diff --git a/main.tf b/main.tf
index 0dcaf395..9a4a5c3a 100644
--- a/main.tf
+++ b/main.tf
@@ -9,7 +9,8 @@ module "aft_account_provisioning_framework" {
   providers = {
     aws = aws.aft_management
   }
-  source                                           = "./modules/aft-account-provisioning-framework"
+  source = "./modules/aft-account-provisioning-framework"
+
   aft_account_provisioning_framework_sfn_name      = local.aft_account_provisioning_framework_sfn_name
   aft_account_provisioning_customizations_sfn_name = local.aft_account_provisioning_customizations_sfn_name
   trigger_customizations_sfn_name                  = local.trigger_customizations_sfn_name
@@ -26,7 +27,8 @@ module "aft_account_provisioning_framework" {
 }
 
 module "vpc" {
-  source = "terraform-aws-modules/vpc/aws"
+  source = "registry.terraform.io/terraform-aws-modules/vpc/aws"
+
   providers = {
     aws = aws.aft_management
   }
@@ -44,7 +46,7 @@ module "vpc" {
   private_subnet_suffix = "private"
   public_subnet_suffix  = "public"
 
-  default_security_group_name   = "aft-endpoint-sg"
+  default_security_group_name = "aft-endpoint-sg"
   default_security_group_egress = [
     {
       from_port        = 0
@@ -60,7 +62,7 @@ module "vpc" {
       to_port     = 443
       protocol    = "tcp"
       cidr_blocks = var.aft_vpc_cidr
-    }, {
+      }, {
       from_port   = 22
       to_port     = 22
       protocol    = "tcp"
@@ -125,7 +127,7 @@ module "aft_backend" {
 
 module "aft_code_repositories" {
   depends_on = [module.vpc]
-  providers  = {
+  providers = {
     aws = aws.aft_management
   }
   source                                          = "./modules/aft-code-repositories"
@@ -155,7 +157,7 @@ module "aft_code_repositories" {
 
 module "aft_customizations" {
   depends_on = [module.vpc]
-  providers  = {
+  providers = {
     aws = aws.aft_management
   }
   source                                            = "./modules/aft-customizations"
@@ -212,7 +214,7 @@ module "aft_feature_options" {
 }
 
 module "aft_iam_roles" {
-  source    = "./modules/aft-iam-roles"
+  source = "./modules/aft-iam-roles"
   providers = {
     aws.ct_management  = aws.ct_management
     aws.audit          = aws.audit
@@ -223,7 +225,7 @@ module "aft_iam_roles" {
 
 module "aft_lambda_layer" {
   depends_on = [module.vpc]
-  providers  = {
+  providers = {
     aws = aws.aft_management
   }
   source                                            = "./modules/aft-lambda-layer"
@@ -247,67 +249,72 @@ module "aft_ssm_parameters" {
   providers = {
     aws = aws.aft_management
   }
-  source                                                      = "./modules/aft-ssm-parameters"
-  aft_request_queue_name                                      = module.aft_account_request_framework.request_queue_name
-  aft_request_table_name                                      = module.aft_account_request_framework.request_table_name
-  aft_request_audit_table_name                                = module.aft_account_request_framework.request_audit_table_name
-  aft_request_metadata_table_name                             = module.aft_account_request_framework.request_metadata_table_name
-  aft_controltower_events_table_name                          = module.aft_account_request_framework.controltower_events_table_name
-  account_factory_product_name                                = module.aft_account_request_framework.account_factory_product_name
-  aft_invoke_aft_account_provisioning_framework_function_name = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_lambda_function_name
-  aft_account_provisioning_framework_sfn_name                 = module.aft_account_request_framework.aft_account_provisioning_framework_sfn_name
-  aft_sns_topic_arn                                           = module.aft_account_request_framework.sns_topic_arn
-  aft_failure_sns_topic_arn                                   = module.aft_account_request_framework.failure_sns_topic_arn
-  request_action_trigger_function_arn                         = module.aft_account_request_framework.request_action_trigger_function_arn
-  request_audit_trigger_function_arn                          = module.aft_account_request_framework.request_audit_trigger_function_arn
-  request_processor_function_arn                              = module.aft_account_request_framework.request_processor_function_arn
-  control_tower_event_logger_function_arn                     = module.aft_account_request_framework.control_tower_event_logger_function_arn
-  invoke_aft_account_provisioning_framework_function_arn      = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_function_arn
-  validate_request_function_arn                               = module.aft_account_provisioning_framework.validate_request_function_arn
-  get_account_info_function_arn                               = module.aft_account_provisioning_framework.get_account_info_function_arn
-  create_role_function_arn                                    = module.aft_account_provisioning_framework.create_role_function_arn
-  tag_account_function_arn                                    = module.aft_account_provisioning_framework.tag_account_function_arn
-  persist_metadata_function_arn                               = module.aft_account_provisioning_framework.persist_metadata_function_arn
-  aft_customizations_identify_targets_function_arn            = module.aft_customizations.aft_customizations_identify_targets_function_arn
-  aft_customizations_execute_pipeline_function_arn            = module.aft_customizations.aft_customizations_execute_pipeline_function_arn
-  aft_customizations_get_pipeline_executions_function_arn     = module.aft_customizations.aft_customizations_get_pipeline_executions_function_arn
-  codestar_connection_arn                                     = module.aft_code_repositories.codestar_connection_arn
-  aft_log_key_arn                                             = module.aft_feature_options.aws_aft_log_key_arn
-  aft_logging_bucket_arn                                      = module.aft_feature_options.aws_aft_logs_s3_bucket_arn
-  aft_config_backend_bucket_id                                = module.aft_backend.bucket_id
-  aft_config_backend_table_id                                 = module.aft_backend.table_id
-  aft_config_backend_kms_key_id                               = module.aft_backend.kms_key_id
-  aft_administrator_role_name                                 = local.aft_administrator_role_name
-  aft_execution_role_name                                     = local.aft_execution_role_name
-  aft_session_name                                            = local.aft_session_name
-  aft_version                                                 = local.aft_version
-  ct_management_account_id                                    = var.ct_management_account_id
-  ct_audit_account_id                                         = var.audit_account_id
-  ct_log_archive_account_id                                   = var.log_archive_account_id
-  aft_management_account_id                                   = var.aft_management_account_id
-  ct_primary_region                                           = var.ct_home_region
-  tf_version                                                  = var.terraform_version
-  tf_distribution                                             = var.terraform_distribution
-  terraform_api_endpoint                                      = var.terraform_api_endpoint
-  account_request_repo_branch                                 = var.account_request_repo_branch
-  account_request_repo_name                                   = var.account_request_repo_name
-  vcs_provider                                                = var.vcs_provider
-  aft_config_backend_primary_region                           = var.ct_home_region
-  aft_config_backend_secondary_region                         = var.tf_backend_secondary_region
-  aft_framework_repo_url                                      = var.aft_framework_repo_url
-  aft_framework_repo_git_ref                                  = var.aft_framework_repo_git_ref
-  terraform_token                                             = var.terraform_token
-  terraform_version                                           = var.terraform_version
-  terraform_org_name                                          = var.terraform_org_name
-  aft_feature_cloudtrail_data_events                          = var.aft_feature_cloudtrail_data_events
-  aft_feature_enterprise_support                              = var.aft_feature_enterprise_support
-  aft_feature_delete_default_vpcs_enabled                     = var.aft_feature_delete_default_vpcs_enabled
-  account_customizations_repo_name                            = var.account_customizations_repo_name
-  account_customizations_repo_branch                          = var.account_customizations_repo_branch
-  global_customizations_repo_name                             = var.global_customizations_repo_name
-  global_customizations_repo_branch                           = var.global_customizations_repo_branch
-  account_provisioning_customizations_repo_name               = var.account_provisioning_customizations_repo_name
-  account_provisioning_customizations_repo_branch             = var.account_provisioning_customizations_repo_branch
-  maximum_concurrent_customizations                           = var.maximum_concurrent_customizations
-  github_enterprise_url                                       = var.github_enterprise_url
+  source = "./modules/aft-ssm-parameters"
+  not_sensitive = {
+    account_customizations_repo_branch                          = var.account_customizations_repo_branch
+    account_customizations_repo_name                            = var.account_customizations_repo_name
+    account_factory_product_name                                = module.aft_account_request_framework.account_factory_product_name
+    account_provisioning_customizations_repo_branch             = var.account_provisioning_customizations_repo_branch
+    account_provisioning_customizations_repo_name               = var.account_provisioning_customizations_repo_name
+    account_request_repo_branch                                 = var.account_request_repo_branch
+    account_request_repo_name                                   = var.account_request_repo_name
+    aft_account_provisioning_framework_sfn_name                 = module.aft_account_request_framework.aft_account_provisioning_framework_sfn_name
+    aft_administrator_role_name                                 = local.aft_administrator_role_name
+    aft_config_backend_bucket_id                                = module.aft_backend.bucket_id
+    aft_config_backend_kms_key_id                               = module.aft_backend.kms_key_id
+    aft_config_backend_primary_region                           = var.ct_home_region
+    aft_config_backend_secondary_region                         = var.tf_backend_secondary_region
+    aft_config_backend_table_id                                 = module.aft_backend.table_id
+    aft_controltower_events_table_name                          = module.aft_account_request_framework.controltower_events_table_name
+    aft_customizations_execute_pipeline_function_arn            = module.aft_customizations.aft_customizations_execute_pipeline_function_arn
+    aft_customizations_get_pipeline_executions_function_arn     = module.aft_customizations.aft_customizations_get_pipeline_executions_function_arn
+    aft_customizations_identify_targets_function_arn            = module.aft_customizations.aft_customizations_identify_targets_function_arn
+    aft_execution_role_name                                     = local.aft_execution_role_name
+    aft_failure_sns_topic_arn                                   = module.aft_account_request_framework.failure_sns_topic_arn
+    aft_feature_cloudtrail_data_events                          = var.aft_feature_cloudtrail_data_events
+    aft_feature_delete_default_vpcs_enabled                     = var.aft_feature_delete_default_vpcs_enabled
+    aft_feature_enterprise_support                              = var.aft_feature_enterprise_support
+    aft_framework_repo_git_ref                                  = var.aft_framework_repo_git_ref
+    aft_framework_repo_url                                      = var.aft_framework_repo_url
+    aft_invoke_aft_account_provisioning_framework_function_name = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_lambda_function_name
+    aft_log_key_arn                                             = module.aft_feature_options.aws_aft_log_key_arn
+    aft_logging_bucket_arn                                      = module.aft_feature_options.aws_aft_logs_s3_bucket_arn
+    aft_management_account_id                                   = var.aft_management_account_id
+    aft_request_audit_table_name                                = module.aft_account_request_framework.request_audit_table_name
+    aft_request_metadata_table_name                             = module.aft_account_request_framework.request_metadata_table_name
+    aft_request_queue_name                                      = module.aft_account_request_framework.request_queue_name
+    aft_request_table_name                                      = module.aft_account_request_framework.request_table_name
+    aft_session_name                                            = local.aft_session_name
+    aft_sns_topic_arn                                           = module.aft_account_request_framework.sns_topic_arn
+    aft_version                                                 = local.aft_version
+    codestar_connection_arn                                     = module.aft_code_repositories.codestar_connection_arn
+    control_tower_event_logger_function_arn                     = module.aft_account_request_framework.control_tower_event_logger_function_arn
+    create_role_function_arn                                    = module.aft_account_provisioning_framework.create_role_function_arn
+    ct_audit_account_id                                         = var.audit_account_id
+    ct_log_archive_account_id                                   = var.log_archive_account_id
+    ct_management_account_id                                    = var.ct_management_account_id
+    ct_primary_region                                           = var.ct_home_region
+    get_account_info_function_arn                               = module.aft_account_provisioning_framework.get_account_info_function_arn
+    github_enterprise_url                                       = var.github_enterprise_url
+    global_customizations_repo_branch                           = var.global_customizations_repo_branch
+    global_customizations_repo_name                             = var.global_customizations_repo_name
+    invoke_aft_account_provisioning_framework_function_arn      = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_function_arn
+    maximum_concurrent_customizations                           = var.maximum_concurrent_customizations
+    persist_metadata_function_arn                               = module.aft_account_provisioning_framework.persist_metadata_function_arn
+    request_action_trigger_function_arn                         = module.aft_account_request_framework.request_action_trigger_function_arn
+    request_audit_trigger_function_arn                          = module.aft_account_request_framework.request_audit_trigger_function_arn
+    request_processor_function_arn                              = module.aft_account_request_framework.request_processor_function_arn
+    tag_account_function_arn                                    = module.aft_account_provisioning_framework.tag_account_function_arn
+    terraform_api_endpoint                                      = var.terraform_api_endpoint
+    terraform_org_name                                          = var.terraform_org_name
+    terraform_version                                           = var.terraform_version
+    tf_distribution                                             = var.terraform_distribution
+    tf_version                                                  = var.terraform_version
+    validate_request_function_arn                               = module.aft_account_provisioning_framework.validate_request_function_arn
+    vcs_provider                                                = var.vcs_provider
+  }
+
+  sensitive = {
+    terraform_token = var.terraform_token
+  }
 }
diff --git a/modules/aft-account-provisioning-framework/lambda.tf b/modules/aft-account-provisioning-framework/lambda.tf
index 087d528b..f0e4c480 100644
--- a/modules/aft-account-provisioning-framework/lambda.tf
+++ b/modules/aft-account-provisioning-framework/lambda.tf
@@ -1,8 +1,8 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
-### VALIDATE REQUEST FUNCTION
 
+### VALIDATE REQUEST FUNCTION
 resource "aws_lambda_function" "validate_request" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-validate-request"
@@ -10,9 +10,9 @@ resource "aws_lambda_function" "validate_request" {
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request.arn
   handler          = "aft_account_provisioning_framework_validate_request.lambda_handler"
   source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -27,8 +27,6 @@ resource "aws_cloudwatch_log_group" "validate_request" {
 }
 
 ### GET ACCOUNT INFO FUNCTION
-
-
 resource "aws_lambda_function" "get_account_info" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-get-account-info"
@@ -36,9 +34,9 @@ resource "aws_lambda_function" "get_account_info" {
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info.arn
   handler          = "aft_account_provisioning_framework_get_account_info.lambda_handler"
   source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -53,7 +51,6 @@ resource "aws_cloudwatch_log_group" "get_account_info" {
 }
 
 ###  CREATE ROLE FUNCTION
-
 resource "aws_lambda_function" "create_role" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-create-aft-execution-role"
@@ -61,9 +58,9 @@ resource "aws_lambda_function" "create_role" {
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_create_role.arn
   handler          = "aft_account_provisioning_framework_create_role.lambda_handler"
   source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -77,9 +74,7 @@ resource "aws_cloudwatch_log_group" "create_role" {
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
-
 ###  TAG ACCOUNT FUNCTION
-
 resource "aws_lambda_function" "tag_account" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-tag-account"
@@ -87,9 +82,9 @@ resource "aws_lambda_function" "tag_account" {
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_tag_account.arn
   handler          = "aft_account_provisioning_framework_tag_account.lambda_handler"
   source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -104,7 +99,6 @@ resource "aws_cloudwatch_log_group" "tag_account" {
 }
 
 ###  PERSIST METADATA FUNCTION
-
 resource "aws_lambda_function" "persist_metadata" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-persist-metadata"
@@ -112,9 +106,9 @@ resource "aws_lambda_function" "persist_metadata" {
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn
   handler          = "aft_account_provisioning_framework_persist_metadata.lambda_handler"
   source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -128,10 +122,8 @@ resource "aws_cloudwatch_log_group" "persist_metadata" {
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
-###  Account Metadata SSM Function
-
-
 
+###  Account Metadata SSM Function
 resource "aws_lambda_function" "account_metadata_ssm" {
   filename         = var.provisioning_framework_archive_path
   function_name    = "aft-account-provisioning-framework-account-metadata-ssm"
@@ -139,9 +131,9 @@ resource "aws_lambda_function" "account_metadata_ssm" {
   role             = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn
   handler          = "aft_account_provisioning_framework_account_metadata_ssm.lambda_handler"
   source_code_hash = var.provisioning_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = 300
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
diff --git a/modules/aft-account-provisioning-framework/outputs.tf b/modules/aft-account-provisioning-framework/outputs.tf
index e491356e..e860b968 100644
--- a/modules/aft-account-provisioning-framework/outputs.tf
+++ b/modules/aft-account-provisioning-framework/outputs.tf
@@ -4,7 +4,6 @@
 output "state_machine_arn" {
   value = aws_sfn_state_machine.aft_account_provisioning_framework_sfn.arn
 }
-
 output "validate_request_function_arn" {
   value = aws_lambda_function.validate_request.arn
 }
diff --git a/modules/aft-account-provisioning-framework/readme.md b/modules/aft-account-provisioning-framework/readme.md
new file mode 100644
index 00000000..917d0792
--- /dev/null
+++ b/modules/aft-account-provisioning-framework/readme.md
@@ -0,0 +1,85 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72, < 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.account_metadata_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.account_metadata_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_sfn_state_machine.aft_account_provisioning_framework_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource |
+| [aws_caller_identity.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_region.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aft_account_provisioning_customizations_sfn_name"></a> [aft\_account\_provisioning\_customizations\_sfn\_name](#input\_aft\_account\_provisioning\_customizations\_sfn\_name) | n/a | `string` | n/a | yes |
+| <a name="input_aft_account_provisioning_framework_sfn_name"></a> [aft\_account\_provisioning\_framework\_sfn\_name](#input\_aft\_account\_provisioning\_framework\_sfn\_name) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes |
+| <a name="input_aft_common_layer_arn"></a> [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_failure_sns_topic_arn"></a> [aft\_failure\_sns\_topic\_arn](#input\_aft\_failure\_sns\_topic\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_features_sfn_name"></a> [aft\_features\_sfn\_name](#input\_aft\_features\_sfn\_name) | n/a | `string` | n/a | yes |
+| <a name="input_aft_kms_key_arn"></a> [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_sns_topic_arn"></a> [aft\_sns\_topic\_arn](#input\_aft\_sns\_topic\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_default_sg"></a> [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes |
+| <a name="input_aft_vpc_private_subnets"></a> [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | n/a | `list(string)` | n/a | yes |
+| <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes |
+| <a name="input_lambda_configuration"></a> [lambda\_configuration](#input\_lambda\_configuration) | n/a | <pre>object({<br>    memory_size = string<br>    runtime     = string<br>    timeout     = string<br>  })</pre> | <pre>{<br>  "memory_size": 1024,<br>  "runtime": "python3.8",<br>  "timeout": 300<br>}</pre> | no |
+| <a name="input_provisioning_framework_archive_hash"></a> [provisioning\_framework\_archive\_hash](#input\_provisioning\_framework\_archive\_hash) | n/a | `string` | n/a | yes |
+| <a name="input_provisioning_framework_archive_path"></a> [provisioning\_framework\_archive\_path](#input\_provisioning\_framework\_archive\_path) | n/a | `string` | n/a | yes |
+| <a name="input_trigger_customizations_sfn_name"></a> [trigger\_customizations\_sfn\_name](#input\_trigger\_customizations\_sfn\_name) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_create_role_function_arn"></a> [create\_role\_function\_arn](#output\_create\_role\_function\_arn) | n/a |
+| <a name="output_get_account_info_function_arn"></a> [get\_account\_info\_function\_arn](#output\_get\_account\_info\_function\_arn) | n/a |
+| <a name="output_persist_metadata_function_arn"></a> [persist\_metadata\_function\_arn](#output\_persist\_metadata\_function\_arn) | n/a |
+| <a name="output_state_machine_arn"></a> [state\_machine\_arn](#output\_state\_machine\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 |
+| <a name="output_tag_account_function_arn"></a> [tag\_account\_function\_arn](#output\_tag\_account\_function\_arn) | n/a |
+| <a name="output_validate_request_function_arn"></a> [validate\_request\_function\_arn](#output\_validate\_request\_function\_arn) | n/a |
diff --git a/modules/aft-account-provisioning-framework/variables.tf b/modules/aft-account-provisioning-framework/variables.tf
index 05f55222..d245cfb8 100644
--- a/modules/aft-account-provisioning-framework/variables.tf
+++ b/modules/aft-account-provisioning-framework/variables.tf
@@ -52,3 +52,16 @@ variable "provisioning_framework_archive_path" {
 variable "provisioning_framework_archive_hash" {
   type = string
 }
+
+variable "lambda_configuration" {
+  type = object({
+    memory_size = string
+    runtime     = string
+    timeout     = string
+  })
+  default = {
+    memory_size = 1024
+    runtime     = "python3.8"
+    timeout     = 300
+  }
+}
diff --git a/modules/aft-account-request-framework/README.md b/modules/aft-account-request-framework/README.md
index 5c740710..82050e66 100644
--- a/modules/aft-account-request-framework/README.md
+++ b/modules/aft-account-request-framework/README.md
@@ -8,7 +8,6 @@ This module deploys the components responsible for processing an account request
 - Triggering Step Functions based on a request payload
 
 ![Request Processor](../../images/account_request.png)
-
 ## Requirements
 
 | Name | Version |
@@ -95,34 +94,6 @@ No modules.
 | [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_region.aft-management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_subnet_ids.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.git-codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.servicecatalog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_vpc_endpoint_service.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.git-codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.servicecatalog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
-| [aws_vpc_endpoint_service.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
 
 ## Inputs
 
@@ -131,10 +102,12 @@ No modules.
 | <a name="input_account_factory_product_name"></a> [account\_factory\_product\_name](#input\_account\_factory\_product\_name) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes |
 | <a name="input_aft_account_provisioning_framework_sfn_name"></a> [aft\_account\_provisioning\_framework\_sfn\_name](#input\_aft\_account\_provisioning\_framework\_sfn\_name) | n/a | `string` | n/a | yes |
 | <a name="input_aft_common_layer_arn"></a> [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_default_sg_id"></a> [aft\_vpc\_default\_sg\_id](#input\_aft\_vpc\_default\_sg\_id) | n/a | `string` | n/a | yes |
 | <a name="input_aft_vpc_id"></a> [aft\_vpc\_id](#input\_aft\_vpc\_id) | n/a | `string` | n/a | yes |
 | <a name="input_aft_vpc_private_subnet_ids"></a> [aft\_vpc\_private\_subnet\_ids](#input\_aft\_vpc\_private\_subnet\_ids) | n/a | `list(string)` | n/a | yes |
 | <a name="input_aft_vpc_public_subnet_ids"></a> [aft\_vpc\_public\_subnet\_ids](#input\_aft\_vpc\_public\_subnet\_ids) | n/a | `list(string)` | n/a | yes |
 | <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes |
+| <a name="input_lambda_configuration"></a> [lambda\_configuration](#input\_lambda\_configuration) | n/a | <pre>object({<br>    memory_size = string<br>    runtime     = string<br>    timeout     = string<br>  })</pre> | <pre>{<br>  "memory_size": 1024,<br>  "runtime": "python3.8",<br>  "timeout": 300<br>}</pre> | no |
 | <a name="input_request_framework_archive_hash"></a> [request\_framework\_archive\_hash](#input\_request\_framework\_archive\_hash) | n/a | `string` | n/a | yes |
 | <a name="input_request_framework_archive_path"></a> [request\_framework\_archive\_path](#input\_request\_framework\_archive\_path) | n/a | `string` | n/a | yes |
 
diff --git a/modules/aft-account-request-framework/backup.tf b/modules/aft-account-request-framework/backup.tf
index af49d09f..1bdd3b06 100644
--- a/modules/aft-account-request-framework/backup.tf
+++ b/modules/aft-account-request-framework/backup.tf
@@ -5,6 +5,7 @@ resource "aws_backup_vault" "aft_controltower_backup_vault" {
   name        = "aft-controltower-backup-vault"
   kms_key_arn = aws_kms_key.aft.arn
 }
+
 resource "aws_backup_plan" "aft_controltower_backup_plan" {
   name = "aft-controltower-backup-plan"
   rule {
diff --git a/modules/aft-account-request-framework/data.tf b/modules/aft-account-request-framework/data.tf
index ba14ed5b..3007b71b 100644
--- a/modules/aft-account-request-framework/data.tf
+++ b/modules/aft-account-request-framework/data.tf
@@ -20,287 +20,3 @@ data "aws_iam_policy" "AWSLambdaVPCAccessExecutionRole" {
 data "aws_availability_zones" "available" {
   state = "available"
 }
-
-######################################
-# VPC Endpoints
-######################################
-
-#### CodeBuild ####
-
-data "aws_vpc_endpoint_service" "codebuild" {
-  service = "codebuild"
-}
-
-data "aws_subnet_ids" "codebuild" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.codebuild.availability_zones
-  }
-}
-
-#### CodeCommit ####
-
-data "aws_vpc_endpoint_service" "codecommit" {
-  service = "codecommit"
-}
-
-data "aws_subnet_ids" "codecommit" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.codecommit.availability_zones
-  }
-}
-
-#### git-codecommit ####
-
-data "aws_vpc_endpoint_service" "git-codecommit" {
-  service = "git-codecommit"
-}
-
-data "aws_subnet_ids" "git-codecommit" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.git-codecommit.availability_zones
-  }
-}
-
-#### codepipeline ####
-
-data "aws_vpc_endpoint_service" "codepipeline" {
-  service = "codepipeline"
-}
-
-data "aws_subnet_ids" "codepipeline" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.codepipeline.availability_zones
-  }
-}
-
-#### servicecatalog ####
-
-data "aws_vpc_endpoint_service" "servicecatalog" {
-  service = "servicecatalog"
-}
-
-data "aws_subnet_ids" "servicecatalog" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.servicecatalog.availability_zones
-  }
-}
-
-#### lambda ####
-
-data "aws_vpc_endpoint_service" "lambda" {
-  service = "lambda"
-}
-
-data "aws_subnet_ids" "lambda" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.lambda.availability_zones
-  }
-}
-
-#### kms ####
-
-data "aws_vpc_endpoint_service" "kms" {
-  service = "kms"
-}
-
-data "aws_subnet_ids" "kms" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.kms.availability_zones
-  }
-}
-
-#### logs ####
-
-data "aws_vpc_endpoint_service" "logs" {
-  service = "logs"
-}
-
-data "aws_subnet_ids" "logs" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.logs.availability_zones
-  }
-}
-
-#### events ####
-
-data "aws_vpc_endpoint_service" "events" {
-  service = "events"
-}
-
-data "aws_subnet_ids" "events" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.events.availability_zones
-  }
-}
-
-#### states ####
-
-data "aws_vpc_endpoint_service" "states" {
-  service = "states"
-}
-
-data "aws_subnet_ids" "states" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.states.availability_zones
-  }
-}
-
-#### ssm ####
-
-data "aws_vpc_endpoint_service" "ssm" {
-  service = "ssm"
-}
-
-data "aws_subnet_ids" "ssm" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.ssm.availability_zones
-  }
-}
-
-#### sns ####
-
-data "aws_vpc_endpoint_service" "sns" {
-  service = "sns"
-}
-
-data "aws_subnet_ids" "sns" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.sns.availability_zones
-  }
-}
-
-#### sqs ####
-
-data "aws_vpc_endpoint_service" "sqs" {
-  service = "sqs"
-}
-
-data "aws_subnet_ids" "sqs" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.sqs.availability_zones
-  }
-}
-
-#### sts ####
-
-data "aws_vpc_endpoint_service" "sts" {
-  service = "sts"
-}
-
-data "aws_subnet_ids" "sts" {
-  vpc_id = var.aft_vpc_id
-
-  filter {
-    name   = "subnet-id"
-    values = var.aft_vpc_private_subnet_ids
-  }
-
-  filter {
-    name   = "availability-zone"
-    values = data.aws_vpc_endpoint_service.sts.availability_zones
-  }
-}
diff --git a/modules/aft-account-request-framework/ddb.tf b/modules/aft-account-request-framework/dynamodb.tf
similarity index 100%
rename from modules/aft-account-request-framework/ddb.tf
rename to modules/aft-account-request-framework/dynamodb.tf
diff --git a/modules/aft-account-request-framework/eventbridge.tf b/modules/aft-account-request-framework/eventbridge.tf
index 9cd8e16d..ebf76155 100644
--- a/modules/aft-account-request-framework/eventbridge.tf
+++ b/modules/aft-account-request-framework/eventbridge.tf
@@ -14,18 +14,27 @@ resource "aws_cloudwatch_event_permission" "control_tower_management_account" {
 
 ######### Control Tower Events - CT Management #########
 resource "aws_cloudwatch_event_rule" "aft_control_tower_events" {
-  provider      = aws.ct_management
-  name          = "aft-capture-ct-events"
-  description   = "Capture ControlTower events"
-  event_pattern = <<EOF
-{
-  "source": ["aws.controltower"],
-  "detail-type": ["AWS Service Event via CloudTrail"],
-  "detail": {
-    "eventName": ["SetupLandingZone", "UpdateLandingZone", "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit", "EnableGuardrail", "DisableGuardrail", "CreateManagedAccount", "UpdateManagedAccount"]
-  }
-}
-EOF
+  provider    = aws.ct_management
+  name        = "aft-capture-ct-events"
+  description = "Capture ControlTower events"
+  event_pattern = jsonencode(
+    {
+      "source" : ["aws.controltower"],
+      "detail-type" : ["AWS Service Event via CloudTrail"],
+      "detail" : {
+        "eventName" : [
+          "SetupLandingZone",
+          "UpdateLandingZone",
+          "RegisterOrganizationalUnit",
+          "DeregisterOrganizationalUnit",
+          "EnableGuardrail",
+          "DisableGuardrail",
+          "CreateManagedAccount",
+          "UpdateManagedAccount"
+        ]
+      }
+    }
+  )
 }
 
 resource "aws_cloudwatch_event_target" "aft_management_event_bus" {
@@ -40,11 +49,11 @@ resource "aws_cloudwatch_event_rule" "aft_controltower_event_trigger" {
   name           = "aft-controltower-event-logger"
   description    = "Send CT Events to Lambda"
   event_bus_name = aws_cloudwatch_event_bus.aft_from_ct_management.name
-  event_pattern  = <<EOF
-{
-  "account": ["${data.aws_caller_identity.ct-management.account_id}"]
-}
-EOF
+  event_pattern = jsonencode(
+    {
+      "account" : [data.aws_caller_identity.ct-management.account_id]
+    }
+  )
 }
 
 resource "aws_cloudwatch_event_target" "aft_controltower_event_logger" {
@@ -53,8 +62,7 @@ resource "aws_cloudwatch_event_target" "aft_controltower_event_logger" {
   event_bus_name = aws_cloudwatch_event_bus.aft_from_ct_management.name
 }
 
-######### AFT invoke AFT Account Provisioning Framework ######### 
-
+######### AFT invoke AFT Account Provisioning Framework #########
 resource "aws_cloudwatch_event_target" "aft_invoke_aft_account_provisioning_framework" {
   rule           = aws_cloudwatch_event_rule.aft_controltower_event_trigger.name
   arn            = aws_lambda_function.aft_invoke_aft_account_provisioning_framework.arn
diff --git a/modules/aft-account-request-framework/lambda.tf b/modules/aft-account-request-framework/lambda.tf
index d32fca5e..070e4ba1 100644
--- a/modules/aft-account-request-framework/lambda.tf
+++ b/modules/aft-account-request-framework/lambda.tf
@@ -1,8 +1,8 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
-######## aft_account_request_audit_trigger ########
 
+######## aft_account_request_audit_trigger ########
 resource "aws_lambda_function" "aft_account_request_audit_trigger" {
 
   filename      = var.request_framework_archive_path
@@ -12,9 +12,9 @@ resource "aws_lambda_function" "aft_account_request_audit_trigger" {
   handler       = "aft_account_request_audit_trigger.lambda_handler"
 
   source_code_hash = var.request_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -44,8 +44,6 @@ resource "aws_cloudwatch_log_group" "aft_account_request_audit_trigger" {
 }
 
 ######## aft_account_request_action_trigger ########
-
-
 resource "aws_lambda_function" "aft_account_request_action_trigger" {
 
   filename      = var.request_framework_archive_path
@@ -55,9 +53,9 @@ resource "aws_lambda_function" "aft_account_request_action_trigger" {
   handler       = "aft_account_request_action_trigger.lambda_handler"
 
   source_code_hash = var.request_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -81,8 +79,6 @@ resource "aws_cloudwatch_log_group" "aft_account_request_action_trigger" {
 }
 
 ######## aft_controltower_event_logger ########
-
-
 resource "aws_lambda_function" "aft_controltower_event_logger" {
 
   filename      = var.request_framework_archive_path
@@ -92,9 +88,9 @@ resource "aws_lambda_function" "aft_controltower_event_logger" {
   handler       = "aft_controltower_event_logger.lambda_handler"
 
   source_code_hash = var.request_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -117,8 +113,6 @@ resource "aws_cloudwatch_log_group" "aft_controltower_event_logger" {
 }
 
 ######## aft_account_request_processor ########
-
-
 resource "aws_lambda_function" "aft_account_request_processor" {
 
   filename      = var.request_framework_archive_path
@@ -128,9 +122,9 @@ resource "aws_lambda_function" "aft_account_request_processor" {
   handler       = "aft_account_request_processor.lambda_handler"
 
   source_code_hash = var.request_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -154,8 +148,6 @@ resource "aws_cloudwatch_log_group" "aft_account_request_processor" {
 }
 
 ######## aft_invoke_aft_account_provisioning_framework ########
-
-
 resource "aws_lambda_function" "aft_invoke_aft_account_provisioning_framework" {
 
   filename      = var.request_framework_archive_path
@@ -165,9 +157,9 @@ resource "aws_lambda_function" "aft_invoke_aft_account_provisioning_framework" {
   handler       = "aft_invoke_aft_account_provisioning_framework.lambda_handler"
 
   source_code_hash = var.request_framework_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
diff --git a/modules/aft-account-request-framework/outputs.tf b/modules/aft-account-request-framework/outputs.tf
index 74c71533..fffe479c 100644
--- a/modules/aft-account-request-framework/outputs.tf
+++ b/modules/aft-account-request-framework/outputs.tf
@@ -44,30 +44,40 @@ output "invoke_aft_account_provisioning_framework_function_arn" {
 output "request_queue_name" {
   value = aws_sqs_queue.aft_account_request.name
 }
+
 output "request_table_name" {
   value = aws_dynamodb_table.aft_request.name
 }
+
 output "request_audit_table_name" {
   value = aws_dynamodb_table.aft_request_audit.name
 }
+
 output "request_metadata_table_name" {
   value = aws_dynamodb_table.aft_request_metadata.name
 }
+
 output "controltower_events_table_name" {
   value = aws_dynamodb_table.aft_controltower_events.name
 }
+
 output "account_factory_product_name" {
   value = var.account_factory_product_name
 }
+
 output "invoke_aft_account_provisioning_framework_lambda_function_name" {
   value = aws_lambda_function.aft_invoke_aft_account_provisioning_framework.function_name
 }
+
 output "aft_account_provisioning_framework_sfn_name" {
   value = var.aft_account_provisioning_framework_sfn_name
 }
+
 output "aft_sns_topic_arn" {
   value = aws_sns_topic.aft_notifications.arn
 }
+
 output "aft_failure_sns_topic_arn" {
   value = aws_sns_topic.aft_failure_notifications.arn
 }
+
diff --git a/modules/aft-account-request-framework/variables.tf b/modules/aft-account-request-framework/variables.tf
index c69606a7..b38581a7 100644
--- a/modules/aft-account-request-framework/variables.tf
+++ b/modules/aft-account-request-framework/variables.tf
@@ -39,4 +39,17 @@ variable "aft_vpc_public_subnet_ids" {
 
 variable "aft_vpc_default_sg_id" {
   type = string
-}
\ No newline at end of file
+}
+
+variable "lambda_configuration" {
+  type = object({
+    memory_size = string
+    runtime     = string
+    timeout     = string
+  })
+  default = {
+    memory_size = 1024
+    runtime     = "python3.8"
+    timeout     = 300
+  }
+}
diff --git a/modules/aft-archives/readme.md b/modules/aft-archives/readme.md
new file mode 100644
index 00000000..f4b73989
--- /dev/null
+++ b/modules/aft-archives/readme.md
@@ -0,0 +1,42 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [archive_file.builder](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [archive_file.customizations](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [archive_file.feature_options](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [archive_file.provisioning_framework](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [archive_file.request_framework](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_builder_archive_hash"></a> [builder\_archive\_hash](#output\_builder\_archive\_hash) | n/a |
+| <a name="output_builder_archive_path"></a> [builder\_archive\_path](#output\_builder\_archive\_path) | n/a |
+| <a name="output_customizations_archive_hash"></a> [customizations\_archive\_hash](#output\_customizations\_archive\_hash) | n/a |
+| <a name="output_customizations_archive_path"></a> [customizations\_archive\_path](#output\_customizations\_archive\_path) | n/a |
+| <a name="output_feature_options_archive_hash"></a> [feature\_options\_archive\_hash](#output\_feature\_options\_archive\_hash) | n/a |
+| <a name="output_feature_options_archive_path"></a> [feature\_options\_archive\_path](#output\_feature\_options\_archive\_path) | n/a |
+| <a name="output_provisioning_framework_archive_hash"></a> [provisioning\_framework\_archive\_hash](#output\_provisioning\_framework\_archive\_hash) | n/a |
+| <a name="output_provisioning_framework_archive_path"></a> [provisioning\_framework\_archive\_path](#output\_provisioning\_framework\_archive\_path) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 |
+| <a name="output_request_framework_archive_hash"></a> [request\_framework\_archive\_hash](#output\_request\_framework\_archive\_hash) | n/a |
+| <a name="output_request_framework_archive_path"></a> [request\_framework\_archive\_path](#output\_request\_framework\_archive\_path) | n/a |
diff --git a/modules/aft-backend/main.tf b/modules/aft-backend/main.tf
index 4829ae81..1241ad4a 100644
--- a/modules/aft-backend/main.tf
+++ b/modules/aft-backend/main.tf
@@ -92,125 +92,124 @@ resource "aws_iam_role" "replication" {
   provider = aws.primary_region
   name     = "aft-s3-terraform-backend-replication"
 
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
+  assume_role_policy = jsonencode(
     {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "s3.amazonaws.com"
-      },
-      "Effect": "Allow"
-    }
-  ]
-}
-POLICY
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Action" : "sts:AssumeRole",
+          "Principal" : {
+            "Service" : "s3.amazonaws.com"
+          },
+          "Effect" : "Allow"
+        }
+      ]
+  })
 }
 
 resource "aws_iam_policy" "replication" {
   provider = aws.primary_region
   name     = "aft-s3-terraform-backend-replication-policy"
 
-  policy = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
         {
-            "Action": [
-                "s3:GetReplicationConfiguration",
-                "s3:ListBucket"
-            ],
-            "Effect": "Allow",
-            "Resource": [
-                "${aws_s3_bucket.primary-backend-bucket.arn}"
-            ]
+          "Action" : [
+            "s3:GetReplicationConfiguration",
+            "s3:ListBucket"
+          ],
+          "Effect" : "Allow",
+          "Resource" : [
+            aws_s3_bucket.primary-backend-bucket.arn
+          ]
         },
         {
-            "Action": [
-                "s3:GetObjectVersionForReplication",
-                "s3:GetObjectVersionAcl",
-                "s3:GetObjectVersionTagging"
-            ],
-            "Effect": "Allow",
-            "Resource": [
-                "${aws_s3_bucket.primary-backend-bucket.arn}/*"
-            ]
+          "Action" : [
+            "s3:GetObjectVersionForReplication",
+            "s3:GetObjectVersionAcl",
+            "s3:GetObjectVersionTagging"
+          ],
+          "Effect" : "Allow",
+          "Resource" : [
+            "${aws_s3_bucket.primary-backend-bucket.arn}/*"
+          ]
         },
         {
-            "Action": [
-                "s3:ReplicateObject",
-                "s3:ReplicateDelete",
-                "s3:ReplicateTags"
-            ],
-            "Effect": "Allow",
-            "Condition": {
-                "StringLikeIfExists": {
-                    "s3:x-amz-server-side-encryption": [
-                        "aws:kms",
-                        "AES256"
-                    ],
-                    "s3:x-amz-server-side-encryption-aws-kms-key-id": [
-                        "${aws_kms_key.encrypt-secondary-region.arn}"
-                    ]
-                }
-            },
-            "Resource": "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
+          "Action" : [
+            "s3:ReplicateObject",
+            "s3:ReplicateDelete",
+            "s3:ReplicateTags"
+          ],
+          "Effect" : "Allow",
+          "Condition" : {
+            "StringLikeIfExists" : {
+              "s3:x-amz-server-side-encryption" : [
+                "aws:kms",
+                "AES256"
+              ],
+              "s3:x-amz-server-side-encryption-aws-kms-key-id" : [
+                aws_kms_key.encrypt-secondary-region.arn
+              ]
+            }
+          },
+          "Resource" : "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
         },
         {
-            "Action": [
-                "kms:Decrypt"
-            ],
-            "Effect": "Allow",
-            "Condition": {
-                "StringLike": {
-                    "kms:ViaService": "s3.${var.primary_region}.amazonaws.com",
-                    "kms:EncryptionContext:aws:s3:arn": [
-                        "${aws_s3_bucket.primary-backend-bucket.arn}/*"
-                    ]
-                }
-            },
-            "Resource": [
-                "${aws_kms_key.encrypt-primary-region.arn}"
-            ]
+          "Action" : [
+            "kms:Decrypt"
+          ],
+          "Effect" : "Allow",
+          "Condition" : {
+            "StringLike" : {
+              "kms:ViaService" : "s3.${var.primary_region}.amazonaws.com",
+              "kms:EncryptionContext:aws:s3:arn" : [
+                "${aws_s3_bucket.primary-backend-bucket.arn}/*"
+              ]
+            }
+          },
+          "Resource" : [
+            aws_kms_key.encrypt-primary-region.arn
+          ]
         },
         {
-            "Action": [
-                "kms:Encrypt"
-            ],
-            "Effect": "Allow",
-            "Condition": {
-                "StringLike": {
-                    "kms:ViaService": "s3.${var.primary_region}.amazonaws.com",
-                    "kms:EncryptionContext:aws:s3:arn": [
-                        "${aws_s3_bucket.primary-backend-bucket.arn}/*"
-                    ]
-                }
-            },
-            "Resource": [
-                "${aws_kms_key.encrypt-primary-region.arn}"
-            ]
+          "Action" : [
+            "kms:Encrypt"
+          ],
+          "Effect" : "Allow",
+          "Condition" : {
+            "StringLike" : {
+              "kms:ViaService" : "s3.${var.primary_region}.amazonaws.com",
+              "kms:EncryptionContext:aws:s3:arn" : [
+                "${aws_s3_bucket.primary-backend-bucket.arn}/*"
+              ]
+            }
+          },
+          "Resource" : [
+            aws_kms_key.encrypt-primary-region.arn
+          ]
         },
         {
-            "Action": [
-                "kms:Encrypt"
-            ],
-            "Effect": "Allow",
-            "Condition": {
-                "StringLike": {
-                    "kms:ViaService": "s3.${var.secondary_region}.amazonaws.com",
-                    "kms:EncryptionContext:aws:s3:arn": [
-                        "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
-                    ]
-                }
-            },
-            "Resource": [
-                "${aws_kms_key.encrypt-secondary-region.arn}"
-            ]
+          "Action" : [
+            "kms:Encrypt"
+          ],
+          "Effect" : "Allow",
+          "Condition" : {
+            "StringLike" : {
+              "kms:ViaService" : "s3.${var.secondary_region}.amazonaws.com",
+              "kms:EncryptionContext:aws:s3:arn" : [
+                "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
+              ]
+            }
+          },
+          "Resource" : [
+            aws_kms_key.encrypt-secondary-region.arn
+          ]
         }
-    ]
-}
-POLICY
+      ]
+    }
+  )
 }
 
 resource "aws_iam_role_policy_attachment" "replication" {
diff --git a/modules/aft-backend/readme.md b/modules/aft-backend/readme.md
new file mode 100644
index 00000000..e1db8a3f
--- /dev/null
+++ b/modules/aft-backend/readme.md
@@ -0,0 +1,50 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws.primary_region"></a> [aws.primary\_region](#provider\_aws.primary\_region) | >= 3.72, < 4.0.0 |
+| <a name="provider_aws.secondary_region"></a> [aws.secondary\_region](#provider\_aws.secondary\_region) | >= 3.72, < 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_dynamodb_table.lock-table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
+| [aws_iam_policy.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_alias.encrypt-alias-primary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_alias.encrypt-alias-secondary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.encrypt-primary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key.encrypt-secondary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.primary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.secondary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.primary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_public_access_block.secondary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_primary_region"></a> [primary\_region](#input\_primary\_region) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes |
+| <a name="input_secondary_region"></a> [secondary\_region](#input\_secondary\_region) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | The name of the primary bucket. |
+| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the primary key. |
+| <a name="output_table_id"></a> [table\_id](#output\_table\_id) | The name of the primary table. |
diff --git a/modules/aft-code-repositories/codepipeline.tf b/modules/aft-code-repositories/codepipeline.tf
index 3638bdb0..c3548479 100644
--- a/modules/aft-code-repositories/codepipeline.tf
+++ b/modules/aft-code-repositories/codepipeline.tf
@@ -71,31 +71,31 @@ resource "aws_cloudwatch_event_rule" "account_request" {
   name        = "aft-account-request-codepipeline-trigger"
   description = "Trigger CodePipeline upon commit"
 
-  event_pattern = <<EOF
-{
-  "source": [
-    "aws.codecommit"
-  ],
-  "detail-type": [
-    "CodeCommit Repository State Change"
-  ],
-  "resources": [
-    "${aws_codecommit_repository.account_request[0].arn}"
-  ],
-  "detail": {
-    "event": [
-      "referenceCreated",
-      "referenceUpdated"
-    ],
-    "referenceType": [
-      "branch"
-    ],
-    "referenceName": [
-      "${var.account_request_repo_branch}"
-    ]
-  }
-}
-EOF
+  event_pattern = jsonencode(
+    {
+      "source" : [
+        "aws.codecommit"
+      ],
+      "detail-type" : [
+        "CodeCommit Repository State Change"
+      ],
+      "resources" : [
+        aws_codecommit_repository.account_request[0].arn
+      ],
+      "detail" : {
+        "event" : [
+          "referenceCreated",
+          "referenceUpdated"
+        ],
+        "referenceType" : [
+          "branch"
+        ],
+        "referenceName" : [
+          var.account_request_repo_branch
+        ]
+      }
+    }
+  )
 }
 
 resource "aws_cloudwatch_event_target" "account_request" {
@@ -308,31 +308,31 @@ resource "aws_cloudwatch_event_rule" "account_provisioning_customizations" {
   name        = "aft-account-provisioning-customizations-trigger"
   description = "Trigger CodePipeline upon commit"
 
-  event_pattern = <<EOF
-{
-  "source": [
-    "aws.codecommit"
-  ],
-  "detail-type": [
-    "CodeCommit Repository State Change"
-  ],
-  "resources": [
-    "${aws_codecommit_repository.account_provisioning_customizations[0].arn}"
-  ],
-  "detail": {
-    "event": [
-      "referenceCreated",
-      "referenceUpdated"
-    ],
-    "referenceType": [
-      "branch"
-    ],
-    "referenceName": [
-      "${var.account_provisioning_customizations_repo_branch}"
-    ]
-  }
-}
-EOF
+  event_pattern = jsonencode(
+    {
+      "source" : [
+        "aws.codecommit"
+      ],
+      "detail-type" : [
+        "CodeCommit Repository State Change"
+      ],
+      "resources" : [
+        aws_codecommit_repository.account_provisioning_customizations[0].arn
+      ],
+      "detail" : {
+        "event" : [
+          "referenceCreated",
+          "referenceUpdated"
+        ],
+        "referenceType" : [
+          "branch"
+        ],
+        "referenceName" : [
+          var.account_provisioning_customizations_repo_branch
+        ]
+      }
+    }
+  )
 }
 
 resource "aws_cloudwatch_event_target" "account_provisioning_customizations" {
diff --git a/modules/aft-code-repositories/readme.md b/modules/aft-code-repositories/readme.md
new file mode 100644
index 00000000..2abb6520
--- /dev/null
+++ b/modules/aft-code-repositories/readme.md
@@ -0,0 +1,91 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72, < 4.0.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_rule.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_log_group.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_codebuild_project.account_provisioning_customizations_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_codebuild_project.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_codecommit_repository.account_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource |
+| [aws_codecommit_repository.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource |
+| [aws_codecommit_repository.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource |
+| [aws_codecommit_repository.global_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource |
+| [aws_codepipeline.codecommit_account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource |
+| [aws_codepipeline.codecommit_account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource |
+| [aws_codepipeline.codestar_account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource |
+| [aws_codepipeline.codestar_account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource |
+| [aws_codestarconnections_connection.bitbucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection) | resource |
+| [aws_codestarconnections_connection.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection) | resource |
+| [aws_codestarconnections_connection.githubenterprise](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection) | resource |
+| [aws_codestarconnections_host.githubenterprise](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_host) | resource |
+| [aws_iam_role.account_provisioning_customizations_codebuild_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.account_provisioning_customizations_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.account_request_codebuild_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.account_request_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.cloudwatch_events_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.account_provisioning_customizations_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.account_provisioning_customizations_codepipeline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.account_request_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.account_request_codepipeline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.cloudwatch_events_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.terraform_oss_backend_account_provisioning_customizations_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.terraform_oss_backend_account_request_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [local_file.account_provisioning_customizations_buildspec](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+| [local_file.account_request_buildspec](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_customizations_repo_branch"></a> [account\_customizations\_repo\_branch](#input\_account\_customizations\_repo\_branch) | n/a | `string` | n/a | yes |
+| <a name="input_account_customizations_repo_name"></a> [account\_customizations\_repo\_name](#input\_account\_customizations\_repo\_name) | n/a | `string` | n/a | yes |
+| <a name="input_account_provisioning_customizations_repo_branch"></a> [account\_provisioning\_customizations\_repo\_branch](#input\_account\_provisioning\_customizations\_repo\_branch) | n/a | `string` | n/a | yes |
+| <a name="input_account_provisioning_customizations_repo_name"></a> [account\_provisioning\_customizations\_repo\_name](#input\_account\_provisioning\_customizations\_repo\_name) | n/a | `string` | n/a | yes |
+| <a name="input_account_request_repo_branch"></a> [account\_request\_repo\_branch](#input\_account\_request\_repo\_branch) | n/a | `string` | n/a | yes |
+| <a name="input_account_request_repo_name"></a> [account\_request\_repo\_name](#input\_account\_request\_repo\_name) | n/a | `string` | n/a | yes |
+| <a name="input_account_request_table_name"></a> [account\_request\_table\_name](#input\_account\_request\_table\_name) | n/a | `string` | n/a | yes |
+| <a name="input_aft_config_backend_bucket_id"></a> [aft\_config\_backend\_bucket\_id](#input\_aft\_config\_backend\_bucket\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_config_backend_kms_key_id"></a> [aft\_config\_backend\_kms\_key\_id](#input\_aft\_config\_backend\_kms\_key\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_config_backend_table_id"></a> [aft\_config\_backend\_table\_id](#input\_aft\_config\_backend\_table\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_key_arn"></a> [aft\_key\_arn](#input\_aft\_key\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_codepipeline_s3_bucket_arn"></a> [codepipeline\_s3\_bucket\_arn](#input\_codepipeline\_s3\_bucket\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_codepipeline_s3_bucket_name"></a> [codepipeline\_s3\_bucket\_name](#input\_codepipeline\_s3\_bucket\_name) | n/a | `string` | n/a | yes |
+| <a name="input_github_enterprise_url"></a> [github\_enterprise\_url](#input\_github\_enterprise\_url) | n/a | `string` | n/a | yes |
+| <a name="input_global_customizations_repo_branch"></a> [global\_customizations\_repo\_branch](#input\_global\_customizations\_repo\_branch) | n/a | `string` | n/a | yes |
+| <a name="input_global_customizations_repo_name"></a> [global\_customizations\_repo\_name](#input\_global\_customizations\_repo\_name) | n/a | `string` | n/a | yes |
+| <a name="input_log_group_retention"></a> [log\_group\_retention](#input\_log\_group\_retention) | n/a | `string` | n/a | yes |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | n/a | `list(string)` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | n/a | `list(string)` | n/a | yes |
+| <a name="input_terraform_distribution"></a> [terraform\_distribution](#input\_terraform\_distribution) | n/a | `string` | n/a | yes |
+| <a name="input_vcs_provider"></a> [vcs\_provider](#input\_vcs\_provider) | n/a | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_codestar_connection_arn"></a> [codestar\_connection\_arn](#output\_codestar\_connection\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 |
diff --git a/modules/aft-customizations/readme.md b/modules/aft-customizations/readme.md
new file mode 100644
index 00000000..c6838d56
--- /dev/null
+++ b/modules/aft-customizations/readme.md
@@ -0,0 +1,113 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72, < 4.0.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.aft_account_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_account_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_create_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_customizations_identify_targets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_customizations_invoke_account_provisioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_execute_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_get_pipeline_executions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_global_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_global_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_codebuild_project.aft_account_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_codebuild_project.aft_account_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_codebuild_project.aft_create_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_codebuild_project.aft_global_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_codebuild_project.aft_global_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_iam_role.aft_codebuild_customizations_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_codepipeline_customizations_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_customizations_execute_pipeline_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_customizations_get_pipeline_executions_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_customizations_identify_targets_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_customizations_invoke_account_provisioning_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_invoke_customizations_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.aft_codebuild_customizations_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_codepipeline_customizations_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_customizations_invoke_account_provisioning_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_execute_pipeline_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_get_pipeline_executions_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_identify_targets_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_invoke_customizations_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.terraform_oss_backend_codebuild_customizations_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.aft_customizations_invoke_account_provisioning_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_execute_pipeline_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_get_pipeline_executions_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_identify_targets_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.aft_customizations_execute_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.aft_customizations_get_pipeline_executions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.aft_customizations_identify_targets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.aft_customizations_invoke_account_provisioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_s3_bucket.aft_codepipeline_customizations_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_sfn_state_machine.aft_invoke_customizations_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource |
+| [aws_caller_identity.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_region.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [local_file.aft_account_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+| [local_file.aft_account_customizations_terraform](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+| [local_file.aft_create_pipeline](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+| [local_file.aft_global_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+| [local_file.aft_global_customizations_terraform](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_request_table_name"></a> [account\_request\_table\_name](#input\_account\_request\_table\_name) | n/a | `string` | n/a | yes |
+| <a name="input_aft_common_layer_arn"></a> [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_config_backend_bucket_id"></a> [aft\_config\_backend\_bucket\_id](#input\_aft\_config\_backend\_bucket\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_config_backend_kms_key_id"></a> [aft\_config\_backend\_kms\_key\_id](#input\_aft\_config\_backend\_kms\_key\_id) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes |
+| <a name="input_aft_config_backend_table_id"></a> [aft\_config\_backend\_table\_id](#input\_aft\_config\_backend\_table\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_failure_sns_topic_arn"></a> [aft\_failure\_sns\_topic\_arn](#input\_aft\_failure\_sns\_topic\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_kms_key_arn"></a> [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_kms_key_id"></a> [aft\_kms\_key\_id](#input\_aft\_kms\_key\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_sns_topic_arn"></a> [aft\_sns\_topic\_arn](#input\_aft\_sns\_topic\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_aws_customizations_module_git_ref_ssm_path"></a> [aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_aws_customizations_module_url_ssm_path"></a> [aft\_tf\_aws\_customizations\_module\_url\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_url\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_backend_region_ssm_path"></a> [aft\_tf\_backend\_region\_ssm\_path](#input\_aft\_tf\_backend\_region\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_ddb_table_ssm_path"></a> [aft\_tf\_ddb\_table\_ssm\_path](#input\_aft\_tf\_ddb\_table\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_kms_key_id_ssm_path"></a> [aft\_tf\_kms\_key\_id\_ssm\_path](#input\_aft\_tf\_kms\_key\_id\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_s3_bucket_ssm_path"></a> [aft\_tf\_s3\_bucket\_ssm\_path](#input\_aft\_tf\_s3\_bucket\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_version_ssm_path"></a> [aft\_tf\_version\_ssm\_path](#input\_aft\_tf\_version\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_default_sg"></a> [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes |
+| <a name="input_aft_vpc_id"></a> [aft\_vpc\_id](#input\_aft\_vpc\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_private_subnets"></a> [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | n/a | `list(string)` | n/a | yes |
+| <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes |
+| <a name="input_customizations_archive_hash"></a> [customizations\_archive\_hash](#input\_customizations\_archive\_hash) | n/a | `string` | n/a | yes |
+| <a name="input_customizations_archive_path"></a> [customizations\_archive\_path](#input\_customizations\_archive\_path) | n/a | `string` | n/a | yes |
+| <a name="input_invoke_account_provisioning_sfn_arn"></a> [invoke\_account\_provisioning\_sfn\_arn](#input\_invoke\_account\_provisioning\_sfn\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_maximum_concurrent_customizations"></a> [maximum\_concurrent\_customizations](#input\_maximum\_concurrent\_customizations) | n/a | `number` | n/a | yes |
+| <a name="input_request_metadata_table_name"></a> [request\_metadata\_table\_name](#input\_request\_metadata\_table\_name) | n/a | `string` | n/a | yes |
+| <a name="input_terraform_distribution"></a> [terraform\_distribution](#input\_terraform\_distribution) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aft_codepipeline_customizations_bucket_arn"></a> [aft\_codepipeline\_customizations\_bucket\_arn](#output\_aft\_codepipeline\_customizations\_bucket\_arn) | n/a |
+| <a name="output_aft_codepipeline_customizations_bucket_name"></a> [aft\_codepipeline\_customizations\_bucket\_name](#output\_aft\_codepipeline\_customizations\_bucket\_name) | n/a |
+| <a name="output_aft_customizations_execute_pipeline_function_arn"></a> [aft\_customizations\_execute\_pipeline\_function\_arn](#output\_aft\_customizations\_execute\_pipeline\_function\_arn) | n/a |
+| <a name="output_aft_customizations_get_pipeline_executions_function_arn"></a> [aft\_customizations\_get\_pipeline\_executions\_function\_arn](#output\_aft\_customizations\_get\_pipeline\_executions\_function\_arn) | n/a |
+| <a name="output_aft_customizations_identify_targets_function_arn"></a> [aft\_customizations\_identify\_targets\_function\_arn](#output\_aft\_customizations\_identify\_targets\_function\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 |
diff --git a/modules/aft-customizations/variables.tf b/modules/aft-customizations/variables.tf
index f9e62e48..b0cacf13 100644
--- a/modules/aft-customizations/variables.tf
+++ b/modules/aft-customizations/variables.tf
@@ -9,18 +9,7 @@ variable "aft_kms_key_id" {
   type = string
 }
 
-
-
 variable "aft_kms_key_arn" {
-
-
-
-
-
-
-
-
-
   type = string
 }
 
diff --git a/modules/aft-feature-options/lambda.tf b/modules/aft-feature-options/lambda.tf
index a4ae63c8..1403e023 100644
--- a/modules/aft-feature-options/lambda.tf
+++ b/modules/aft-feature-options/lambda.tf
@@ -11,9 +11,9 @@ resource "aws_lambda_function" "aft_delete_default_vpc" {
   handler       = "aft_delete_default_vpc.lambda_handler"
 
   source_code_hash = var.feature_options_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -28,7 +28,6 @@ resource "aws_cloudwatch_log_group" "aft_delete_default_vpc" {
   retention_in_days = var.cloudwatch_log_group_retention
 }
 
-
 ######## aft_enroll_support ########
 resource "aws_lambda_function" "aft_enroll_support" {
   provider      = aws.aft_management
@@ -39,9 +38,9 @@ resource "aws_lambda_function" "aft_enroll_support" {
   handler       = "aft_enroll_support.lambda_handler"
 
   source_code_hash = var.feature_options_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
@@ -66,9 +65,9 @@ resource "aws_lambda_function" "aft_enable_cloudtrail" {
   handler       = "aft_enable_cloudtrail.lambda_handler"
 
   source_code_hash = var.feature_options_archive_hash
-  memory_size      = 1024
-  runtime          = "python3.8"
-  timeout          = "300"
+  memory_size      = var.lambda_configuration.memory_size
+  runtime          = var.lambda_configuration.runtime
+  timeout          = var.lambda_configuration.timeout
   layers           = [var.aft_common_layer_arn]
 
   vpc_config {
diff --git a/modules/aft-feature-options/readme.md b/modules/aft-feature-options/readme.md
new file mode 100644
index 00000000..6ad1d538
--- /dev/null
+++ b/modules/aft-feature-options/readme.md
@@ -0,0 +1,89 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws.aft_management"></a> [aws.aft\_management](#provider\_aws.aft\_management) | >= 3.72, < 4.0.0 |
+| <a name="provider_aws.audit"></a> [aws.audit](#provider\_aws.audit) | >= 3.72, < 4.0.0 |
+| <a name="provider_aws.ct_management"></a> [aws.ct\_management](#provider\_aws.ct\_management) | >= 3.72, < 4.0.0 |
+| <a name="provider_aws.log_archive"></a> [aws.log\_archive](#provider\_aws.log\_archive) | >= 3.72, < 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.aft_delete_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.aft_delete_default_vpc_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.aft_features_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.aft_delete_default_vpc_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.aft_features_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.aft_delete_default_vpc_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_alias.aft_log_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.aft_log_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_lambda_function.aft_delete_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_s3_bucket.aft_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.aft_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.aft_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.aft_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_public_access_block.aft_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_sfn_state_machine.aft_features](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource |
+| [aws_caller_identity.ct_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.ct_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.ct_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_organizations_organization.aft_organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aft_common_layer_arn"></a> [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_failure_sns_topic_arn"></a> [aft\_failure\_sns\_topic\_arn](#input\_aft\_failure\_sns\_topic\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_features_sfn_name"></a> [aft\_features\_sfn\_name](#input\_aft\_features\_sfn\_name) | n/a | `string` | n/a | yes |
+| <a name="input_aft_kms_key_arn"></a> [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_sns_topic_arn"></a> [aft\_sns\_topic\_arn](#input\_aft\_sns\_topic\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_default_sg"></a> [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes |
+| <a name="input_aft_vpc_private_subnets"></a> [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `list(string)` | n/a | yes |
+| <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes |
+| <a name="input_feature_options_archive_hash"></a> [feature\_options\_archive\_hash](#input\_feature\_options\_archive\_hash) | n/a | `string` | n/a | yes |
+| <a name="input_feature_options_archive_path"></a> [feature\_options\_archive\_path](#input\_feature\_options\_archive\_path) | n/a | `string` | n/a | yes |
+| <a name="input_lambda_configuration"></a> [lambda\_configuration](#input\_lambda\_configuration) | n/a | <pre>object({<br>    memory_size = string<br>    runtime     = string<br>    timeout     = string<br>  })</pre> | <pre>{<br>  "memory_size": 1024,<br>  "runtime": "python3.8",<br>  "timeout": 300<br>}</pre> | no |
+| <a name="input_log_archive_access_logs_bucket_name"></a> [log\_archive\_access\_logs\_bucket\_name](#input\_log\_archive\_access\_logs\_bucket\_name) | n/a | `string` | n/a | yes |
+| <a name="input_log_archive_account_id"></a> [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | n/a | `string` | n/a | yes |
+| <a name="input_log_archive_bucket_name"></a> [log\_archive\_bucket\_name](#input\_log\_archive\_bucket\_name) | n/a | `string` | n/a | yes |
+| <a name="input_log_archive_bucket_object_expiration_days"></a> [log\_archive\_bucket\_object\_expiration\_days](#input\_log\_archive\_bucket\_object\_expiration\_days) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aws_aft_access_logs_s3_bucket_arn"></a> [aws\_aft\_access\_logs\_s3\_bucket\_arn](#output\_aws\_aft\_access\_logs\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
+| <a name="output_aws_aft_access_logs_s3_bucket_id"></a> [aws\_aft\_access\_logs\_s3\_bucket\_id](#output\_aws\_aft\_access\_logs\_s3\_bucket\_id) | The name of the bucket. |
+| <a name="output_aws_aft_access_logs_s3_bucket_region"></a> [aws\_aft\_access\_logs\_s3\_bucket\_region](#output\_aws\_aft\_access\_logs\_s3\_bucket\_region) | The AWS region this bucket resides in. |
+| <a name="output_aws_aft_log_key_arn"></a> [aws\_aft\_log\_key\_arn](#output\_aws\_aft\_log\_key\_arn) | The ARN of the KMS key used to encrypt contents in the Log bucket |
+| <a name="output_aws_aft_logs_s3_bucket_arn"></a> [aws\_aft\_logs\_s3\_bucket\_arn](#output\_aws\_aft\_logs\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
+| <a name="output_aws_aft_logs_s3_bucket_id"></a> [aws\_aft\_logs\_s3\_bucket\_id](#output\_aws\_aft\_logs\_s3\_bucket\_id) | The name of the bucket. |
+| <a name="output_aws_aft_logs_s3_bucket_region"></a> [aws\_aft\_logs\_s3\_bucket\_region](#output\_aws\_aft\_logs\_s3\_bucket\_region) | The AWS region this bucket resides in. |
diff --git a/modules/aft-feature-options/variables.tf b/modules/aft-feature-options/variables.tf
index 188ad30a..c838db19 100644
--- a/modules/aft-feature-options/variables.tf
+++ b/modules/aft-feature-options/variables.tf
@@ -48,6 +48,7 @@ variable "log_archive_account_id" {
 variable "aft_features_sfn_name" {
   type = string
 }
+
 variable "feature_options_archive_path" {
   type = string
 }
@@ -55,3 +56,16 @@ variable "feature_options_archive_path" {
 variable "feature_options_archive_hash" {
   type = string
 }
+
+variable "lambda_configuration" {
+  type = object({
+    memory_size = string
+    runtime     = string
+    timeout     = string
+  })
+  default = {
+    memory_size = 1024
+    runtime     = "python3.8"
+    timeout     = 300
+  }
+}
diff --git a/modules/aft-iam-roles/readme.md b/modules/aft-iam-roles/readme.md
new file mode 100644
index 00000000..5372c44e
--- /dev/null
+++ b/modules/aft-iam-roles/readme.md
@@ -0,0 +1,43 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws.aft_management"></a> [aws.aft\_management](#provider\_aws.aft\_management) | >= 3.72, < 4.0.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aft_exec_role"></a> [aft\_exec\_role](#module\_aft\_exec\_role) | ./admin-role | n/a |
+| <a name="module_audit_exec_role"></a> [audit\_exec\_role](#module\_audit\_exec\_role) | ./admin-role | n/a |
+| <a name="module_ct_management_exec_role"></a> [ct\_management\_exec\_role](#module\_ct\_management\_exec\_role) | ./admin-role | n/a |
+| <a name="module_log_archive_exec_role"></a> [log\_archive\_exec\_role](#module\_log\_archive\_exec\_role) | ./admin-role | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.aft_admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.aft_admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_caller_identity.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aft_admin_role_arn"></a> [aft\_admin\_role\_arn](#output\_aft\_admin\_role\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 |
+| <a name="output_aft_exec_role_arn"></a> [aft\_exec\_role\_arn](#output\_aft\_exec\_role\_arn) | n/a |
+| <a name="output_audit_exec_role_arn"></a> [audit\_exec\_role\_arn](#output\_audit\_exec\_role\_arn) | n/a |
+| <a name="output_ct_management_exec_role_arn"></a> [ct\_management\_exec\_role\_arn](#output\_ct\_management\_exec\_role\_arn) | n/a |
+| <a name="output_log_archive_exec_role_arn"></a> [log\_archive\_exec\_role\_arn](#output\_log\_archive\_exec\_role\_arn) | n/a |
diff --git a/modules/aft-lambda-layer/lambda.tf b/modules/aft-lambda-layer/lambda.tf
index 9c92d378..44ee74b3 100644
--- a/modules/aft-lambda-layer/lambda.tf
+++ b/modules/aft-lambda-layer/lambda.tf
@@ -21,11 +21,11 @@ resource "aws_lambda_function" "codebuild_invoker" {
 data "aws_lambda_invocation" "invoke_codebuild_job" {
   function_name = aws_lambda_function.codebuild_invoker.function_name
 
-  input = <<JSON
-{
-  "codebuild_project_name": "${aws_codebuild_project.codebuild.name}"
-}
-JSON
+  input = jsonencode(
+    {
+      "codebuild_project_name" : aws_codebuild_project.codebuild.name
+    }
+  )
 }
 
 output "lambda_layer_build_status" {
diff --git a/modules/aft-lambda-layer/outputs.tf b/modules/aft-lambda-layer/outputs.tf
index 1af79401..7edf8275 100644
--- a/modules/aft-lambda-layer/outputs.tf
+++ b/modules/aft-lambda-layer/outputs.tf
@@ -3,4 +3,5 @@
 #
 output "layer_version_arn" {
   value = aws_lambda_layer_version.layer_version.arn
+  description = "the ARN of the lambda layer version"
 }
diff --git a/modules/aft-lambda-layer/readme.md b/modules/aft-lambda-layer/readme.md
index 6ed460d4..93867968 100644
--- a/modules/aft-lambda-layer/readme.md
+++ b/modules/aft-lambda-layer/readme.md
@@ -29,3 +29,67 @@ github_token - Set $TF_VAR_github_token to securely configure this variable with
 # Outputs
 
 layer_version_arn - the ARN of the lambda layer version
+
+###########
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72, < 4.0.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_codebuild_project.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
+| [aws_iam_role.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.codebuild_invoker_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codebuild_invoker_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.codebuild_invoker_VPC_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.codebuild_invoker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_layer_version.layer_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_layer_version) | resource |
+| [random_string.resource_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_caller_identity.session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_lambda_invocation.invoke_codebuild_job](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_invocation) | data source |
+| [local_file.aft_lambda_layer](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aft_kms_key_arn"></a> [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_aws_customizations_module_git_ref_ssm_path"></a> [aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_tf_aws_customizations_module_url_ssm_path"></a> [aft\_tf\_aws\_customizations\_module\_url\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_url\_ssm\_path) | n/a | `string` | n/a | yes |
+| <a name="input_aft_version"></a> [aft\_version](#input\_aft\_version) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_default_sg"></a> [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes |
+| <a name="input_aft_vpc_id"></a> [aft\_vpc\_id](#input\_aft\_vpc\_id) | n/a | `string` | n/a | yes |
+| <a name="input_aft_vpc_private_subnets"></a> [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | n/a | `list(string)` | n/a | yes |
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The region to deploy the layer in | `string` | n/a | yes |
+| <a name="input_builder_archive_hash"></a> [builder\_archive\_hash](#input\_builder\_archive\_hash) | n/a | `string` | n/a | yes |
+| <a name="input_builder_archive_path"></a> [builder\_archive\_path](#input\_builder\_archive\_path) | n/a | `string` | n/a | yes |
+| <a name="input_lambda_layer_codebuild_delay"></a> [lambda\_layer\_codebuild\_delay](#input\_lambda\_layer\_codebuild\_delay) | n/a | `string` | n/a | yes |
+| <a name="input_lambda_layer_name"></a> [lambda\_layer\_name](#input\_lambda\_layer\_name) | The name of the lambda layer | `string` | n/a | yes |
+| <a name="input_lambda_layer_python_version"></a> [lambda\_layer\_python\_version](#input\_lambda\_layer\_python\_version) | Major python version. Defaults to 3.8 | `string` | `"python3.8"` | no |
+| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_lambda_layer_build_status"></a> [lambda\_layer\_build\_status](#output\_lambda\_layer\_build\_status) | n/a |
+| <a name="output_layer_version_arn"></a> [layer\_version\_arn](#output\_layer\_version\_arn) | the ARN of the lambda layer version |
diff --git a/modules/aft-lambda-layer/variables.tf b/modules/aft-lambda-layer/variables.tf
index ed738906..1f0828a4 100644
--- a/modules/aft-lambda-layer/variables.tf
+++ b/modules/aft-lambda-layer/variables.tf
@@ -3,6 +3,7 @@
 #
 variable "lambda_layer_name" {
   type = string
+  description = "The name of the lambda layer"
   validation {
     condition     = can(regex("^[a-zA-Z0-9\\-]+$", var.lambda_layer_name))
     error_message = "Layer name must contain only alphanumeric characters and hyphens."
@@ -19,6 +20,7 @@ variable "aft_tf_aws_customizations_module_git_ref_ssm_path" {
 
 variable "aws_region" {
   type = string
+  description = "The region to deploy the layer in"
 }
 
 variable "lambda_layer_codebuild_delay" {
@@ -27,6 +29,8 @@ variable "lambda_layer_codebuild_delay" {
 
 variable "lambda_layer_python_version" {
   type = string
+  default = "python3.8"
+  description = "Major python version. Defaults to 3.8"
 }
 
 variable "s3_bucket_name" {
@@ -48,6 +52,7 @@ variable "aft_vpc_private_subnets" {
 variable "aft_vpc_default_sg" {
   type = list(string)
 }
+
 variable "aft_version" {
   type = string
 }
diff --git a/modules/aft-ssm-parameters/readme.md b/modules/aft-ssm-parameters/readme.md
new file mode 100644
index 00000000..b400a633
--- /dev/null
+++ b/modules/aft-ssm-parameters/readme.md
@@ -0,0 +1,34 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72, < 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72, < 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name                                                                                                                            | Type     |
+|---------------------------------------------------------------------------------------------------------------------------------|----------|
+| [aws_ssm_parameter.no_secure_string](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.secure_string](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter)    | resource |
+
+## Inputs
+
+| Name                                                                        | Description | Type                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Default | Required |
+|-----------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|:--------:|
+| <a name="input_not_sensitive"></a> [not\_sensitive](#input\_not\_sensitive) | n/a         | <pre>object({<br>    account_customizations_repo_branch                          = string<br>    account_customizations_repo_name                            = string<br>    account_factory_product_name                                = string<br>    account_provisioning_customizations_repo_branch             = string<br>    account_provisioning_customizations_repo_name               = string<br>    account_request_repo_branch                                 = string<br>    account_request_repo_name                                   = string<br>    aft_account_provisioning_framework_sfn_name                 = string<br>    aft_administrator_role_name                                 = string<br>    aft_config_backend_bucket_id                                = string<br>    aft_config_backend_kms_key_id                               = string<br>    aft_config_backend_primary_region                           = string<br>    aft_config_backend_secondary_region                         = string<br>    aft_config_backend_table_id                                 = string<br>    aft_controltower_events_table_name                          = string<br>    aft_customizations_execute_pipeline_function_arn            = string<br>    aft_customizations_get_pipeline_executions_function_arn     = string<br>    aft_customizations_identify_targets_function_arn            = string<br>    aft_execution_role_name                                     = string<br>    aft_failure_sns_topic_arn                                   = string<br>    aft_feature_cloudtrail_data_events                          = string<br>    aft_feature_delete_default_vpcs_enabled                     = string<br>    aft_feature_enterprise_support                              = string<br>    aft_framework_repo_git_ref                                  = string<br>    aft_framework_repo_url                                      = string<br>    aft_invoke_aft_account_provisioning_framework_function_name = string<br>    aft_log_key_arn                                             = string<br>    aft_logging_bucket_arn                                      = string<br>    aft_management_account_id                                   = string<br>    aft_request_audit_table_name                                = string<br>    aft_request_metadata_table_name                             = string<br>    aft_request_queue_name                                      = string<br>    aft_request_table_name                                      = string<br>    aft_session_name                                            = string<br>    aft_sns_topic_arn                                           = string<br>    aft_version                                                 = string<br>    codestar_connection_arn                                     = string<br>    control_tower_event_logger_function_arn                     = string<br>    create_role_function_arn                                    = string<br>    ct_audit_account_id                                         = string<br>    ct_log_archive_account_id                                   = string<br>    ct_management_account_id                                    = string<br>    ct_primary_region                                           = string<br>    get_account_info_function_arn                               = string<br>    github_enterprise_url                                       = string<br>    global_customizations_repo_branch                           = string<br>    global_customizations_repo_name                             = string<br>    invoke_aft_account_provisioning_framework_function_arn      = string<br>    maximum_concurrent_customizations                           = string<br>    persist_metadata_function_arn                               = string<br>    request_action_trigger_function_arn                         = string<br>    request_audit_trigger_function_arn                          = string<br>    request_processor_function_arn                              = string<br>    tag_account_function_arn                                    = string<br>    terraform_api_endpoint                                      = string<br>    terraform_org_name                                          = string<br>    terraform_version                                           = string<br>    tf_distribution                                             = string<br>    tf_version                                                  = string<br>    validate_request_function_arn                               = string<br>    vcs_provider                                                = string<br>  })</pre> | n/a     |   yes    |
+| <a name="input_sensitive"></a> [sensitive](#input\_sensitive)               | n/a         | <pre>object({<br>    terraform_token = string<br>  })</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | n/a     |   yes    |
+
+## Outputs
+
+No outputs.
diff --git a/modules/aft-ssm-parameters/ssm.tf b/modules/aft-ssm-parameters/ssm.tf
index 2fa991b4..fd7fb616 100644
--- a/modules/aft-ssm-parameters/ssm.tf
+++ b/modules/aft-ssm-parameters/ssm.tf
@@ -1,368 +1,268 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
-resource "aws_ssm_parameter" "aft_request_queue_name" {
-  name  = "/aft/resources/sqs/aft-request-queue-name"
-  type  = "String"
-  value = var.aft_request_queue_name
-}
-
-resource "aws_ssm_parameter" "aft_request_table_name" {
-  name  = "/aft/resources/ddb/aft-request-table-name"
-  type  = "String"
-  value = var.aft_request_table_name
-}
-
-resource "aws_ssm_parameter" "aft_request_audit_table_name" {
-  name  = "/aft/resources/ddb/aft-request-audit-table-name"
-  type  = "String"
-  value = var.aft_request_audit_table_name
-}
-
-resource "aws_ssm_parameter" "aft_request_metadata_table_name" {
-  name  = "/aft/resources/ddb/aft-request-metadata-table-name"
-  type  = "String"
-  value = var.aft_request_metadata_table_name
-}
-
-resource "aws_ssm_parameter" "aft_controltower_events_table_name" {
-  name  = "/aft/resources/ddb/aft-controltower-events-table-name"
-  type  = "String"
-  value = var.aft_controltower_events_table_name
-}
-
-resource "aws_ssm_parameter" "aft_account_factory_product_name" {
-  name  = "/aft/resources/sc/account-factory-product-name"
-  type  = "String"
-  value = var.account_factory_product_name
-}
-
-resource "aws_ssm_parameter" "aft_invoke_aft_account_provisioning_framework_lambda_function_name" {
-  name  = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework"
-  type  = "String"
-  value = var.aft_invoke_aft_account_provisioning_framework_function_name
-}
-
-resource "aws_ssm_parameter" "aft_account_provisioning_framework_sfn_name" {
-  name  = "/aft/account/aft-management/sfn/aft-account-provisioning-framework-sfn-name"
-  type  = "String"
-  value = var.aft_account_provisioning_framework_sfn_name
-}
-
-resource "aws_ssm_parameter" "aft_sns_topic_arn" {
-  name  = "/aft/account/aft-management/sns/topic-arn"
-  type  = "String"
-  value = var.aft_sns_topic_arn
-}
-
-resource "aws_ssm_parameter" "aft_failure_sns_topic_arn" {
-  name  = "/aft/account/aft-management/sns/failure-topic-arn"
-  type  = "String"
-  value = var.aft_failure_sns_topic_arn
-}
-
-resource "aws_ssm_parameter" "aft_request_action_trigger_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-request-action-trigger-function-arn"
-  type  = "String"
-  value = var.request_action_trigger_function_arn
-}
-
-resource "aws_ssm_parameter" "request_audit_trigger_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-request-audit-trigger-function-arn"
-  type  = "String"
-  value = var.request_audit_trigger_function_arn
-}
-
-resource "aws_ssm_parameter" "request_processor_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-request-processor-function-arn"
-  type  = "String"
-  value = var.request_processor_function_arn
-}
-
-resource "aws_ssm_parameter" "control_tower_event_logger_function_arn" {
-  name  = "/aft/resources/lambda/aft-controltower-event-logger-function-arn"
-  type  = "String"
-  value = var.control_tower_event_logger_function_arn
-}
-
-resource "aws_ssm_parameter" "invoke_aft_account_provisioning_framework_function_arn" {
-  name  = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework-function-arn"
-  type  = "String"
-  value = var.invoke_aft_account_provisioning_framework_function_arn
-}
-
-resource "aws_ssm_parameter" "validate_request_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-provisioning-framework-validate-request-function-arn"
-  type  = "String"
-  value = var.validate_request_function_arn
-}
-
-resource "aws_ssm_parameter" "get_account_info_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-provisioning-framework-get-account-info-function-arn"
-  type  = "String"
-  value = var.get_account_info_function_arn
-}
-
-resource "aws_ssm_parameter" "create_role_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-provisioning-framework-create-role-function-arn"
-  type  = "String"
-  value = var.create_role_function_arn
-}
-
-resource "aws_ssm_parameter" "tag_account_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-provisioning-framework-tag-account-function-arn"
-  type  = "String"
-  value = var.tag_account_function_arn
-}
-
-resource "aws_ssm_parameter" "persist_metadata_function_arn" {
-  name  = "/aft/resources/lambda/aft-account-provisioning-framework-persist-metadata-function-arn"
-  type  = "String"
-  value = var.persist_metadata_function_arn
-}
-
-resource "aws_ssm_parameter" "aft_customizations_identify_targets_function_arn" {
-  name  = "/aft/resources/lambda/aft-customizations-identify-targets-function-arn"
-  type  = "String"
-  value = var.aft_customizations_identify_targets_function_arn
-}
-
-resource "aws_ssm_parameter" "aft_customizations_execute_pipeline_function_arn" {
-  name  = "/aft/resources/lambda/aft-customizations-execute-pipeline-function-arn"
-  type  = "String"
-  value = var.aft_customizations_execute_pipeline_function_arn
-}
-
-resource "aws_ssm_parameter" "aft_customizations_get_pipeline_executions_function_arn" {
-  name  = "/aft/resources/lambda/aft-customizations-get-pipeline-executions-function-arn"
-  type  = "String"
-  value = var.aft_customizations_get_pipeline_executions_function_arn
-}
-
-resource "aws_ssm_parameter" "vcs_provider" {
-  name  = "/aft/config/vcs/provider"
-  type  = "String"
-  value = var.vcs_provider
-}
-
-resource "aws_ssm_parameter" "ct_management_account_id" {
-  name  = "/aft/account/ct-management/account-id"
-  type  = "String"
-  value = var.ct_management_account_id
-}
-
-resource "aws_ssm_parameter" "ct_log_archive_account_id" {
-  name  = "/aft/account/log-archive/account-id"
-  type  = "String"
-  value = var.ct_log_archive_account_id
-}
-
-resource "aws_ssm_parameter" "ct_audit_account_id" {
-  name  = "/aft/account/audit/account-id"
-  type  = "String"
-  value = var.ct_audit_account_id
-}
-
-resource "aws_ssm_parameter" "aft_management_account_id" {
-  name  = "/aft/account/aft-management/account-id"
-  type  = "String"
-  value = var.aft_management_account_id
-}
-
-resource "aws_ssm_parameter" "ct_primary_region" {
-  name  = "/aft/config/ct-management-region"
-  type  = "String"
-  value = var.ct_primary_region
-}
-
-resource "aws_ssm_parameter" "aft_version" {
-  name  = "/aft/config/aft/version"
-  type  = "String"
-  value = var.aft_version
-}
-
-resource "aws_ssm_parameter" "tf_version" {
-  name  = "/aft/config/terraform/version"
-  type  = "String"
-  value = var.tf_version
-}
-
-resource "aws_ssm_parameter" "tf_distribution" {
-  name  = "/aft/config/terraform/distribution"
-  type  = "String"
-  value = var.tf_distribution
-}
-
-resource "aws_ssm_parameter" "terraform_api_endpoint" {
-  name  = "/aft/config/terraform/api-endpoint"
-  type  = "String"
-  value = var.terraform_api_endpoint
-}
-
-resource "aws_ssm_parameter" "terraform_token" {
-  name  = "/aft/config/terraform/token"
+locals {
+  ssm_vars_not_sensitive_strings = [
+    {
+      name  = "/aft/account/aft-management/account-id",
+      value = var.not_sensitive.aft_management_account_id
+    },
+    {
+      name  = "/aft/account/aft-management/sfn/aft-account-provisioning-framework-sfn-name",
+      value = var.not_sensitive.aft_account_provisioning_framework_sfn_name
+    },
+    {
+      name  = "/aft/account/aft-management/sns/failure-topic-arn",
+      value = var.not_sensitive.aft_failure_sns_topic_arn
+    },
+    {
+      name  = "/aft/account/aft-management/sns/topic-arn",
+      value = var.not_sensitive.aft_sns_topic_arn
+    },
+    {
+      name  = "/aft/account/audit/account-id",
+      value = var.not_sensitive.ct_audit_account_id
+    },
+    {
+      name  = "/aft/account/ct-management/account-id",
+      value = var.not_sensitive.ct_management_account_id
+    },
+    {
+      name  = "/aft/account/log-archive/account-id",
+      value = var.not_sensitive.ct_log_archive_account_id
+    },
+    {
+      name  = "/aft/account/log-archive/kms_key_arn",
+      value = var.not_sensitive.aft_log_key_arn
+    },
+    {
+      name  = "/aft/account/log-archive/log_bucket_arn",
+      value = var.not_sensitive.aft_logging_bucket_arn
+    },
+    {
+      name  = "/aft/config/account-customizations/repo-branch",
+      value = var.not_sensitive.account_customizations_repo_branch
+    },
+    {
+      name  = "/aft/config/account-customizations/repo-name",
+      value = var.not_sensitive.account_customizations_repo_name
+    },
+    {
+      name  = "/aft/config/account-provisioning-customizations/repo-branch",
+      value = var.not_sensitive.account_provisioning_customizations_repo_branch
+    },
+    {
+      name  = "/aft/config/account-provisioning-customizations/repo-name",
+      value = var.not_sensitive.account_provisioning_customizations_repo_name
+    },
+    {
+      name  = "/aft/config/account-request/repo-branch",
+      value = var.not_sensitive.account_request_repo_branch
+    },
+    {
+      name  = "/aft/config/account-request/repo-name",
+      value = var.not_sensitive.account_request_repo_name
+    },
+    {
+      name  = "/aft/config/aft-pipeline-code-source/repo-git-ref",
+      value = var.not_sensitive.aft_framework_repo_git_ref
+    },
+    {
+      name  = "/aft/config/aft-pipeline-code-source/repo-url",
+      value = var.not_sensitive.aft_framework_repo_url
+    },
+    {
+      name  = "/aft/config/aft/version",
+      value = var.not_sensitive.aft_version
+    },
+    {
+      name  = "/aft/config/ct-management-region",
+      value = var.not_sensitive.ct_primary_region
+    },
+    {
+      name  = "/aft/config/customizations/maximum_concurrent_customizations",
+      value = var.not_sensitive.maximum_concurrent_customizations
+    },
+    {
+      name  = "/aft/config/feature/cloudtrail-data-events-enabled",
+      value = var.not_sensitive.aft_feature_cloudtrail_data_events
+    },
+    {
+      name  = "/aft/config/feature/delete-default-vpcs-enabled",
+      value = var.not_sensitive.aft_feature_delete_default_vpcs_enabled
+    },
+    {
+      name  = "/aft/config/feature/enterprise-support-enabled",
+      value = var.not_sensitive.aft_feature_enterprise_support
+    },
+    {
+      name  = "/aft/config/global-customizations/repo-branch",
+      value = var.not_sensitive.global_customizations_repo_branch
+    },
+    {
+      name  = "/aft/config/global-customizations/repo-name",
+      value = var.not_sensitive.global_customizations_repo_name
+    },
+    {
+      name  = "/aft/config/oss-backend/bucket-id",
+      value = var.not_sensitive.aft_config_backend_bucket_id
+    },
+    {
+      name  = "/aft/config/oss-backend/kms-key-id",
+      value = var.not_sensitive.aft_config_backend_kms_key_id
+    },
+    {
+      name  = "/aft/config/oss-backend/primary-region",
+      value = var.not_sensitive.aft_config_backend_primary_region
+    },
+    {
+      name  = "/aft/config/oss-backend/secondary-region",
+      value = var.not_sensitive.aft_config_backend_secondary_region
+    },
+    {
+      name  = "/aft/config/oss-backend/table-id",
+      value = var.not_sensitive.aft_config_backend_table_id
+    },
+    {
+      name  = "/aft/config/terraform/api-endpoint",
+      value = var.not_sensitive.terraform_api_endpoint
+    },
+    {
+      name  = "/aft/config/terraform/distribution",
+      value = var.not_sensitive.tf_distribution
+    },
+    {
+      name  = "/aft/config/terraform/org-name",
+      value = var.not_sensitive.terraform_org_name
+    },
+    {
+      name  = "/aft/config/terraform/version",
+      value = var.not_sensitive.tf_version
+    },
+    {
+      name  = "/aft/config/vcs/codestar-connection-arn",
+      value = var.not_sensitive.codestar_connection_arn
+    },
+    {
+      name  = "/aft/config/vcs/github-enterprise-url",
+      value = var.not_sensitive.github_enterprise_url
+    },
+    {
+      name  = "/aft/config/vcs/provider",
+      value = var.not_sensitive.vcs_provider
+    },
+    {
+      name  = "/aft/resources/ddb/aft-controltower-events-table-name",
+      value = var.not_sensitive.aft_controltower_events_table_name
+    },
+    {
+      name  = "/aft/resources/ddb/aft-request-audit-table-name",
+      value = var.not_sensitive.aft_request_audit_table_name
+    },
+    {
+      name  = "/aft/resources/ddb/aft-request-metadata-table-name",
+      value = var.not_sensitive.aft_request_metadata_table_name
+    },
+    {
+      name  = "/aft/resources/ddb/aft-request-table-name",
+      value = var.not_sensitive.aft_request_table_name
+    },
+    {
+      name  = "/aft/resources/iam/aft-administrator-role-name",
+      value = var.not_sensitive.aft_administrator_role_name
+    },
+    {
+      name  = "/aft/resources/iam/aft-execution-role-name",
+      value = var.not_sensitive.aft_execution_role_name
+    },
+    {
+      name  = "/aft/resources/iam/aft-session-name",
+      value = var.not_sensitive.aft_session_name
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-provisioning-framework-create-role-function-arn",
+      value = var.not_sensitive.create_role_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-provisioning-framework-get-account-info-function-arn",
+      value = var.not_sensitive.get_account_info_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-provisioning-framework-persist-metadata-function-arn",
+      value = var.not_sensitive.persist_metadata_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-provisioning-framework-tag-account-function-arn",
+      value = var.not_sensitive.tag_account_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-provisioning-framework-validate-request-function-arn",
+      value = var.not_sensitive.validate_request_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-request-action-trigger-function-arn",
+      value = var.not_sensitive.request_action_trigger_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-request-audit-trigger-function-arn",
+      value = var.not_sensitive.request_audit_trigger_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-account-request-processor-function-arn",
+      value = var.not_sensitive.request_processor_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-controltower-event-logger-function-arn",
+      value = var.not_sensitive.control_tower_event_logger_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-customizations-execute-pipeline-function-arn",
+      value = var.not_sensitive.aft_customizations_execute_pipeline_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-customizations-get-pipeline-executions-function-arn",
+      value = var.not_sensitive.aft_customizations_get_pipeline_executions_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-customizations-identify-targets-function-arn",
+      value = var.not_sensitive.aft_customizations_identify_targets_function_arn
+    },
+    {
+      name  = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework",
+      value = var.not_sensitive.aft_invoke_aft_account_provisioning_framework_function_name
+    },
+    {
+      name  = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework-function-arn",
+      value = var.not_sensitive.invoke_aft_account_provisioning_framework_function_arn
+    },
+    {
+      name  = "/aft/resources/sc/account-factory-product-name",
+      value = var.not_sensitive.account_factory_product_name
+    },
+    {
+      name  = "/aft/resources/sqs/aft-request-queue-name",
+      value = var.not_sensitive.aft_request_queue_name
+    }
+  ]
+  ssm_vars_sensitive_strings = [
+    {
+      name  = "/aft/config/terraform/token",
+      value = var.sensitive.terraform_token
+    }
+  ]
+}
+
+resource "aws_ssm_parameter" "no_secure_string" {
+  count = length(local.ssm_vars_not_sensitive_strings)
+  name  = local.ssm_vars_not_sensitive_strings[count.index]["name"]
+  value = local.ssm_vars_not_sensitive_strings[count.index]["value"]
   type  = "SecureString"
-  value = var.terraform_token
-}
-
-resource "aws_ssm_parameter" "terraform_org_name" {
-  name  = "/aft/config/terraform/org-name"
-  type  = "String"
-  value = var.terraform_org_name
-}
-
-resource "aws_ssm_parameter" "aft_execution_role_name" {
-  name  = "/aft/resources/iam/aft-execution-role-name"
-  type  = "String"
-  value = var.aft_execution_role_name
-}
-
-resource "aws_ssm_parameter" "aft_administrator_role_name" {
-  name  = "/aft/resources/iam/aft-administrator-role-name"
-  type  = "String"
-  value = var.aft_administrator_role_name
-}
-
-resource "aws_ssm_parameter" "aft_session_name" {
-  name  = "/aft/resources/iam/aft-session-name"
-  type  = "String"
-  value = var.aft_session_name
 }
 
-resource "aws_ssm_parameter" "aft_config_backend_bucket_id" {
-  name  = "/aft/config/oss-backend/bucket-id"
-  type  = "String"
-  value = var.aft_config_backend_bucket_id
-}
-
-resource "aws_ssm_parameter" "aft_config_backend_primary_region" {
-  name  = "/aft/config/oss-backend/primary-region"
-  type  = "String"
-  value = var.aft_config_backend_primary_region
-}
-
-resource "aws_ssm_parameter" "aft_config_backend_secondary_region" {
-  name  = "/aft/config/oss-backend/secondary-region"
-  type  = "String"
-  value = var.aft_config_backend_secondary_region
-}
-
-resource "aws_ssm_parameter" "aft_config_backend_kms_key_id" {
-  name  = "/aft/config/oss-backend/kms-key-id"
-  type  = "String"
-  value = var.aft_config_backend_kms_key_id
-}
-
-resource "aws_ssm_parameter" "aft_config_backend_table_id" {
-  name  = "/aft/config/oss-backend/table-id"
-  type  = "String"
-  value = var.aft_config_backend_table_id
-}
-
-resource "aws_ssm_parameter" "aft_framework_repo_url" {
-  name  = "/aft/config/aft-pipeline-code-source/repo-url"
-  type  = "String"
-  value = var.aft_framework_repo_url
-}
-
-resource "aws_ssm_parameter" "aft_framework_repo_git_ref" {
-  name  = "/aft/config/aft-pipeline-code-source/repo-git-ref"
-  type  = "String"
-  value = var.aft_framework_repo_git_ref
-}
-
-resource "aws_ssm_parameter" "aft_feature_cloudtrail_data_events" {
-  name  = "/aft/config/feature/cloudtrail-data-events-enabled"
-  type  = "String"
-  value = var.aft_feature_cloudtrail_data_events
-}
 
-resource "aws_ssm_parameter" "aft_feature_enterprise_support" {
-  name  = "/aft/config/feature/enterprise-support-enabled"
-  type  = "String"
-  value = var.aft_feature_enterprise_support
-}
-
-resource "aws_ssm_parameter" "aft_feature_delete_default_vpcs_enabled" {
-  name  = "/aft/config/feature/delete-default-vpcs-enabled"
-  type  = "String"
-  value = var.aft_feature_delete_default_vpcs_enabled
-}
-
-resource "aws_ssm_parameter" "account_request_repo_name" {
-  name  = "/aft/config/account-request/repo-name"
-  type  = "String"
-  value = var.account_request_repo_name
-}
-
-resource "aws_ssm_parameter" "account_request_repo_branch" {
-  name  = "/aft/config/account-request/repo-branch"
-  type  = "String"
-  value = var.account_request_repo_branch
-}
-
-resource "aws_ssm_parameter" "global_customizations_repo_name" {
-  name  = "/aft/config/global-customizations/repo-name"
-  type  = "String"
-  value = var.global_customizations_repo_name
-}
-
-resource "aws_ssm_parameter" "global_customizations_repo_branch" {
-  name  = "/aft/config/global-customizations/repo-branch"
-  type  = "String"
-  value = var.global_customizations_repo_branch
-}
-
-resource "aws_ssm_parameter" "account_customizations_repo_name" {
-  name  = "/aft/config/account-customizations/repo-name"
-  type  = "String"
-  value = var.account_customizations_repo_name
-}
-
-resource "aws_ssm_parameter" "account_customizations_repo_branch" {
-  name  = "/aft/config/account-customizations/repo-branch"
-  type  = "String"
-  value = var.account_customizations_repo_branch
-}
-
-resource "aws_ssm_parameter" "account_provisioning_customizations_repo_name" {
-  name  = "/aft/config/account-provisioning-customizations/repo-name"
-  type  = "String"
-  value = var.account_provisioning_customizations_repo_name
-}
-
-resource "aws_ssm_parameter" "account_provisioning_customizations_repo_branch" {
-  name  = "/aft/config/account-provisioning-customizations/repo-branch"
-  type  = "String"
-  value = var.account_provisioning_customizations_repo_branch
-}
-
-resource "aws_ssm_parameter" "codestar_connection_arn" {
-  name  = "/aft/config/vcs/codestar-connection-arn"
-  type  = "String"
-  value = var.codestar_connection_arn
-}
-
-resource "aws_ssm_parameter" "github_enterprise_url" {
-  name  = "/aft/config/vcs/github-enterprise-url"
-  type  = "String"
-  value = var.github_enterprise_url
-}
-
-resource "aws_ssm_parameter" "aft_logging_bucket_arn" {
-  name  = "/aft/account/log-archive/log_bucket_arn"
-  type  = "String"
-  value = var.aft_logging_bucket_arn
-}
-
-resource "aws_ssm_parameter" "aft_log_key_arn" {
-  name  = "/aft/account/log-archive/kms_key_arn"
-  type  = "String"
-  value = var.aft_log_key_arn
-}
-
-resource "aws_ssm_parameter" "aft_maximum_concurrent_customizations" {
-  name  = "/aft/config/customizations/maximum_concurrent_customizations"
-  value = var.maximum_concurrent_customizations
-  type  = "String"
+resource "aws_ssm_parameter" "secure_string" {
+  count = length(local.ssm_vars_sensitive_strings)
+  name  = local.ssm_vars_sensitive_strings[count.index]["name"]
+  value = local.ssm_vars_sensitive_strings[count.index]["value"]
+  type  = "SecureString"
 }
diff --git a/modules/aft-ssm-parameters/variables.tf b/modules/aft-ssm-parameters/variables.tf
index 8782b76a..0ae7a039 100644
--- a/modules/aft-ssm-parameters/variables.tf
+++ b/modules/aft-ssm-parameters/variables.tf
@@ -1,251 +1,94 @@
 # Copyright Amazon.com, Inc. or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
-variable "aft_request_queue_name" {
-  type = string
-}
-
-variable "aft_request_table_name" {
-  type = string
-}
-
-variable "aft_request_audit_table_name" {
-  type = string
-}
-
-variable "aft_request_metadata_table_name" {
-  type = string
-}
-
-variable "aft_controltower_events_table_name" {
-  type = string
-}
-
-variable "account_factory_product_name" {
-  type = string
-}
-
-variable "aft_invoke_aft_account_provisioning_framework_function_name" {
-  type = string
-}
-
-variable "aft_account_provisioning_framework_sfn_name" {
-  type = string
-}
-
-variable "aft_sns_topic_arn" {
-  type = string
-}
-
-variable "aft_failure_sns_topic_arn" {
-  type = string
-}
-
-variable "request_action_trigger_function_arn" {
-  type = string
-}
-
-variable "request_audit_trigger_function_arn" {
-  type = string
-}
-
-variable "request_processor_function_arn" {
-  type = string
-}
-
-variable "control_tower_event_logger_function_arn" {
-  type = string
-}
-
-variable "invoke_aft_account_provisioning_framework_function_arn" {
-  type = string
-}
-
-variable "validate_request_function_arn" {
-  type = string
-}
-
-variable "get_account_info_function_arn" {
-  type = string
-}
-
-variable "create_role_function_arn" {
-  type = string
-}
-
-variable "tag_account_function_arn" {
-  type = string
-}
-
-variable "persist_metadata_function_arn" {
-  type = string
-}
-
-variable "aft_customizations_identify_targets_function_arn" {
-  type = string
-}
-
-variable "aft_customizations_execute_pipeline_function_arn" {
-  type = string
-}
-
-variable "aft_customizations_get_pipeline_executions_function_arn" {
-  type = string
-}
-
-variable "vcs_provider" {
-  type = string
-}
-
-variable "ct_management_account_id" {
-  type = string
-}
-
-variable "ct_log_archive_account_id" {
-  type = string
-}
-
-variable "ct_audit_account_id" {
-  type = string
-}
-
-variable "aft_management_account_id" {
-  type = string
-}
-
-variable "ct_primary_region" {
-  type = string
-}
-
-variable "tf_version" {
-  type = string
-}
-
-variable "tf_distribution" {
-  type = string
-}
-
-variable "terraform_api_endpoint" {
-  type = string
-}
-
-variable "terraform_token" {
-  type      = string
-  sensitive = true
-}
-
-variable "account_request_repo_name" {
-  type = string
-}
-
-variable "account_request_repo_branch" {
-  type = string
-}
-
-variable "account_provisioning_customizations_repo_name" {
-  type = string
-}
-
-variable "account_provisioning_customizations_repo_branch" {
-  type = string
-}
-
-variable "terraform_org_name" {
-  type = string
-}
 
-variable "aft_execution_role_name" {
-  type = string
+variable "not_sensitive" {
+  type = object({
+    account_customizations_repo_branch                          = string
+    account_customizations_repo_name                            = string
+    account_factory_product_name                                = string
+    account_provisioning_customizations_repo_branch             = string
+    account_provisioning_customizations_repo_name               = string
+    account_request_repo_branch                                 = string
+    account_request_repo_name                                   = string
+    aft_account_provisioning_framework_sfn_name                 = string
+    aft_administrator_role_name                                 = string
+    aft_config_backend_bucket_id                                = string
+    aft_config_backend_kms_key_id                               = string
+    aft_config_backend_primary_region                           = string
+    aft_config_backend_secondary_region                         = string
+    aft_config_backend_table_id                                 = string
+    aft_controltower_events_table_name                          = string
+    aft_customizations_execute_pipeline_function_arn            = string
+    aft_customizations_get_pipeline_executions_function_arn     = string
+    aft_customizations_identify_targets_function_arn            = string
+    aft_execution_role_name                                     = string
+    aft_failure_sns_topic_arn                                   = string
+    aft_feature_cloudtrail_data_events                          = string
+    aft_feature_delete_default_vpcs_enabled                     = string
+    aft_feature_enterprise_support                              = string
+    aft_framework_repo_git_ref                                  = string
+    aft_framework_repo_url                                      = string
+    aft_invoke_aft_account_provisioning_framework_function_name = string
+    aft_log_key_arn                                             = string
+    aft_logging_bucket_arn                                      = string
+    aft_management_account_id                                   = string
+    aft_request_audit_table_name                                = string
+    aft_request_metadata_table_name                             = string
+    aft_request_queue_name                                      = string
+    aft_request_table_name                                      = string
+    aft_session_name                                            = string
+    aft_sns_topic_arn                                           = string
+    aft_version                                                 = string
+    codestar_connection_arn                                     = string
+    control_tower_event_logger_function_arn                     = string
+    create_role_function_arn                                    = string
+    ct_audit_account_id                                         = string
+    ct_log_archive_account_id                                   = string
+    ct_management_account_id                                    = string
+    ct_primary_region                                           = string
+    get_account_info_function_arn                               = string
+    github_enterprise_url                                       = string
+    global_customizations_repo_branch                           = string
+    global_customizations_repo_name                             = string
+    invoke_aft_account_provisioning_framework_function_arn      = string
+    maximum_concurrent_customizations                           = string
+    persist_metadata_function_arn                               = string
+    request_action_trigger_function_arn                         = string
+    request_audit_trigger_function_arn                          = string
+    request_processor_function_arn                              = string
+    tag_account_function_arn                                    = string
+    terraform_api_endpoint                                      = string
+    terraform_org_name                                          = string
+    terraform_version                                           = string
+    tf_distribution                                             = string
+    tf_version                                                  = string
+    validate_request_function_arn                               = string
+    vcs_provider                                                = string
+  })
 }
 
-variable "aft_administrator_role_name" {
-  type = string
-}
 
-variable "aft_session_name" {
-  type = string
-}
+variable "sensitive" {
+  type = object({
+    terraform_token = string
+  })
 
-variable "aft_config_backend_bucket_id" {
-  type = string
 }
 
-variable "aft_config_backend_primary_region" {
-  type = string
-}
 
-variable "aft_config_backend_secondary_region" {
-  type = string
-}
 
-variable "aft_config_backend_kms_key_id" {
-  type = string
-}
 
-variable "aft_config_backend_table_id" {
-  type = string
-}
 
-variable "aft_framework_repo_url" {
-  type = string
-}
 
-variable "aft_framework_repo_git_ref" {
-  type = string
-}
 
-variable "terraform_version" {
-  type = string
-}
 
-variable "aft_feature_cloudtrail_data_events" {
-  type = string
-}
 
-variable "aft_feature_enterprise_support" {
-  type = string
-}
 
-variable "aft_feature_delete_default_vpcs_enabled" {
-  type = string
-}
 
-variable "global_customizations_repo_name" {
-  type = string
-}
 
-variable "global_customizations_repo_branch" {
-  type = string
-}
-
-variable "account_customizations_repo_name" {
-  type = string
-}
-
-variable "account_customizations_repo_branch" {
-  type = string
-}
-
-variable "codestar_connection_arn" {
-  type = string
-}
 
-variable "github_enterprise_url" {
-  type = string
-}
 
-variable "aft_logging_bucket_arn" {
-  type = string
-}
 
-variable "aft_log_key_arn" {
-  type = string
-}
 
-variable "maximum_concurrent_customizations" {
-  type = number
-}
 
-variable "aft_version" {
-  type = string
-}