diff --git a/s3/tests/unit.tftest.hcl b/s3/tests/unit.tftest.hcl
index aff2f4ff..d7442f26 100644
--- a/s3/tests/unit.tftest.hcl
+++ b/s3/tests/unit.tftest.hcl
@@ -442,7 +442,6 @@ run "aws_s3_bucket_external_role_access_invalid_cyber_sign_off" {
expect_failures = [var.config.external_role_access.cyber_sign_off_by] } -# TODO assert on the condtion stringLike "arn:aws:iam::${var.config.cross_environment_service_access.test-access.account}:role/${statement.value.application}-${statement.value.environment}-${statement.value.service}-TaskRole-*" run "aws_s3_bucket_cross_environment_service_access_read_write_unit_test" { command = plan
@@ -469,6 +468,22 @@ run "aws_s3_bucket_cross_environment_service_access_read_write_unit_test" {
error_message = "Should be: Allow" } + assert { condition = length([for item in data.aws_iam_policy_document.bucket-policy.statement[1].condition : item if item.test == "StringLike"]) == 1 error_message = "condition should have a test: StringLike attribute" } + assert { condition = length([for item in data.aws_iam_policy_document.bucket-policy.statement[1].condition : item if item.variable == "aws:PrincipalArn"]) == 1 error_message = "condition should have a variable: aws:PrincipalArn attribute" } + assert { condition = length([for item in data.aws_iam_policy_document.bucket-policy.statement[1].condition : item if item.values == tolist(["arn:aws:iam::123456789012:role/app-test-service-TaskRole-*"])]) == 1 error_message = "condition should have a values: [bucket arn] attribute" } assert { condition = alltrue([ contains(data.aws_iam_policy_document.bucket-policy.statement[1].actions, "s3:Get*"),
diff --git a/s3/variables.tf b/s3/variables.tf
index 7b6b4c1d..a3aac2d5 100644
--- a/s3/variables.tf
+++ b/s3/variables.tf
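Review bot: The three new asserts in the `@@ -469,6 +468,22 @@` hunk filter `test`, `variable` and `values` on separate condition elements, so they would still pass if statement[1] carried, for example, a StringLike on some other variable plus a StringEquals on aws:PrincipalArn — the one property that scopes the cross-account grant, a single condition binding StringLike to aws:PrincipalArn to the TaskRole pattern, is never asserted. Filtering on all three attributes in one assert pins the intended condition, and the test-only and variable-only asserts become redundant. The last assert's message also says `[bucket arn]` while the value it checks is the task role ARN; `error_message = "condition should have a values: [task role arn] attribute"` describes what is actually tested. The enclosing run block starts before this hunk.
```hcl
  # … unchanged: preceding "Should be: Allow" assert …

  assert {
    condition = length([for item in data.aws_iam_policy_document.bucket-policy.statement[1].condition :
      item if item.test == "StringLike" && item.variable == "aws:PrincipalArn" && item.values == tolist(["arn:aws:iam::123456789012:role/app-test-service-TaskRole-*"])]) == 1
    error_message = "condition should be a single StringLike on aws:PrincipalArn with values: [task role arn]"
  }

  # … unchanged: actions assert …
```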
@@ -82,7 +82,6 @@ variable "config" { validation { condition = var.config.cross_environment_service_access == null ? true : alltrue([ for k, v in var.config.cross_environment_service_access : (can(regex("^[\\w\\-\\.]+@(businessandtrade.gov.uk|digital.trade.gov.uk)$", v.cyber_sign_off_by))) - # ((length(k) <= 63) && (length(k) >= 3)) ]) error_message = "All instances of cross_environment_service_access must be approved by cyber, and a cyber rep's email address entered." }