diff --git a/default.auto.tfvars b/default.auto.tfvars
index f90b566..4770c59 100644
--- a/default.auto.tfvars
+++ b/default.auto.tfvars
@@ -33,3 +33,7 @@ desired_count = 1
 # Monitoring Configuration
 alert_email = "david.j.arnold.jr@census.gov"
+
+# Enable Lambda token refresh to prevent runner recovery deadlocks
+# Runs every 30 minutes to keep Secrets Manager token fresh (tokens expire in 1 hour)
+enable_lambda_token_refresh = true
diff --git a/lambda_token_refresh.tf b/lambda_token_refresh.tf
index a6ddcd8..ed1d4cb 100644
--- a/lambda_token_refresh.tf
+++ b/lambda_token_refresh.tf
@@ -168,6 +168,16 @@ resource "aws_iam_role_policy" "lambda_refresh_policy" {
 "logs:PutLogEvents"
 ]
 Resource = "arn:${data.aws_partition.current.partition}:logs:*:*:log-group:/aws/lambda/${local.lambda_function_name}:*"
+ },
+ {
+ # Required for Lambda functions deployed into a VPC
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface"
+ ]
+ Resource = "*"
 }
 ]
 })
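Review bot: The comment above `enable_lambda_token_refresh` restates the schedule ("every 30 minutes") and the token lifetime ("1 hour"), values that presumably live in the schedule rule and token settings of lambda_token_refresh.tf, so this copy will silently go stale when either of those changes. A tfvars comment is better kept to what the flag switches on and where the numbers come from, e.g. `# Enable the scheduled Lambda that refreshes the runner token in Secrets Manager before it expires; interval and token lifetime are defined in lambda_token_refresh.tf`. The "runner recovery deadlocks" wording is also worth one clause explaining the failure mode it prevents, since a reader of tfvars cannot see the Lambda code.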
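Review bot: The new ENI statement grants `ec2:CreateNetworkInterface` and `ec2:DeleteNetworkInterface` on `Resource = "*"`, so the execution role can create and delete network interfaces in any VPC and subnet of the account, not only the ones this function is deployed into. `ec2:DescribeNetworkInterfaces` genuinely needs `*`, but the whole statement can be tied to this function by adding a condition so it only covers ENI calls Lambda makes on its behalf, e.g. `Condition = { ArnEquals = { "lambda:SourceFunctionArn" = "<ARN of this function, built from local.lambda_function_name>" } }`. If scoping is deferred, the added comment should at least say why `*` is accepted here rather than only that a VPC deployment requires the actions. Note also that a function placed in a VPC loses the default route to Secrets Manager, so the refresh enabled in default.auto.tfvars needs a VPC endpoint or NAT path; the `vpc_config` that motivates this statement is outside the hunk. The enclosing `aws_iam_role_policy` resource starts outside the hunk.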