randomly generated 4-character suffix to the bucket name."