diff --git a/modules/agentless-scanning/main.tf b/modules/agentless-scanning/main.tf
index 045a697..c829913 100644
--- a/modules/agentless-scanning/main.tf
+++ b/modules/agentless-scanning/main.tf
@@ -26,7 +26,7 @@ data "aws_iam_session_context" "current" {
 data "sysdig_secure_agentless_scanning_assets" "assets" {}
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-	cloud_provider = "aws"
+  cloud_provider = "aws"
 }
 
 data "sysdig_secure_tenant_external_id" "external_id" {}
@@ -64,29 +64,13 @@ resource "random_id" "suffix" {
 # predefined/default AWSCloudFormationStackSetAdministrationRole.
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
-# IAM Policy Document used by Stackset roles for the KMS operations policy
-data "aws_iam_policy_document" "kms_operations" {
-  count = !var.auto_create_stackset_roles ? 0 : 1
-
-  statement {
-    sid = "KmsOperationsAccess"
-    effect = "Allow"
-    actions = [
-      "kms:*",
-    ]
-    resources = [
-      "*",
-    ]
-  }
-}
-
 resource "aws_iam_role" "scanning_stackset_admin_role" {
   count = !var.auto_create_stackset_roles ? 0 : 1
 
   name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
   tags = var.tags
 
-  assume_role_policy = <<EOF
+  assume_role_policy  = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -101,10 +85,25 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
 }
 EOF
   managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
-  inline_policy {
-    name   = "KmsOperationsAccess"
-    policy = data.aws_iam_policy_document.kms_operations[0].json
-  }
+}
+
+resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
+  count = !var.auto_create_stackset_roles ? 0 : 1
+
+  name = "KmsOperationsAccess"
+  role = aws_iam_role.scanning_stackset_admin_role[0].id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "KmsOperationsAccess"
+        Action = [
+          "kms:*",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -139,10 +138,25 @@ EOF
   managed_policy_arns = [
     "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
   ]
-  inline_policy {
-    name   = "KmsOperationsAccess"
-    policy = data.aws_iam_policy_document.kms_operations[0].json
-  }
+}
+
+resource "aws_iam_role_policy" "scanning_stackset_execution_role_policy" {
+  count = !var.auto_create_stackset_roles ? 0 : 1
+
+  name = "KmsOperationsAccess"
+  role = aws_iam_role.scanning_stackset_execution_role[0].id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "KmsOperationsAccess"
+        Action = [
+          "kms:*",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -368,7 +382,7 @@ resource "aws_iam_policy_attachment" "scanning_policy_attachment" {
 #   - KMS Primary Key, and
 #   - KMS Primary alias
 #
-# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions 
+# Note: self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "aws_cloudformation_stack_set" "primary_acc_stackset" {
@@ -428,7 +442,9 @@ TEMPLATE
   depends_on = [
     aws_iam_role.scanning_role,
     aws_iam_role.scanning_stackset_admin_role,
-    aws_iam_role.scanning_stackset_execution_role
+    aws_iam_role_policy.scanning_stackset_admin_role_policy,
+    aws_iam_role.scanning_stackset_execution_role,
+    aws_iam_role_policy.scanning_stackset_execution_role_policy
   ]
 }
 
@@ -459,10 +475,10 @@ resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance"
 # explicit dependency using depends_on
 #-----------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_TRUSTED_ROLE"
-  instance                   = "secure-scanning"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_TRUSTED_ROLE"
+  instance   = "secure-scanning"
+  version    = "v0.1.0"
   trusted_role_metadata = jsonencode({
     aws = {
       role_name = local.scanning_resource_name
@@ -477,16 +493,16 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_scanning_role" {
 # explicit dependency using depends_on
 #-----------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "aws_crypto_key" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_CRYPTO_KEY"
-  instance                   = "secure-scanning"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_CRYPTO_KEY"
+  instance   = "secure-scanning"
+  version    = "v0.1.0"
   crypto_key_metadata = jsonencode({
     aws = {
       kms = {
-          alias   = "alias/${local.scanning_resource_name}"
-          regions = var.regions
-        }
+        alias   = "alias/${local.scanning_resource_name}"
+        regions = var.regions
+      }
     }
   })
 }
\ No newline at end of file
diff --git a/modules/agentless-scanning/outputs.tf b/modules/agentless-scanning/outputs.tf
index ea80ab2..8d98d80 100644
--- a/modules/agentless-scanning/outputs.tf
+++ b/modules/agentless-scanning/outputs.tf
@@ -1,11 +1,11 @@
 output "scanning_role_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.aws_scanning_role.type}/${sysdig_secure_cloud_auth_account_component.aws_scanning_role.instance}"
   description = "Component identifier of scanning role created in Sysdig Backend for Agentless Scanning"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.aws_scanning_role ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.aws_scanning_role]
 }
 
 output "crypto_key_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.aws_crypto_key.type}/${sysdig_secure_cloud_auth_account_component.aws_crypto_key.instance}"
   description = "Component identifier of KMS crypto key created in Sysdig Backend for Agentless Scanning"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.aws_crypto_key ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.aws_crypto_key]
 }
\ No newline at end of file
diff --git a/modules/agentless-scanning/variables.tf b/modules/agentless-scanning/variables.tf
index 716323e..c8fe4eb 100644
--- a/modules/agentless-scanning/variables.tf
+++ b/modules/agentless-scanning/variables.tf
@@ -56,8 +56,8 @@ variable "stackset_admin_role_arn" {
 
 variable "stackset_execution_role_name" {
   description = "(Optional) stackset execution role name to run SELF_MANAGED stackset"
-    type        = string
-    default     = ""
+  type        = string
+  default     = ""
 }
 
 variable "timeout" {
diff --git a/modules/agentless-scanning/versions.tf b/modules/agentless-scanning/versions.tf
index 6257f6a..2945a9e 100644
--- a/modules/agentless-scanning/versions.tf
+++ b/modules/agentless-scanning/versions.tf
@@ -6,7 +6,7 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source  = "sysdiglabs/sysdig"
+      source = "sysdiglabs/sysdig"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf
index 005c4a6..fffc806 100644
--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -9,7 +9,7 @@ locals {
 }
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-	cloud_provider = "aws"
+  cloud_provider = "aws"
 }
 
 data "sysdig_secure_tenant_external_id" "external_id" {}
@@ -41,89 +41,57 @@ resource "aws_iam_role" "cspm_role" {
 }
 EOF
   managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
-  inline_policy {
-    name   = local.config_posture_role_name
-    policy = data.aws_iam_policy_document.custom_resources_policy.json
-  }
 }
 
-# Custom IAM Policy Document used by trust-relationship role
-data "aws_iam_policy_document" "custom_resources_policy" {
-
-  statement {
-    sid = "DescribeEFSAccessPoints"
-
-    effect = "Allow"
-
-    actions = [
-      "elasticfilesystem:DescribeAccessPoints",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid = "ListWafRegionalRulesAndRuleGroups"
-
-    effect = "Allow"
-
-    actions = [
-      "waf-regional:ListRules",
-      "waf-regional:ListRuleGroups",
-    ]
-
-    resources = [
-      "arn:aws:waf-regional:*:*:rule/*",
-      "arn:aws:waf-regional:*:*:rulegroup/*"
-    ]
-  }
-
-  statement {
-    sid = "ListJobsOnConsole"
-
-    effect = "Allow"
-
-    actions = [
-      "macie2:ListClassificationJobs",
+resource "aws_iam_role_policy" "cspm_role_policy" {
+  name = local.config_posture_role_name
+  role = aws_iam_role.cspm_role.id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "DescribeEFSAccessPoints"
+        Action = [
+          "elasticfilesystem:DescribeAccessPoints",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Sid = "ListWafRegionalRulesAndRuleGroups"
+        Action = [
+          "waf-regional:ListRules",
+          "waf-regional:ListRuleGroups",
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:waf-regional:*:*:rule/*",
+          "arn:aws:waf-regional:*:*:rulegroup/*"
+        ]
+      },
+      {
+        Sid      = "ListJobsOnConsole"
+        Action   = "macie2:ListClassificationJobs"
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Sid = "GetFunctionDetails"
+        Action = [
+          "lambda:GetRuntimeManagementConfig",
+          "lambda:GetFunction",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Sid      = "AccessAccountContactInfo"
+        Action   = "account:GetContactInformation"
+        Effect   = "Allow"
+        Resource = "*"
+      },
     ]
-
-    resources = [
-      "*",
-    ]
-  }
-
-  statement {
-    sid = "GetFunctionDetails"
-
-    effect = "Allow"
-
-    actions = [
-      "lambda:GetRuntimeManagementConfig",
-      "lambda:GetFunction",
-    ]
-
-    resources = [
-      "*"
-    ]
-  }
-
-  statement {
-    sid = "AccessAccountContactInfo"
-
-    effect = "Allow"
-
-    actions = [
-      "account:GetContactInformation",
-    ]
-
-    resources = [
-      "*",
-    ]
-  }
+  })
 }
-
 #--------------------------------------------------------------------------------------------------------------
 # Call Sysdig Backend to add the trusted role for Config Posture to the Sysdig Cloud Account
 #
@@ -131,13 +99,13 @@ data "aws_iam_policy_document" "custom_resources_policy" {
 # explicit dependency using depends_on
 #--------------------------------------------------------------------------------------------------------------
 resource "sysdig_secure_cloud_auth_account_component" "config_posture_role" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_TRUSTED_ROLE"
-  instance                   = "secure-posture"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_TRUSTED_ROLE"
+  instance   = "secure-posture"
+  version    = "v0.1.0"
   trusted_role_metadata = jsonencode({
-        aws = {
-          role_name = local.config_posture_role_name
-        }
-      })
+    aws = {
+      role_name = local.config_posture_role_name
+    }
+  })
 }
\ No newline at end of file
diff --git a/modules/config-posture/outputs.tf b/modules/config-posture/outputs.tf
index cd92255..a84a0a8 100644
--- a/modules/config-posture/outputs.tf
+++ b/modules/config-posture/outputs.tf
@@ -1,5 +1,5 @@
 output "config_posture_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.config_posture_role.type}/${sysdig_secure_cloud_auth_account_component.config_posture_role.instance}"
   description = "Component identifier of trusted identity created in Sysdig Backend for Config Posture"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.config_posture_role ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.config_posture_role]
 }
\ No newline at end of file
diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf
index 41738e8..7ebfef6 100644
--- a/modules/config-posture/versions.tf
+++ b/modules/config-posture/versions.tf
@@ -6,7 +6,7 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source  = "sysdiglabs/sysdig"
+      source = "sysdiglabs/sysdig"
     }
   }
 }
diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf
index 640742a..07f7f5f 100644
--- a/modules/integrations/event-bridge/main.tf
+++ b/modules/integrations/event-bridge/main.tf
@@ -17,7 +17,7 @@ data "aws_caller_identity" "current" {}
 data "sysdig_secure_cloud_ingestion_assets" "assets" {}
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-	cloud_provider = "aws"
+  cloud_provider = "aws"
 }
 
 data "sysdig_secure_tenant_external_id" "external_id" {}
@@ -59,7 +59,7 @@ resource "aws_iam_role" "event_bus_stackset_admin_role" {
   name = "AWSCloudFormationStackSetAdministrationRoleForEB"
   tags = var.tags
 
-  assume_role_policy = <<EOF
+  assume_role_policy  = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -149,43 +149,37 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" {
   ]
 }
 EOF
-  inline_policy {
-    name   = local.eb_resource_name
-    policy = data.aws_iam_policy_document.cloud_trail_events.json
-  }
 }
 
-# IAM Policy Document used by EventBridge role for the cloudtrail events policy
-data "aws_iam_policy_document" "cloud_trail_events" {
-
-  statement {
-    sid = "CloudTrailEventsPut"
-
-    effect = "Allow"
-
-    actions = [
-      "events:PutEvents",
-    ]
-
-    resources = [
-      data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN,
-    ]
-  }
-
-  statement {
-    sid = "CloudTrailEventRuleAccess"
-
-    effect = "Allow"
 
-    actions = [
-      "events:DescribeRule",
-      "events:ListTargetsByRule",
-    ]
-
-    resources = [
-      "arn:aws:events:*:*:rule/${local.eb_resource_name}",
+resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" {
+  name = local.eb_resource_name
+  role = aws_iam_role.event_bus_invoke_remote_event_bus.id
+  policy = jsonencode({
+    Statement = [
+      {
+        Sid = "CloudTrailEventsPut"
+        Action = [
+          "events:PutEvents",
+        ]
+        Effect = "Allow"
+        Resource = [
+          data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN,
+        ]
+      },
+      {
+        Sid = "CloudTrailEventRuleAccess"
+        Action = [
+          "events:DescribeRule",
+          "events:ListTargetsByRule",
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:events:*:*:rule/${local.eb_resource_name}",
+        ]
+      },
     ]
-  }
+  })
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -258,10 +252,10 @@ resource "aws_cloudformation_stack_set_instance" "primary_acc_stackset_instance"
 #-----------------------------------------------------------------------------------------------------------------------------------------
 
 resource "sysdig_secure_cloud_auth_account_component" "aws_event_bridge" {
-  account_id                 = var.sysdig_secure_account_id
-  type                       = "COMPONENT_EVENT_BRIDGE"
-  instance                   = "secure-runtime"
-  version                    = "v0.1.0"
+  account_id = var.sysdig_secure_account_id
+  type       = "COMPONENT_EVENT_BRIDGE"
+  instance   = "secure-runtime"
+  version    = "v0.1.0"
   event_bridge_metadata = jsonencode({
     aws = {
       role_name = local.eb_resource_name
diff --git a/modules/integrations/event-bridge/outputs.tf b/modules/integrations/event-bridge/outputs.tf
index e77a65e..109669e 100644
--- a/modules/integrations/event-bridge/outputs.tf
+++ b/modules/integrations/event-bridge/outputs.tf
@@ -1,5 +1,5 @@
 output "event_bridge_component_id" {
   value       = "${sysdig_secure_cloud_auth_account_component.aws_event_bridge.type}/${sysdig_secure_cloud_auth_account_component.aws_event_bridge.instance}"
   description = "Component identifier of Event Bridge integration created in Sysdig Backend for Log Ingestion"
-  depends_on = [ sysdig_secure_cloud_auth_account_component.aws_event_bridge ]
+  depends_on  = [sysdig_secure_cloud_auth_account_component.aws_event_bridge]
 }
diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf
index 9c23c84..dbc76f1 100644
--- a/modules/integrations/event-bridge/variables.tf
+++ b/modules/integrations/event-bridge/variables.tf
@@ -93,8 +93,8 @@ variable "stackset_admin_role_arn" {
 
 variable "stackset_execution_role_name" {
   description = "(Optional) stackset execution role name to run SELF_MANAGED stackset"
-    type        = string
-    default     = ""
+  type        = string
+  default     = ""
 }
 
 variable "sysdig_secure_account_id" {
diff --git a/modules/integrations/event-bridge/versions.tf b/modules/integrations/event-bridge/versions.tf
index a5cfac8..ffc5d6d 100644
--- a/modules/integrations/event-bridge/versions.tf
+++ b/modules/integrations/event-bridge/versions.tf
@@ -6,7 +6,7 @@ terraform {
       version = ">= 5.60.0"
     }
     sysdig = {
-      source  = "sysdiglabs/sysdig"
+      source = "sysdiglabs/sysdig"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf
index 2203857..72ededf 100644
--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -12,7 +12,7 @@ locals {
 }
 
 data "sysdig_secure_trusted_cloud_identity" "trusted_identity" {
-	cloud_provider = "aws"
+  cloud_provider = "aws"
 }
 
 data "sysdig_secure_tenant_external_id" "external_id" {}
@@ -49,7 +49,7 @@ EOF
   ])
 
   lifecycle {
-    ignore_changes = [ tags ]
+    ignore_changes = [tags]
   }
 }
 
diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf
index b632d55..c53a1e5 100644
--- a/modules/onboarding/organizational.tf
+++ b/modules/onboarding/organizational.tf
@@ -7,7 +7,7 @@ data "aws_organizations_organization" "org" {
 }
 
 locals {
-  org_units_to_deploy  = var.is_organizational && length(var.organizational_unit_ids) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : var.organizational_unit_ids
+  org_units_to_deploy = var.is_organizational && length(var.organizational_unit_ids) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : var.organizational_unit_ids
 }
 
 #----------------------------------------------------------
@@ -79,7 +79,7 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
 }
 
 resource "sysdig_secure_organization" "aws_organization" {
-  count = var.is_organizational ? 1 : 0
-  management_account_id = sysdig_secure_cloud_auth_account.cloud_auth_account.id
-  organizational_unit_ids  = var.organizational_unit_ids
+  count                   = var.is_organizational ? 1 : 0
+  management_account_id   = sysdig_secure_cloud_auth_account.cloud_auth_account.id
+  organizational_unit_ids = var.organizational_unit_ids
 }
diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf
index 0c3e10f..17c7f6b 100644
--- a/modules/onboarding/versions.tf
+++ b/modules/onboarding/versions.tf
@@ -10,7 +10,7 @@ terraform {
       version = ">= 3.1"
     }
     sysdig = {
-      source  = "sysdiglabs/sysdig"
+      source = "sysdiglabs/sysdig"
     }
   }
 }