diff --git a/ami_shared.tf b/ami_shared.tf
new file mode 100644
index 0000000..75762a5
--- /dev/null
+++ b/ami_shared.tf
@@ -0,0 +1,35 @@
+
+#---
+# setup policy for cloudforms to access kms in remote ami
+#---
+# "AliasName": "alias/k-kms-csvd-img-shared-key",
+# these are not pulled with data as they require a diff account/profile to do so
+# move this out into some settings file
+locals {
+ ami_kms_keys = [
+ "arn:aws-us-gov:kms:us-gov-west-1:107742151971:key/6b0f5037-a500-41f8-b13b-c57f0de9332f",
+ "arn:aws-us-gov:kms:us-gov-east-1:107742151971:key/7928e94e-b28e-4863-99aa-ef0ce193c634"
+ ]
+}
+
+data "aws_iam_policy_document" "ami" {
+ # for access to remote AMI key
+ statement {
+ sid = "AWSCloudformsAMIKeyAccess"
+ effect = "Allow"
+ resources = local.ami_kms_keys
+ actions = [
+ "kms:DescribeKey",
+ "kms:ReEncrypt*",
+ "kms:CreateGrant",
+ "kms:Decrypt",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "ami" {
+ name = "build-user-shared-ami"
+ path = "/"
+ description = "Policy for Access shared AMIs in Image Pipeline"
+ policy = data.aws_iam_policy_document.ami.json
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index c8c28f1..7d336e4 100644
--- a/main.tf
+++ b/main.tf
@@ -102,3 +102,5 @@ resource "aws_vpc_security_group_ingress_rule" "allow_all_between_self" {
 ip_protocol = "-1"
 referenced_security_group_id = aws_security_group.allow_amznlinux_cdn.id
 }
+
+
diff --git a/morpheus.tf b/morpheus.tf
index c406505..2545311 100644
--- a/morpheus.tf
+++ b/morpheus.tf
@@ -43,3 +43,12 @@ module "morpheus" {
 instance_type = "m5.xlarge" # x86_64 compatible instance type
 }
 }
+
+
+
+resource "aws_iam_user_policy" "morpheus_build_user" {
+ // Attach a policy to the build user
+ name = "morpheus-build-user"
+ user = module.morpheus.user.name
+ policy = data.aws_iam_policy_document.ami.json
+}
\ No newline at end of file
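Review bot: `kms:CreateGrant` is granted to the build user unconditionally in the `AWSCloudformsAMIKeyAccess` statement of `data "aws_iam_policy_document" "ami"`, which lets the principal itself mint grants on the two shared keys rather than only letting EC2 do so while attaching encrypted volumes. The usual pattern for consuming encrypted shared AMIs is to keep `DescribeKey`/`ReEncrypt*`/`Decrypt` as they are and move `CreateGrant` into its own statement with a `kms:GrantIsForAWSResource` condition, as sketched below. Note also that an IAM policy in this account only covers half of the cross-account path; the key policy in the owning account (the 107742151971 ARNs in `local.ami_kms_keys`) presumably still has to allow this principal, which the comment about the "diff account/profile" hints at but nothing here records, so a short comment naming that prerequisite next to `locals` would help the next operator. The comment text "move this out into some settings file" is a good TODO but reads better as `# TODO: move these key ARNs into a variables/settings file`.
```hcl
data "aws_iam_policy_document" "ami" {
  # … unchanged: first statement, with "kms:CreateGrant" removed from its actions …

  # Grants on the shared keys may only be created on behalf of an AWS service
  # (EC2 using the key for the instance's encrypted volume), never directly by
  # the build user.
  statement {
    sid       = "AWSCloudformsAMIKeyGrant"
    effect    = "Allow"
    resources = local.ami_kms_keys
    actions   = ["kms:CreateGrant"]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}
```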
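Review bot: `aws_iam_user_policy.morpheus_build_user` embeds `data.aws_iam_policy_document.ami.json` as an inline policy while the same document is also materialised as the managed policy `aws_iam_policy.ami` in ami_shared.tf, so the same permissions now exist in two places that can drift independently. Unless the managed policy is attached elsewhere (not visible in this diff), the cleaner shape is an `aws_iam_user_policy_attachment` with `user = module.morpheus.user.name` and `policy_arn = aws_iam_policy.ami.arn`, which keeps a single reviewable policy object. As a style point, the comment uses `//` whereas the surrounding Terraform files use `#`; `# Attach the shared-AMI KMS policy to the build user` would match and also say which policy is attached.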