diff --git a/test/aclfile b/test/aclfile
new file mode 100644
index 0000000..c2c5b4b
--- /dev/null
+++ b/test/aclfile
@@ -0,0 +1,4 @@
+# ACL for testuser — allow publish and subscribe on 'lambdaiot' topic
+user testuser
+topic readwrite lambdaiot
+topic readwrite lambdaiot/#
diff --git a/test/docker-compose.yml b/test/docker-compose.yml
index 580560b..2dc0e2a 100644
--- a/test/docker-compose.yml
+++ b/test/docker-compose.yml
@@ -30,6 +30,7 @@ services:
 - mosquitto_data:/mosquitto/data
 - mosquitto_log:/mosquitto/log
 - ./mosquitto.conf:/mosquitto/config/mosquitto.conf
+ - ./aclfile:/mosquitto/data/aclfile:ro
 environment:
 - MOSQ_USER=testuser
 - MOSQ_PASS=testpass
diff --git a/test/mosquitto.conf b/test/mosquitto.conf
index 4af9417..c6539a2 100644
--- a/test/mosquitto.conf
+++ b/test/mosquitto.conf
@@ -5,6 +5,8 @@ listener 1883 0.0.0.0
 allow_anonymous false
 # place password file in the data volume (writable)
 password_file /mosquitto/data/passwordfile
+# ACL file controls topic permissions
+acl_file /mosquitto/data/aclfile
 # Increase persistence location so container can map volume if needed
 persistence true
 persistence_location /mosquitto/data/
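Review bot: The header comment in test/aclfile understates the grant: it names only the 'lambdaiot' topic, while the last rule gives testuser read and write on the whole `lambdaiot/#` subtree. It also leaves out that, once `acl_file` is set, Mosquitto denies any user or topic not listed. I would reword it to `# ACL for testuser: read/write on 'lambdaiot' and every topic below it (lambdaiot/#); anything not listed here is denied`. If this fixture is meant to mirror a deployment, a single credential that can publish anywhere under the prefix is broader than least privilege; separate `topic read` and `topic write` rules per sub-topic would show the narrower pattern. The `topic readwrite lambdaiot` rule looks redundant, because under MQTT wildcard matching `lambdaiot/#` should also cover the parent level, but keeping it is harmless.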
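Review bot: The new bind mount in test/docker-compose.yml places the ACL at `/mosquitto/data/aclfile`, nested inside the `mosquitto_data` named volume that mosquitto.conf describes as the writable data area. Access-control policy is better kept with the other read-only configuration, away from broker-writable state. I would mount it as `- ./aclfile:/mosquitto/config/aclfile:ro` and change the matching line in the test/mosquitto.conf hunk to `acl_file /mosquitto/config/aclfile`. Because the file is bind-mounted from the host, its ownership and mode come from the checkout; recent Mosquitto releases appear to warn about password and ACL files that are world-readable or not owned by the broker user, so the broker log is worth checking on startup. The `services:` block continues outside the hunk.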