diff --git a/cloudtrail/cloudtrail.tf b/cloudtrail/cloudtrail.tf
index c4bd9c3..1bd5748 100644
--- a/cloudtrail/cloudtrail.tf
+++ b/cloudtrail/cloudtrail.tf
@@ -21,13 +21,14 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_iam_role" "cloudtrail" {
+ count = var.enable_cloudwatch_logs ? 1 : 0
 name = local.role_name
 assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
 description = "AWS CloudTrail Role for ${local.name}"
 force_detach_policies = false
 max_session_duration = 3600
 # add deny billing
- managed_policy_arns = [aws_iam_policy.cloudtrail_policy.arn]
+ managed_policy_arns = try([aws_iam_policy.cloudtrail_policy[0].arn], null)
 path = "/"
 tags = merge(
@@ -50,6 +51,7 @@ data "aws_iam_policy_document" "cloudtrail_assume" {
 }
 
 resource "aws_iam_policy" "cloudtrail_policy" {
+ count = var.enable_cloudwatch_logs ? 1 : 0
 name = local.policy_name
 policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
 }
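Review bot: The `try([aws_iam_policy.cloudtrail_policy[0].arn], null)` in the first hunk is both unnecessary and error-masking: the role and the policy are gated on the same `var.enable_cloudwatch_logs` condition (this hunk and the second one), so whenever the role exists the policy does too, and `try()` will also silently turn any real evaluation error (a mistyped attribute, a future provider change) into `null` instead of a plan failure. The splat form needs no fallback and yields an empty list when the count is 0: `managed_policy_arns = aws_iam_policy.cloudtrail_policy[*].arn`. Since both resources are now indexed, any other reference to `aws_iam_role.cloudtrail.arn` or `aws_iam_policy.cloudtrail_policy.arn` in this file (likely the `cloud_watch_logs_role_arn` of the `aws_cloudtrail` resource whose header opens the first hunk, which is outside the diff) will fail to plan unless it is updated to `aws_iam_role.cloudtrail[0].arn` or a conditional that handles the disabled case; this cannot be confirmed from the hunks shown. Separately, `managed_policy_arns` is deprecated in recent versions of the AWS provider in favour of `aws_iam_role_policy_attachment`, so consider moving the attachment out of the role block while touching this.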