diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml index 0a46be73793..d1bc9cfab31 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml @@ -213,7 +213,7 @@ Resources: Next: CopyFiles CopyFiles: Type: Map - End: true + Next: InvalidateCache ItemsPath: $.GetMappingFile.files ItemProcessor: ProcessorConfig: @@ -251,6 +251,18 @@ Resources: # Required otherwise ContentType won't be applied. # See https://github.com/aws/aws-sdk-js/issues/1092 for more. MetadataDirective: 'REPLACE' + InvalidateCache: + Type: Task + End: true + Resource: arn:aws:states:::aws-sdk:cloudfront:createInvalidation + Parameters: + DistributionId: !Ref CloudFrontDistribution + InvalidationBatch: + CallerReference.$: States.UUID() + Paths: + Quantity: 1 + Items: + - "/*" CopyAssetsStateMachineRole: Metadata: 
@@ -283,6 +295,37 @@ Resources: Action: - s3:PutObject Resource: !Sub arn:aws:s3:::${Bucket}/* + - PolicyName: CacheInvalidation + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - acm:ListCertificates + - cloudfront:GetDistribution + - cloudfront:GetStreamingDistribution + - cloudfront:GetDistributionConfig + - cloudfront:ListDistributions + - cloudfront:ListCloudFrontOriginAccessIdentities + - cloudfront:CreateInvalidation + - cloudfront:GetInvalidation + - cloudfront:ListInvalidations + - elasticloadbalancing:DescribeLoadBalancers + - iam:ListServerCertificates + - sns:ListSubscriptionsByTopic + - sns:ListTopics + - waf:GetWebACL + - waf:ListWebACLs + Resource: "*" + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' + 'aws:ResourceTag/copilot-service': !Sub '${WorkloadName}' + - Effect: Allow + Action: + - s3:ListAllMyBuckets + Resource: arn:aws:s3:::* EnvManagerS3Access: Metadata: diff --git a/internal/pkg/template/templates/workloads/services/static-site/cf.yml b/internal/pkg/template/templates/workloads/services/static-site/cf.yml index fd29fbfa1e7..527932ec323 100644 --- a/internal/pkg/template/templates/workloads/services/static-site/cf.yml +++ b/internal/pkg/template/templates/workloads/services/static-site/cf.yml @@ -245,7 +245,7 @@ Resources: Next: CopyFiles CopyFiles: Type: Map - End: true + Next: InvalidateCache ItemsPath: $.GetMappingFile.files ItemProcessor: ProcessorConfig: 
@@ -283,6 +283,18 @@ Resources: # Required otherwise ContentType won't be applied. # See https://github.com/aws/aws-sdk-js/issues/1092 for more. MetadataDirective: "REPLACE" + InvalidateCache: + Type: Task + End: true + Resource: arn:aws:states:::aws-sdk:cloudfront:createInvalidation + Parameters: + DistributionId: !Ref CloudFrontDistribution + InvalidationBatch: + CallerReference.$: States.UUID() + Paths: + Quantity: 1 + Items: + - "/*" CopyAssetsStateMachineRole: Metadata: @@ -318,6 +330,38 @@ Resources: Action: - s3:PutObject Resource: !Sub arn:aws:s3:::${Bucket}/* + - PolicyName: CacheInvalidation + # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/security_iam_id-based-policy-examples.html + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - acm:ListCertificates + - cloudfront:GetDistribution + - cloudfront:GetStreamingDistribution + - cloudfront:GetDistributionConfig + - cloudfront:ListDistributions + - cloudfront:ListCloudFrontOriginAccessIdentities + - cloudfront:CreateInvalidation + - cloudfront:GetInvalidation + - cloudfront:ListInvalidations + - elasticloadbalancing:DescribeLoadBalancers + - iam:ListServerCertificates + - sns:ListSubscriptionsByTopic + - sns:ListTopics + - waf:GetWebACL + - waf:ListWebACLs + Resource: "*" + Condition: + StringEquals: + 'aws:ResourceTag/copilot-application': !Sub '${AppName}' + 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}' + 'aws:ResourceTag/copilot-service': !Sub '${WorkloadName}' + - Effect: Allow + Action: + - s3:ListAllMyBuckets + Resource: arn:aws:s3:::* EnvManagerS3Access: Metadata:
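Review bot: InvalidateCache has no `Retry` block, so a single throttled or rejected createInvalidation call fails the whole execution after CopyFiles has already uploaded the new objects, leaving the deploy reported as failed while CloudFront keeps serving the previous assets; the `aws-sdk:` integration does not retry on its own, and CloudFront limits how many invalidations can be in progress at once. I'd add a retrier on the task, and a comment saying that the task returns as soon as the invalidation is accepted rather than when it completes, so stale objects can still be served for a few minutes after the state machine ends (`# Fire-and-forget: CreateInvalidation is accepted here, not completed`). The exact error name Step Functions surfaces for throttling should be confirmed against the SDK-integration docs before narrowing it; `States.TaskFailed` is the safe catch-all.
```yaml
InvalidateCache:
  Type: Task
  End: true
  # … unchanged: Resource, Parameters (DistributionId, InvalidationBatch) …
  Retry:
    - ErrorEquals:
        - States.TaskFailed
      IntervalSeconds: 5
      MaxAttempts: 5
      BackoffRate: 2
```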
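Review bot: The CacheInvalidation policy grants far more than the new task exercises: the state machine only calls createInvalidation on the one distribution this stack creates, yet the statement copies the console-user example from the linked doc page (ACM, ELB, IAM, SNS and WAF list/describe actions, plus `s3:ListAllMyBuckets`) against `Resource: "*"`. The tag condition does not make this safe — as far as I can tell the `acm:List*`, `cloudfront:List*`, `elasticloadbalancing:Describe*`, `iam:List*`, `sns:List*` and `waf:List*` calls carry no resource tags, so `StringEquals` on `aws:ResourceTag/...` can never match and those grants are dead weight that a later edit could silently revive, while the `s3:ListAllMyBuckets` statement has no condition at all and lets the role enumerate every bucket in the account. I'd cut the policy to `cloudfront:CreateInvalidation` on `!Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}`, which also drops the reliance on the distribution carrying the three copilot tags, something this hunk does not show.
```yaml
- PolicyName: CacheInvalidation
  # Only the permission the InvalidateCache task actually uses, scoped to this stack's distribution.
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action:
          - cloudfront:CreateInvalidation
        Resource: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
```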