diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
index cf0b7e6201..0ab6a65618 100644
--- a/config/clusters/iam.tf
+++ b/config/clusters/iam.tf
@@ -270,6 +270,26 @@ module "test-infra_reader" {
 ]
 policies = {
 test-infra_read_access = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ test-infra_state_lock = "${aws_iam_policy.test-infra_state_lock.arn}"
+ }
+}
+
+resource "aws_iam_policy" "test-infra_state_lock" {
+ name_prefix = "github_actions-test-infra-cluster"
+ description = "Access policy for test-infra Terraform remote state lock"
+ policy = data.aws_iam_policy_document.test-infra_state_lock.json
+}
+
+data "aws_iam_policy_document" "test-infra_state_lock" {
+ statement {
+ sid = "DeployTestInfraClusterAccess"
+ effect = "Allow"
+ actions = [
+ "dynamodb:PutItem"
+ ]
+ resources = [
+ "arn:aws:dynamodb:::table/${var.state_dynamodb_table_name}"
+ ]
 }
 }
diff --git a/config/clusters/iam_variables.tf b/config/clusters/iam_variables.tf
new file mode 100644
index 0000000000..5d6043dc2f
--- /dev/null
+++ b/config/clusters/iam_variables.tf
@@ -0,0 +1,5 @@
+variable "state_dynamodb_table_name" {
+ type = string
+ description = "The name of the DynamoDB table for the Terraform state"
+ default = "falco-test-infra-state-lock"
+}
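Review bot: The resource ARN `arn:aws:dynamodb:::table/${var.state_dynamodb_table_name}` in the new `test-infra_state_lock` policy document leaves the region and account-id fields empty, and IAM compares resource ARNs field by field, so it will not match the real table's ARN and the grant is effectively a no-op; use `arn:aws:dynamodb:*:*:table/${var.state_dynamodb_table_name}`, or better the current region and account id if the module already has them, so the policy stays scoped to exactly one table. The statement also allows only `dynamodb:PutItem`, while the Terraform S3 backend documentation lists `dynamodb:DescribeTable`, `dynamodb:GetItem`, `dynamodb:PutItem` and `dynamodb:DeleteItem` as required on the lock table — with this grant a run could take the lock but be denied when releasing it, leaving a stale lock that blocks the next run. Consider `actions = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]` with a comment naming why each is needed. As a point of style, the interpolation-only string `"${aws_iam_policy.test-infra_state_lock.arn}"` can be written as plain `aws_iam_policy.test-infra_state_lock.arn` in Terraform 0.12+. The `module "test-infra_reader"` block starts before the hunk.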