diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index 44921ed9..6063d464 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -152,9 +152,16 @@ jobs:
timeout-minutes: 10
needs: detect-terraform-changes
if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: "Checkout code"
uses: actions/checkout@v5
+ - name: Setup NodeJS
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.nodejs_version }}
+ registry-url: 'https://npm.pkg.github.com'
- name: "Setup ASDF"
uses: asdf-vm/actions/setup@v4
- name: "Perform Setup"
diff --git a/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf b/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf
index 219b01ad..5b83a9f2 100644
--- a/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf
+++ b/infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf
@@ -1,11 +1,11 @@
resource "aws_lambda_event_source_mapping" "letter_updates_transformer_kinesis" {
- event_source_arn = aws_kinesis_stream.letter_change_stream.arn
- function_name = module.letter_updates_transformer.function_arn
- starting_position = "LATEST"
- batch_size = 10
- maximum_batching_window_in_seconds = 1
+ event_source_arn = aws_kinesis_stream.letter_change_stream.arn
+ function_name = module.letter_updates_transformer.function_arn
+ starting_position = "LATEST"
+ batch_size = 10
+ maximum_batching_window_in_seconds = 1
depends_on = [
- module.letter_updates_transformer # ensures updates transformer exists
+ module.letter_updates_transformer # ensures updates transformer exists
]
}
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
index bfadfd30..683156a0 100644
--- a/infrastructure/terraform/components/api/locals.tf
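Review bot: `NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is added to the job-level `env`, so the token is exposed to every step of this job (the ASDF setup, the Terraform steps and anything after them) rather than only to the step that installs from `npm.pkg.github.com`; scope it by moving it to the `env:` of the install step that reads the `.npmrc` written by setup-node. Reading from the GitHub Packages registry with GITHUB_TOKEN also requires `packages: read` in the job's `permissions`, which is not visible in this hunk, so confirm it is granted or the install will fail with 401. If `nodejs_version` is an optional `workflow_call` input, `node-version: ${{ inputs.nodejs_version }}` expands to an empty string when the caller omits it, so give the input a default. As a point of style, the other step names are quoted (`"Checkout code"`, `"Setup ASDF"`) while `Setup NodeJS` is not. The job definition starts before this hunk.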
+++ b/infrastructure/terraform/components/api/locals.tf
@@ -28,4 +28,7 @@ locals {
APIM_CORRELATION_HEADER = "nhsd-correlation-id",
DOWNLOAD_URL_TTL_SECONDS = 60
}
+
+ core_pdf_bucket_arn = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+ core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
}
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
index a1ac8ef7..1116336e 100644
--- a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
+++ b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
@@ -68,11 +68,43 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
]
}
+ statement {
+ sid = "S3ListBucketForPresign"
+ actions = [
+ "s3:ListBucket"
+ ]
+ resources = [
+ module.s3bucket_test_letters.arn,
+ local.core_pdf_bucket_arn
+ ]
+ }
+
statement {
sid = "S3GetObjectForPresign"
actions = [
"s3:GetObject",
- "s3:ListBucket"] # allows 404 response instead of 403 if object missing
- resources = ["${module.s3bucket_test_letters.arn}/*"]
+ "s3:PutObject",
+ ] # allows 404 response instead of 403 if object missing
+ resources = [
+ "${module.s3bucket_test_letters.arn}/*",
+ "${local.core_pdf_bucket_arn}/*",
+ ]
+ }
+
+ statement {
+ sid = "KMSForCoreS3Access"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey"
+ ]
+ resources = [
+ "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
+ ]
+ condition {
+ test = "ForAnyValue:StringEquals"
+ variable = "kms:ResourceAliases"
+ values = [local.core_s3_kms_key_alias_name]
+ }
}
}
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
index 5c3bb9a8..d3843a29 100644
--- a/infrastructure/terraform/components/api/variables.tf
+++ b/infrastructure/terraform/components/api/variables.tf
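Review bot: `core_pdf_bucket_arn` hard-codes `eu-west-2` in the bucket name while the KMS ARN added in module_lambda_get_letter_data.tf is built from `${var.region}`; if the core bucket follows the same region-in-name convention, use `${var.region}` here as well so a deployment in another region does not grant access to a bucket in the wrong region, or add a comment stating why the region is fixed. The literal `stg` segment sits next to the separately parameterised `${var.core_environment}`, and nothing on the page says what it denotes, so a comment such as `# TODO(review): document what the "stg" segment means — it is not var.core_environment` would stop readers assuming it is a second environment name. The enclosing `locals` block starts before this hunk.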
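Review bot: `s3:PutObject` is added to the `S3GetObjectForPresign` statement, so a Lambda that by its name reads letter data now gets write access to both `s3bucket_test_letters` and the cross-account core PDF bucket under a sid that says GetObject; if the write is genuinely required, put it in its own statement (e.g. `sid = "S3PutObjectCorePdf"`) limited to the bucket and prefix it actually writes, and otherwise drop it along with `kms:GenerateDataKey`, which is only needed for SSE-KMS writes. The comment `# allows 404 response instead of 403 if object missing` explained `s3:ListBucket`, which this commit moves to the new `S3ListBucketForPresign` statement, so it now hangs off `s3:PutObject` and misleads; move it to the ListBucket statement. Because the bucket and key live in `var.core_account_id`, these identity-policy grants only take effect once the core account's bucket policy and key policy also allow this Lambda's role, which is outside this diff and worth a one-line comment on `KMSForCoreS3Access`. The enclosing `data "aws_iam_policy_document"` block starts before this hunk.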
@@ -134,3 +134,15 @@ variable "eventpub_control_plane_bus_arn" {
description = "ARN of the EventBridge control plane bus for eventpub"
default = ""
}
+
+variable "core_account_id" {
+ type = string
+ description = "AWS Account ID for Core"
+ default = "000000000000"
+}
+
+variable "core_environment" {
+ type = string
+ description = "Environment of Core"
+ default = "prod"
+}
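Review bot: `core_account_id` defaults to the placeholder `"000000000000"` and `core_environment` defaults to `"prod"`, so a stack that forgets to set them silently builds an IAM policy against `arn:aws:kms:<region>:000000000000:key/*` and a bucket ARN in the production core account instead of failing at `terraform plan`; remove both defaults so the values must be supplied, and add a validation block on `core_account_id` so a non-12-digit value is rejected at plan time. The `prod` default is the riskier of the two: an unconfigured non-prod deployment would be pointed at production data rather than at nothing.

```hcl
variable "core_account_id" {
  type        = string
  description = "AWS Account ID for Core"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.core_account_id))
    error_message = "core_account_id must be a 12-digit AWS account ID."
  }
}

# … unchanged: variable "core_environment", with its default line removed …
```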