diff --git a/elasticsearch_domain.tf b/elasticsearch_domain.tf
index 2d3071e..9c4cc7f 100644
--- a/elasticsearch_domain.tf
+++ b/elasticsearch_domain.tf
@@ -3,9 +3,9 @@
 #
 
 resource "aws_elasticsearch_domain_policy" "default" {
-  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0) ? 1 : 0
+  count           = local.elasticsearch_enabled && (length(var.iam_authorizing_role_arns) > 0 || length(var.iam_role_arns) > 0 || length(var.access_policies) > 0) ? 1 : 0
   domain_name     = module.this.id
-  access_policies = join("", data.aws_iam_policy_document.default[*].json)
+  access_policies = coalesce(var.access_policies, join("", data.aws_iam_policy_document.default[*].json))
 }
 
 resource "aws_elasticsearch_domain" "default" {
diff --git a/variables.tf b/variables.tf
index 805bf70..c70f5ee 100644
--- a/variables.tf
+++ b/variables.tf
@@ -448,3 +448,12 @@ variable "auto_tune" {
   }
 }
 
+variable "access_policies" {
+  description = "JSON string for the IAM policy document specifying the access policies for the domain."
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.access_policies == "" || try(jsondecode(var.access_policies), null) != null
+    error_message = "The access_policies JSON string is not valid."
+  }
+}