diff --git a/README.md b/README.md index 948b90d8..5f08f9c1 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ The AWS account must already have the landing-zone or StackSet network in place - the expected VPC and subnets must therefore already exist - the private subnets must be tagged so the module lookups can find them, for example with names matching `*private*` - if you plan to deploy the frontend custom domain, the matching Route53 hosted zone must also already exist +- the S3 Terraform state bucket should have bucket versioning enabled, because the repo uses the S3 backend lockfile path rather than DynamoDB state locking If those shared network or DNS resources do not exist yet, the infra applies in this repo will fail during data lookup or certificate/DNS creation. diff --git a/infra/modules/aws/_shared/oidc/README.md b/infra/modules/aws/_shared/oidc/README.md index 75e23d01..fafbb1a8 100644 --- a/infra/modules/aws/_shared/oidc/README.md +++ b/infra/modules/aws/_shared/oidc/README.md @@ -19,7 +19,7 @@ This repo vendors the module locally so the live `aws/oidc` stacks do not depend ## Requirements - the AWS account must already contain the IAM OIDC provider for `https://token.actions.githubusercontent.com` -- the Terragrunt caller must provide the state bucket and DynamoDB lock table names +- the Terragrunt caller must provide the state bucket name - caller policy scope is controlled by `allowed_role_actions` and `allowed_role_resources` ## Repo Contract @@ -58,7 +58,6 @@ The `ci` role is not the repo's general deploy role. If a workflow needs deploy - `allowed_role_actions` - `allowed_role_resources` - `state_bucket` -- `state_lock_table` In this repo, `deploy_role_name` is not set directly in each live `aws/oidc` stack. It is derived in `infra/root.hcl` and passed in through shared Terragrunt inputs: diff --git a/infra/modules/aws/_shared/oidc/data.tf b/infra/modules/aws/_shared/oidc/data.tf index 5dda9da9..f7c0640c 100644 
--- a/infra/modules/aws/_shared/oidc/data.tf
+++ b/infra/modules/aws/_shared/oidc/data.tf
@@ -76,10 +76,6 @@ data "aws_s3_bucket" "tf_state_bucket" {
   bucket = var.state_bucket
 }
 
-data "aws_dynamodb_table" "tf_lock_table" {
-  name = var.state_lock_table
-}
-
 data "aws_iam_policy_document" "state_management" {
   statement {
     sid = "AllowS3StateManagement"
@@ -89,12 +85,4 @@ data "aws_iam_policy_document" "state_management" {
       "${data.aws_s3_bucket.tf_state_bucket.arn}/*"
     ]
   }
-
-  statement {
-    sid = "AllowDynamodbLockManagemnt"
-    actions = local.dyanamodb_state_actions
-    resources = [
-      data.aws_dynamodb_table.tf_lock_table.arn
-    ]
-  }
 }
diff --git a/infra/modules/aws/_shared/oidc/locals.tf b/infra/modules/aws/_shared/oidc/locals.tf
index 08cd16d0..011f9798 100644
--- a/infra/modules/aws/_shared/oidc/locals.tf
+++ b/infra/modules/aws/_shared/oidc/locals.tf
@@ -27,16 +27,6 @@ locals {
     "s3:PutObject",
     "s3:DeleteObject",
   ]
-  dyanamodb_state_actions = [
-    "dynamodb:ListTables",
-    "dynamodb:DescribeTable",
-    "dynamodb:GetItem",
-    "dynamodb:PutItem",
-    "dynamodb:DeleteItem",
-    "dynamodb:DescribeContinuousBackups",
-    "dynamodb:DescribeTimeToLive",
-    "dynamodb:ListTagsOfResource"
-  ]
   oidc_management_actions = [
     "iam:GetOpenIDConnectProvider"
   ]
diff --git a/infra/modules/aws/_shared/oidc/variables.tf b/infra/modules/aws/_shared/oidc/variables.tf
index 28820872..8b424b65 100644
--- a/infra/modules/aws/_shared/oidc/variables.tf
+++ b/infra/modules/aws/_shared/oidc/variables.tf
@@ -13,11 +13,6 @@ variable "state_bucket" {
   type = string
 }
 
-variable "state_lock_table" {
-  description = "Name of dynamo db terraform state lock table - used to allow state locking in ci deployments"
-  type = string
-}
-
 variable "deploy_branches" {
   type = list(string)
   description = "The target repo branches for OIDC access i.e main or feature/this"
@@ -44,7 +39,7 @@ variable "allow_deployments" {
 
 variable "allowed_role_actions" {
   type = list(string)
-  description = "The action(s) to be allowed i.e. [ 's3:*', 'dynamodb:*/' ]"
+  description = "The action(s) to be allowed i.e. [ 's3:*', 'iam:*' ]"
   default = []
 }
 
diff --git a/infra/root.hcl b/infra/root.hcl
index 40d8460d..d8a18c33 100644
--- a/infra/root.hcl
+++ b/infra/root.hcl
@@ -24,7 +24,6 @@ locals {
   plan_bucket = "${local.base_reference}-tfplan"
   state_key = "${local.environment}/${local.provider}/${local.module}/terraform.tfstate"
   plan_artifact_stack_key = "${local.environment}/${local.provider}/${local.module}"
-  state_lock_table = "${local.project_name}-tf-lockid"
   plan_artifact_retention_days = try(
     local.environment_vars.inputs.infra_plan_artifact_expiration_days,
     1,
@@ -39,7 +38,7 @@ terraform {
   before_hook "print_locals" {
     commands = ["init"]
     execute = [
-      "bash", "-c", "echo STATE:${local.state_bucket}/${local.state_key} TABLE:${local.state_lock_table}"
+      "bash", "-c", "echo STATE:${local.state_bucket}/${local.state_key} LOCKFILE:${local.state_key}.tflock"
     ]
   }
 
@@ -82,11 +81,11 @@ terraform {
 remote_state {
   backend = "s3"
   config = {
-    bucket         = local.state_bucket
-    key            = local.state_key
-    region         = local.aws_region
-    dynamodb_table = local.state_lock_table
-    encrypt        = true
+    bucket       = local.state_bucket
+    key          = local.state_key
+    region       = local.aws_region
+    use_lockfile = true
+    encrypt      = true
   }
 }
 
@@ -144,7 +143,6 @@ inputs = merge(
     deploy_role_arn = local.deploy_role_arn
     state_bucket = local.state_bucket
     plan_bucket = local.plan_bucket
-    state_lock_table = local.state_lock_table
     code_bucket = local.code_bucket
     ecr_repository_name = local.ecr_repository_name
   }
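Review bot: `use_lockfile = true` in the `remote_state` config is only understood by Terraform's S3 backend from 1.10 onward, and nothing in this hunk pins that, so a runner with an older binary fails at `init` with an unsupported-argument error; consider adding `terraform_version_constraint = ">= 1.10.0"` to root.hcl alongside this change. Replacing `dynamodb_table` with `use_lockfile` also changes the backend configuration of every already-initialised stack, so each needs a re-init, and until every pipeline is on this revision a run still locking through DynamoDB and a run locking through the `.tflock` object do not exclude each other and could apply the same state concurrently — worth stating in the rollout notes. The lock object lands at `${local.state_key}.tflock` in the state bucket, which the CI role's `state_management` statement in data.tf covers via `${bucket}/*` as long as `local.s3_state_actions` still grants `s3:PutObject`, `s3:GetObject` and `s3:DeleteObject` (the locals hunk shows Put and Delete; Get is presumably above it).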