diff --git a/.gitignore b/.gitignore index 5e036219..3044c946 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ node_modules .env docker-compose.yml npm-debug.log +.idea/ diff --git a/README.md b/README.md index fd2ad143..0c843b73 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,8 @@ There are a couple environment variables that can be used to tweak behavior: - `AWS_SECRET_ACCESS_KEY` (optional) – If you want to use Lookerbot to post visualization images, provide an Amazon S3 secret access key that can write to the provided bucket. +You can find an example how to configure access to S3 bucket [here](s3-bucket-access.md) + ###### Microsoft Azure - `AZURE_STORAGE_ACCOUNT` (optional) - If you want to use Microsoft Azure Storage to store visualization images posted by Lookerbot, provide the name of your Azure Storage account. diff --git a/s3-bucket-access.md b/s3-bucket-access.md new file mode 100644 index 00000000..3af297f6 --- /dev/null +++ b/s3-bucket-access.md @@ -0,0 +1,50 @@ +# AWS S3 Bucket access setup example + +To keep AWS infrastructure safe and out of risk to leak any data through Lookerbot account +it is better to create dedicated AMI user, S3 Bucket and restrict access for the user only to the bucket. + +Here is an example how to achieve that: + +1. Create an S3 Bucket, f.ex. `lookerbot-s3-bucket`.
+It should stay private. No special configuration required. + +2. Create an IAM policy, named f.ex `lookerbot-policy`, like + ``` + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::lookerbot-s3-bucket" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetObject", + "s3:DeleteObject" + ], + "Resource": [ + "arn:aws:s3:::lookerbot-s3-bucket/*" + ] + } + ] + } + ``` + The policy consists of 2 sections: + - first allows to list the bucket itself, + - seconds allows to put, get and delete objects in the bucket and to put object's ACL + + More on ARN bucket names could be found on [AWS Docs](http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-s3) + +3. Create an IAM account, f.ex `lookerbot`.
+Enable `Programmatic access` only. + +4. Go to the summary page for `lookerbot` user.
+On `Permissions` section add `lookerbot-policy` to it.
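Review bot: the `.idea/` entry in the .gitignore hunk is an IDE artifact unrelated to the S3 access documentation this change adds; it would sit better in its own commit or in a per-user global gitignore, so the project ignore list does not accumulate editor-specific entries.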
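Review bot: the sentence added to README.md is ungrammatical ("an example how to configure access to S3 bucket"); suggest `You can find an example of how to configure access to an S3 bucket [here](s3-bucket-access.md).` Since the linked page also covers creating the IAM user whose key goes into `AWS_SECRET_ACCESS_KEY`, link text such as "an example IAM user and bucket policy setup" would help readers scanning the variable list more than a bare "here".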
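Review bot: in the new s3-bucket-access.md, the example policy grants `s3:PutObjectAcl` while step 1 says the bucket "should stay private" with "No special configuration required"; the only reason to grant PutObjectAcl is that Lookerbot sets an ACL on the objects it uploads, and if it does, the page should say which ACL and what that means for the bucket's privacy, and if it does not, the permission should be dropped. The same check applies to `s3:GetObject` and `s3:DeleteObject`: README.md describes the key only as one that "can write to the provided bucket", so please confirm each listed action against the S3 calls Lookerbot actually makes and remove the unused ones, otherwise the least-privilege intent stated in the introduction is not met. Wording fixes in the same hunk: "dedicated AMI user" should be "dedicated IAM user" (AMI is an Amazon Machine Image) and "IAM account" in step 3 should likewise be "IAM user"; "seconds allows" should be "the second allows"; "f.ex" should be "e.g."; "could be found" should be "can be found"; the AWS docs link should use `https://`; and the policy fence would render better tagged as ```json. The procedure also stops one step short: after attaching `lookerbot-policy` in step 4, the user still needs an access key created, and the resulting key pair needs to be placed in the AWS environment variables documented in README.md (`AWS_SECRET_ACCESS_KEY` and its companion), which is the point of the whole page.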