diff --git a/modules/iam-bootstrap/README.md b/modules/iam-bootstrap/README.md
index ce0d12c6..78b7c70d 100644
--- a/modules/iam-bootstrap/README.md
+++ b/modules/iam-bootstrap/README.md
@@ -24,6 +24,7 @@ No modules.
 |------|------|
 | [aws_iam_policy.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachments_exclusive.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource |
 | [aws_caller_identity.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
diff --git a/modules/iam-bootstrap/main.tf b/modules/iam-bootstrap/main.tf
index 9656888d..3e275834 100644
--- a/modules/iam-bootstrap/main.tf
+++ b/modules/iam-bootstrap/main.tf
@@ -41,7 +41,11 @@ resource "aws_iam_role" "deployment" {
 ]
 })
- managed_policy_arns = aws_iam_policy.deployment[*].arn
-
 max_session_duration = var.max_session_duration
 }
+
+
+resource "aws_iam_role_policy_attachments_exclusive" "deployment" {
+ role_name = aws_iam_role.deployment.name
+ policy_arns = aws_iam_policy.deployment[*].arn
+}
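Review bot: The new `aws_iam_role_policy_attachments_exclusive.deployment` block in main.tf carries no comment explaining its exclusive semantics, and the README hunk only adds a table row. The `[*]` splat on `aws_iam_policy.deployment` suggests a count- or for_each-based policy; if that evaluates to zero instances, `policy_arns` becomes an empty list and the exclusive resource detaches every customer-managed policy from the deployment role on apply, including anything attached outside Terraform — presumably the intended drift-removal behaviour, but it should be stated. I would add above the resource: `# Exclusive attachment: only the policies listed here may be attached to the deployment role; any managed policy attached out of band is detached on the next apply.` Also confirm that the module's provider version constraint (not in this diff) is raised to a release that ships this resource type, since it is a recent addition to the AWS provider. The enclosing `aws_iam_role.deployment` block begins before this hunk, so I could not check whether other role arguments depend on the removed `managed_policy_arns`.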