diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..520523b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+*.zip
+
+.terraform*
+.terraform
+
+terraform.tfstate*
\ No newline at end of file
diff --git a/GNUmakefile b/GNUmakefile
index 0078f1c..bab1be2 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -18,3 +18,7 @@ ci: ## *CI ONLY* Runs tests on CI pipeline
 .PHONY: release
 release: ci ## *CI ONLY* Prepares a release of the Terraform module
 	scripts/release.sh prepare
+
+.PHONY: terraform-docs
+terraform-docs:
+	scripts/terraform-docs.sh
diff --git a/README.md b/README.md
index 891ed20..bdea407 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 
 | Name | Version |
 |------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.35.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
 
@@ -39,6 +40,7 @@ No modules.
 | [aws_kms_key.lacework_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_function.lacework_copy_zip_files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function.lacework_setup_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_invocation.lacework_copy_zip_files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
 | [aws_lambda_permission.lacework_lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.lacework_org_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_ownership_controls.lacework_org_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
@@ -49,10 +51,13 @@ No modules.
 | [aws_sns_topic.lacework_sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.lacework_sns_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
-| [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [random_string.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [archive_file.lambda_zip_file](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.kms_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lacework_copy_zip_files_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lacework_copy_zip_files_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lacework_setup_function_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lacework_setup_function_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
diff --git a/examples/default/README.md b/examples/default/README.md
index 74dc015..4f6ea50 100644
--- a/examples/default/README.md
+++ b/examples/default/README.md
@@ -15,7 +15,9 @@ terraform {
 
 provider "lacework" {}
 
-provider "aws" {}
+provider "aws" {
+  region = "us-west-2"
+}
 
 module "aws_org_configuration" {
     source = "../../"
diff --git a/examples/default/main.tf b/examples/default/main.tf
index 92fb42f..ed4b542 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -1,6 +1,8 @@
 provider "lacework" {}
 
-provider "aws" {}
+provider "aws" {
+    region = "us-west-2"
+}
 
 module "aws_org_configuration" {
     source = "../../"
diff --git a/lambda.zip b/lambda.zip
deleted file mode 100644
index 61272d8..0000000
Binary files a/lambda.zip and /dev/null differ
diff --git a/main.tf b/main.tf
index ede7051..2fd66d1 100644
--- a/main.tf
+++ b/main.tf
@@ -1,21 +1,24 @@
 locals {
-    account_id  = data.aws_caller_identity.current.account_id
-    external_id = "lweid:aws:v2:${var.lacework_account}:${local.account_id}:${random_id.uniq.id}"
-    kms_key_arn = (length(var.kms_key_arn) > 0 ? var.kms_key_arn : aws_kms_key.lacework_kms_key[0].arn)
-    stack_name  = "lacework-aws-org-configuration"
+    account_id      = data.aws_caller_identity.current.account_id
+    external_id     = "lweid:aws:v2:${local.lacework_tenant}:${local.account_id}:${random_string.uniq.id}"
+    lacework_tenant = length(var.lacework_sub_account) > 0 ? var.lacework_sub_account : var.lacework_account
+    kms_key_arn     = length(var.kms_key_arn) > 0 ? var.kms_key_arn : aws_kms_key.lacework_kms_key[0].arn
+    stack_name      = "lacework-aws-org-configuration"
 }
 
 data "aws_caller_identity" "current" {}
 
-resource "random_id" "uniq" {
-  byte_length = 10
+resource "random_string" "uniq" {
+  length  = 10
+  special = false
 }
 
 #tfsec:ignore:aws-s3-enable-bucket-encryption
 #tfsec:ignore:aws-s3-enable-bucket-logging
 #tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket" "lacework_org_lambda" {
-  bucket = "lacework_org_lambda"
+  bucket_prefix = "lacework-org-lambda-"
+  force_destroy = true
 }
 
 resource "aws_s3_bucket_versioning" "lacework_org_lambda" {
@@ -55,69 +58,80 @@ resource "aws_lambda_function" "lacework_copy_zip_files" {
   tracing_config {
     mode = "Active"
   }
+
+  environment {
+    variables = {
+      src_bucket = var.s3_bucket
+      dst_bucket = aws_s3_bucket.lacework_org_lambda.id
+      prefix     = var.s3_prefix
+      object     = "/lambda/LaceworkIntegrationSetup1.1.2.zip"
+    }
+  }
 }
 
 data "archive_file" "lambda_zip_file" {
+  excludes    = ["__init__.py", "*.pyc"]
   output_path = "${path.module}/lambda.zip"
   source_dir  = "${path.module}/python"
-  excludes    = ["__init__.py", "*.pyc"]
   type        = "zip"
 }
 
 resource "aws_iam_role" "lacework_copy_zip_files_role" {
-  assume_role_policy  = data.aws_iam_policy_document.lacework_setup_function_role.json
+  assume_role_policy = data.aws_iam_policy_document.lacework_copy_zip_files_assume_role.json
+
+  inline_policy {
+    name   = "zip-role"
+    policy = data.aws_iam_policy_document.lacework_copy_zip_files_role.json
+  }
+
   managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
   name                = "lacework_copy_zip_files_role"
   path                = "/"
 }
 
-data "aws_iam_policy_document" "lacework_copy_zip_files_role" {
+data "aws_iam_policy_document" "lacework_copy_zip_files_assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
-    effect  = "Allow"
 
     principals {
       type        = "Service"
       identifiers = ["lambda.amazonaws.com"]
     }
   }
+}
 
+data "aws_iam_policy_document" "lacework_copy_zip_files_role" {
   statement {
     actions   = [
       "s3:GetObject",
       "s3:GetObjectTagging",
     ]
     effect    = "Allow"
-    resources = ["aws:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/${var.s3_prefix}*"]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/${var.s3_prefix}/*"
+    ]
   }
 
   statement {
     actions   = [
-      "s3:DeleteObject",
-      "s3:PutObject",
-      "s3:PutObjectTagging",
+      "s3:*",
     ]
     effect    = "Allow"
-    resources = [aws_s3_bucket.lacework_org_lambda.arn]
+    resources = [
+      aws_s3_bucket.lacework_org_lambda.arn,
+      "${aws_s3_bucket.lacework_org_lambda.arn}/*",
+    ]
   }
 
   version = "2012-10-17"
 }
 
-data "aws_lambda_invocation" "lacework_copy_zip_files" {
-  function_name = aws_lambda_function.lacework_copy_zip_files.id
-
-  input = <<JSON
-{
-  "RequestType": "Copy",
-  "ResourceProperties": {
-    "SourceBucket": ${var.s3_bucket},
-    "DestBucket": aws_s3_bucket.lacework_org_lambda.id,
-    "Prefix": ${var.s3_prefix},
-    "Objects": ["/lambda/LaceworkIntegrationSetup1.1.2.zip"]
-  }
-}
-JSON
+resource "aws_lambda_invocation" "lacework_copy_zip_files" {
+  function_name = aws_lambda_function.lacework_copy_zip_files.arn
+
+  input = jsonencode({})
+
+  depends_on = [ aws_lambda_function.lacework_copy_zip_files ]
 }
 
 resource "aws_lambda_function" "lacework_setup_function" {
@@ -133,17 +147,29 @@ resource "aws_lambda_function" "lacework_setup_function" {
   handler       = "lw_integration_lambda_function.handler"
   role          = aws_iam_role.lacework_setup_function_role.arn
   runtime       = "python3.11"
-  s3_bucket     = aws_s3_bucket.lacework_org_lambda.arn
+  s3_bucket     = aws_s3_bucket.lacework_org_lambda.bucket
   s3_key        = "${var.s3_prefix}/lambda/LaceworkIntegrationSetup1.1.2.zip"
   timeout       = 900
 
   tracing_config {
     mode = "Active"
   }
+
+  depends_on = [
+    aws_lambda_invocation.lacework_copy_zip_files,
+    aws_sns_topic.lacework_sns_topic,
+    aws_secretsmanager_secret.lacework_api_credentials
+  ]
 }
 
 resource "aws_iam_role" "lacework_setup_function_role" {
-  assume_role_policy  = data.aws_iam_policy_document.lacework_setup_function_role.json
+  assume_role_policy = data.aws_iam_policy_document.lacework_setup_function_assume_role.json
+
+  inline_policy {
+    name   = "lacework_setup_function_policy"
+    policy = data.aws_iam_policy_document.lacework_setup_function_role.json
+  }
+
   managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
   name                = "lacework_setup_function_role"
   path                = "/"
@@ -151,7 +177,7 @@ resource "aws_iam_role" "lacework_setup_function_role" {
 
 data "aws_partition" "current" {}
 
-data "aws_iam_policy_document" "lacework_setup_function_role" {
+data "aws_iam_policy_document" "lacework_setup_function_assume_role" {
   statement {
     actions = ["sts:AssumeRole"]
     effect  = "Allow"
@@ -161,14 +187,21 @@ data "aws_iam_policy_document" "lacework_setup_function_role" {
       identifiers = ["lambda.amazonaws.com"]
     }
   }
+}
 
+data "aws_iam_policy_document" "lacework_setup_function_role" {
   statement {
     actions   = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
       "secretsmanager:GetSecretValue",
       "secretsmanager:UpdateSecret"
     ]
     effect    = "Allow"
-    resources = [aws_secretsmanager_secret.lacework_api_credentials.arn]
+    resources = [
+      aws_secretsmanager_secret.lacework_api_credentials.arn,
+      local.kms_key_arn,
+    ]
   }
 
   version = "2012-10-17"
@@ -177,14 +210,15 @@ data "aws_iam_policy_document" "lacework_setup_function_role" {
 resource "aws_lambda_permission" "lacework_lambda_permission" {
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.lacework_setup_function.arn
-  principal     = "cloudformation.amazonaws.com"
+  principal     = "sns.amazonaws.com"
   source_arn    = aws_sns_topic.lacework_sns_topic.arn 
 }
 
 resource "aws_secretsmanager_secret" "lacework_api_credentials" {
-  description = "Lacework API Access Keys"
-  name        = "LaceworkApiCredentials"
-  kms_key_id  = local.kms_key_arn
+  description             = "Lacework API Access Keys"
+  kms_key_id              = local.kms_key_arn
+  name                    = "LaceworkApiCredentials"
+  recovery_window_in_days = 0
 }
 
 resource "aws_secretsmanager_secret_version" "lacework_api_credentials" {
@@ -225,7 +259,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
 }
 
 resource "aws_sns_topic_policy" "default" {
-  arn    = ""
+  arn    = aws_sns_topic.lacework_sns_topic.arn
   policy = data.aws_iam_policy_document.sns_topic_policy.json
 }
 
@@ -267,7 +301,10 @@ resource "aws_cloudformation_stack" "lacework_stack" {
     MainAccountSNS     = aws_sns_topic.lacework_sns_topic.arn
     ResourceNamePrefix = var.resource_prefix
   }
-  template_url = "https://s3.amazonaws.com/${var.s3_bucket}/${var.s3_prefix}/templates/lacework-aws-cfg-member.template.yml" 
+  template_url       = "https://s3.amazonaws.com/${var.s3_bucket}/${var.s3_prefix}/templates/lacework-aws-cfg-member.template.yml" 
+  timeout_in_minutes = 30
+
+  depends_on = [ aws_lambda_function.lacework_setup_function ]
 }
 
 resource "aws_cloudformation_stack_set" "lacework_stackset" {
@@ -292,4 +329,6 @@ resource "aws_cloudformation_stack_set" "lacework_stackset" {
 
   permission_model = "SERVICE_MANAGED"
   template_url     = "https://s3.amazonaws.com/${var.s3_bucket}/${var.s3_prefix}/templates/lacework-aws-cfg-member.template.yml"
+
+  depends_on = [ aws_lambda_function.lacework_setup_function ]
 }
diff --git a/python/index.py b/python/index.py
index 0e707e8..d891a80 100644
--- a/python/index.py
+++ b/python/index.py
@@ -1,64 +1,47 @@
 import boto3
-import cfnresponse
 import json
 import logging
+import os
 import threading
 
 
-def copy_objects(source_bucket, dest_bucket, prefix, objects):
-    s3 = boto3.client('s3')
+def handler(event, context):
+    timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context])
 
-    for o in objects:
-        key = prefix + o
-        copy_source = {
-            'Bucket': source_bucket,
-            'Key': key
-        }
+    timer.start()
 
-        print(f'copy_source: {copy_source}')
-        print(f'dest_bucket: {dest_bucket}')
-        print(f'key: {key}')
+    print('Received event: %s' % json.dumps(event))
 
-        s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key)
+    try:
+        src_bucket = os.environ['src_bucket']
+        dst_bucket = os.environ['dst_bucket']
+        prefix = os.environ['prefix']
+        object = os.environ['object']
 
+        copy_object(src_bucket, dst_bucket, prefix, object)
 
-def delete_objects(bucket, prefix, objects):
-    s3 = boto3.client('s3')
-
-    objects = {'Objects': [{'Key': prefix + o} for o in objects]}
+    except Exception as e:
+        logging.error('Exception: %s' % e, exc_info=True)
 
-    s3.delete_objects(Bucket=bucket, Delete=objects)
+    finally:
+        timer.cancel()
 
 
 def timeout(event, context):
-    logging.error('Execution is about to time out, sending failure response to CloudFormation')
-    cfnresponse.send(event, context, cfnresponse.FAILED, {}, None)
+    logging.error('Execution is timeout')
 
 
-def handler(event, context):
-    # make sure we send a failure to CloudFormation if the function
-    # is going to timeout
-    timer = threading.Timer((context.get_remaining_time_in_millis()
-              / 1000.00) - 0.5, timeout, args=[event, context])
-    timer.start()
-    print('Received event: %s' % json.dumps(event))
-    status = cfnresponse.SUCCESS
-
-    try:
-        source_bucket = event['ResourceProperties']['SourceBucket']
-        dest_bucket = event['ResourceProperties']['DestBucket']
-        prefix = event['ResourceProperties']['Prefix']
-        objects = event['ResourceProperties']['Objects']
+def copy_object(src_bucket: str, dst_bucket: str, prefix: str, object: str):
+    s3 = boto3.client('s3')
 
-        if event['RequestType'] == 'Delete':
-            delete_objects(dest_bucket, prefix, objects)
-        else:
-            copy_objects(source_bucket, dest_bucket, prefix, objects)
+    key = prefix + object
+    copy_source = {
+        'Bucket': src_bucket,
+        'Key': key
+    }
 
-    except Exception as e:
-        logging.error('Exception: %s' % e, exc_info=True)
-        status = cfnresponse.FAILED
+    print(f'copy_source: {copy_source}')
+    print(f'dest_bucket: {dst_bucket}')
+    print(f'key: {key}')
 
-    finally:
-        timer.cancel()
-        cfnresponse.send(event, context, status, {}, None)
+    s3.copy_object(CopySource=copy_source, Bucket=dst_bucket, Key=key)
diff --git a/scripts/terraform-docs.sh b/scripts/terraform-docs.sh
index 96e4f65..5fd537d 100755
--- a/scripts/terraform-docs.sh
+++ b/scripts/terraform-docs.sh
@@ -10,4 +10,4 @@ else
     echo "## terraform-docs not found in PATH, neither was docker"
     echo "## please install terraform-docs or docker"
     exit 1
-fi
\ No newline at end of file
+fi
