diff --git a/examples/single-subscription/README.md b/examples/single-subscription/README.md
index 617269a..40682c3 100644
--- a/examples/single-subscription/README.md
+++ b/examples/single-subscription/README.md
@@ -107,10 +107,12 @@ $ terraform apply
 | [deploy\_scanning](#input\_deploy\_scanning) | true/false, whether scanning module is to be deployed | `bool` | `false` | no |
 | [existing\_registries](#input\_existing\_registries) | existing Azure Container Registry names to be included to scan by resource group { resource\_group\_1 = ["registry\_name\_11","registry\_name\_12"],resource\_group\_2 = ["registry\_name\_21","registry\_name\_22"]}. By default it will create a new ACR | `map(list(string))` | `{}` | no |
 | [location](#input\_location) | Zone where the stack will be deployed | `string` | `"westus"` | no |
+| [logging](#input\_logging) | log level: info or debug | `string` | `"info"` | no |
 | [memory](#input\_memory) | Number of CPU cores of the containers | `string` | `"1"` | no |
 | [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy secure for cloud stack | `string` | `""` | no |
 | [tags](#input\_tags) | Tags to be added to the resources | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no |
+| [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 ## Outputs
diff --git a/examples/single-subscription/cloud-bench.tf b/examples/single-subscription/cloud-bench.tf
index 704a945..c783f6b 100644
--- a/examples/single-subscription/cloud-bench.tf
+++ b/examples/single-subscription/cloud-bench.tf
@@ -3,4 +3,5 @@ module "cloud_bench" {
 source = "../../modules/services/cloud-bench"
 subscription_id = data.azurerm_subscription.current.subscription_id
+ use_reader_role = var.use_reader_role
 }
diff --git a/examples/single-subscription/variables.tf b/examples/single-subscription/variables.tf
index e27ab4a..e3e5088 100644
--- a/examples/single-subscription/variables.tf
+++ b/examples/single-subscription/variables.tf
@@ -59,6 +59,12 @@ variable "deploy_benchmark" {
 default = true
 }
+variable "use_reader_role" {
+ type = bool
+ description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled"
+ default = false
+}
+
 #
 # general
diff --git a/examples/tenant-subscriptions/README.md b/examples/tenant-subscriptions/README.md
index 0020eb2..54a2d92 100644
--- a/examples/tenant-subscriptions/README.md
+++ b/examples/tenant-subscriptions/README.md
@@ -123,6 +123,7 @@ $ terraform apply
 | [resource\_group\_name](#input\_resource\_group\_name) | The resource group name to deploy secure for cloud stack | `string` | `""` | no |
 | [tags](#input\_tags) | Tags to be added to the resources | `map(string)` |
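Review bot: The description of the new `use_reader_role` variable in the examples/single-subscription/variables.tf hunk says "Some CSPM controls will not function correctly" without naming them, so an operator cannot weigh the least-privilege gain of the `Reader` delegation against the coverage that is lost; the same wording is repeated in examples/tenant-subscriptions/variables.tf, modules/services/cloud-bench/variables.tf and modules/services/cloud-bench/trust_relationship/variables.tf. Suggest listing the affected controls or linking to the page that does, e.g. `description = "Use the built-in Reader role instead of Contributor for the Lighthouse delegation. With Reader the following CSPM controls cannot be evaluated: <list or doc link>."`. Separately, the tenant-subscriptions hunk closes the new block with `+}` directly followed by the ` #` comment header, whereas this hunk adds a blank `+` line after it; keep the two examples formatted alike.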
{
"product": "sysdig-secure-for-cloud"
}
| no |
 | [threat\_detection\_subscription\_ids](#input\_threat\_detection\_subscription\_ids) | Azure subscription IDs to run threat detection on. If no subscriptions are specified, all of the tenant will be used. | `list(string)` | `[]` | no |
+| [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 ## Outputs
diff --git a/examples/tenant-subscriptions/cloud-bench.tf b/examples/tenant-subscriptions/cloud-bench.tf
index 554041e..1c3b4df 100644
--- a/examples/tenant-subscriptions/cloud-bench.tf
+++ b/examples/tenant-subscriptions/cloud-bench.tf
@@ -4,4 +4,5 @@ module "cloud_bench" {
 subscription_ids = var.benchmark_subscription_ids
 is_tenant = true
+ use_reader_role = var.use_reader_role
 }
diff --git a/examples/tenant-subscriptions/variables.tf b/examples/tenant-subscriptions/variables.tf
index 7265dea..983a5dd 100644
--- a/examples/tenant-subscriptions/variables.tf
+++ b/examples/tenant-subscriptions/variables.tf
@@ -70,6 +70,11 @@ variable "benchmark_subscription_ids" {
 description = "Azure subscription IDs to run Benchmarks on. If no subscriptions are specified, all of the tenant will be used."
 }
+variable "use_reader_role" {
+ type = bool
+ description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role when creating the Trust Relationship. Some CSPM controls will not function correctly if this option is enabled"
+ default = false
+}
 #
 # general
diff --git a/modules/services/cloud-bench/main.tf b/modules/services/cloud-bench/main.tf
index 1cd2e23..0b78aaf 100644
--- a/modules/services/cloud-bench/main.tf
+++ b/modules/services/cloud-bench/main.tf
@@ -17,4 +17,5 @@ module "trust_relationship" {
 source = "./trust_relationship"
 subscription_id = each.key
+ use_reader_role = var.use_reader_role
 }
diff --git a/modules/services/cloud-bench/trust_relationship/README.md b/modules/services/cloud-bench/trust_relationship/README.md
index b8821d7..c9b6896 100644
--- a/modules/services/cloud-bench/trust_relationship/README.md
+++ b/modules/services/cloud-bench/trust_relationship/README.md
@@ -25,7 +25,6 @@ No modules.
 | [azurerm_lighthouse_assignment.lighthouse_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_assignment) | resource |
 | [azurerm_lighthouse_definition.lighthouse_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lighthouse_definition) | resource |
 | [sysdig_secure_cloud_account.cloud_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_account) | resource |
-| [azurerm_role_definition.contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
 | [azurerm_subscription.subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source |
@@ -33,7 +32,8 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [subscription\_id](#input\_subscription\_id) | ID of subscription containing resources to run benchmarks on | `string` | n/a | yes |
+| [subscription\_id](#input\_subscription\_id) | Subscription ID in which to create a Trust Relationship | `string` | n/a | yes |
+| [use\_reader\_role](#input\_use\_reader\_role) | Set this flag to `true` to use the `Reader` role instead of the `Contributor` role. Some CSPM controls will not function correctly if this option is enabled | `bool` | `false` | no |
 ## Outputs
diff --git a/modules/services/cloud-bench/trust_relationship/main.tf b/modules/services/cloud-bench/trust_relationship/main.tf
index 433c33e..7eaa950 100644
--- a/modules/services/cloud-bench/trust_relationship/main.tf
+++ b/modules/services/cloud-bench/trust_relationship/main.tf
@@ -21,20 +21,18 @@ resource "sysdig_secure_cloud_account" "cloud_account" {
 role_enabled = "true"
 }
-data "azurerm_role_definition" "contributor" {
- role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
-}
-
 resource "azurerm_lighthouse_definition" "lighthouse_definition" {
- name = "Sysdig CloudBench Lighthouse Definition"
- description = "Lighthouse definition representing Sysdig CloudBench offer"
+ name = "Sysdig Lighthouse Definition"
+ description = "Lighthouse definition for Sysdig Secure for Cloud"
 managing_tenant_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.azure_tenant_id
 scope = "/subscriptions/${var.subscription_id}"
 authorization {
 principal_id = data.sysdig_secure_trusted_cloud_identity.trusted_identity.azure_service_principal_id
- role_definition_id = data.azurerm_role_definition.contributor.role_definition_id
- principal_display_name = "Sysdig CloudBench Service Principal"
+ principal_display_name = "Sysdig Service Principal"
+
+ # Uses Contributor (default) or Reader roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+ role_definition_id = var.use_reader_role ? "acdd72a7-3385-48ef-bd42-f606fba81ae7" : "b24988ac-6180-42a0-ab88-20f7382dd24c"
 }
 }
diff --git a/modules/services/cloud-bench/trust_relationship/variables.tf b/modules/services/cloud-bench/trust_relationship/variables.tf
index e34d85f..effc92d 100644
--- a/modules/services/cloud-bench/trust_relationship/variables.tf
+++ b/modules/services/cloud-bench/trust_relationship/variables.tf
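Review bot: The new `role_definition_id` line in the `authorization` block chooses between two bare GUIDs, so whoever audits what the delegated service principal is allowed to do has to trust the comment above it to know which literal is Reader and which is Contributor; putting the two built-in role IDs in a `locals` block with descriptive names keeps them in one place and makes the ternary self-describing. The change also renames the definition (`name` and `principal_display_name`); it is worth confirming against the azurerm provider whether a new `name` on `azurerm_lighthouse_definition` forces replacement of the definition and its assignment on existing deployments, and noting it in the changelog if it does. The `resource "sysdig_secure_cloud_account"` block that opens this hunk starts outside it.
```hcl
locals {
  # Azure built-in role definition IDs (see the built-in-roles link in the comment below).
  reader_role_definition_id      = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
  contributor_role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
}

# … unchanged: resource "azurerm_lighthouse_definition" up to the authorization block …
    role_definition_id = var.use_reader_role ? local.reader_role_definition_id : local.contributor_role_definition_id
```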
@@ -1,14 +1,14 @@
 variable "subscription_id" {
 type = string
- description = "ID of subscription containing resources to run benchmarks on"
+ description = "Subscription ID in which to create a Trust Relationship"
 }
 #---------------------------------
 # optionals - with default
 #---------------------------------
-#variable "region" {
-# type = string
-# description = "Region in which to run the benchmark. Azure accepts one of [AzureCloud, AzureChinaCloud, AzureGermanCloud, AzureUSGovernment]."
-# default = "AzureCloud"
-#}
+variable "use_reader_role" {
+ type = bool
+ description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role. Some CSPM controls will not function correctly if this option is enabled"
+ default = false
+}
diff --git a/modules/services/cloud-bench/variables.tf b/modules/services/cloud-bench/variables.tf
index a2cc1eb..405660a 100644
--- a/modules/services/cloud-bench/variables.tf
+++ b/modules/services/cloud-bench/variables.tf
@@ -1,14 +1,14 @@
 # For single project
 variable "subscription_id" {
 type = string
- description = "ID of subscription containing resources to run benchmarks on"
+ description = "Subscription ID in which to create a Trust Relationship"
 default = ""
 }
 # For tenant
 variable "subscription_ids" {
 type = list(string)
- description = "IDs of subscriptions containing resources to run benchmarks on"
+ description = "List of Subscription IDs in which to create a Trust Relationship"
 default = []
 }
@@ -21,3 +21,9 @@ variable "is_tenant" {
 description = "Whether this task is being created at the tenant or subscription level"
 default = false
 }
+
+variable "use_reader_role" {
+ type = bool
+ description = "Set this flag to `true` to use the `Reader` role instead of the `Contributor` role. Some CSPM controls will not function correctly if this option is enabled"
+ default = false
+}