diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 7cb3fd29a8cad..77a7fd55cf98f 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -410,7 +410,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
 
 			if b.Cluster.Spec.CloudProvider == string(kops.CloudProviderAWS) {
 				splitPath := strings.Split(strings.TrimSuffix(vfs.Path(), "/"), "/")
-				bucket := splitPath[len(splitPath)-1]
+				bucket := splitPath[len(splitPath)-2]
 
 				p = b.buildAWSPolicy(p, bucket, vfs.Base())
 			} else {
@@ -445,8 +445,8 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
 				// Tests -ignore - nothing we can do in terms of IAM policy
 				splitPath := strings.Split(strings.TrimSuffix(vfs.Path(), "/"), "/")
 
-				bucket := strings.TrimSuffix(splitPath[len(splitPath)-1], "/")
-				iamS3Path := strings.Join([]string{bucket, "/", vfs.Base()}, "/")
+				bucket := strings.TrimSuffix(splitPath[len(splitPath)-2], "/")
+				iamS3Path := strings.Join([]string{bucket, vfs.Base()}, "/")
 
 				p.Statement = append(p.Statement, &Statement{
 					Effect: StatementEffectAllow,