diff --git a/terraform/main.tf b/terraform/main.tf
index 12450b9..664df21 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -17,11 +17,51 @@ module "serverless-user" {
 {
 "Effect" : "Allow",
 "Action" : [
- "dynamodb:DescribeTable"
+ "dynamodb:DescribeGlobalTableSettings",
+ "dynamodb:DescribeGlobalTable"
 ],
- "Resource" : [
- "arn:aws:dynamodb:*:*:table/mfa-api_*"
- ]
+ "Resource" : "arn:aws:dynamodb:*:*:global-table/mfa-api_*"
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "dynamodb:BatchWriteItem",
+ "dynamodb:CreateTable",
+ "dynamodb:CreateTableReplica",
+ "dynamodb:DeleteItem",
+ "dynamodb:DescribeContinuousBackups",
+ "dynamodb:DescribeContributorInsights",
+ "dynamodb:DescribeKinesisStreamingDestination",
+ "dynamodb:DescribeTable",
+ "dynamodb:DescribeTimeToLive",
+ "dynamodb:GetItem",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:PutItem",
+ "dynamodb:Query",
+ "dynamodb:Scan",
+ "dynamodb:TagResource",
+ "dynamodb:UntagResource",
+ "dynamodb:UpdateItem",
+ "dynamodb:UpdateTable"
+ ],
+ "Resource" : "arn:aws:dynamodb:*:*:table/mfa-api_*"
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "dynamodb:Scan",
+ "dynamodb:Query"
+ ],
+ "Resource" : "arn:aws:dynamodb:*:*:table/mfa-api_*/index/*"
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "iam:CreateServiceLinkedRole",
+ "iam:TagRole",
+ "iam:UntagRole"
+ ],
+ "Resource" : "arn:aws:iam::*:role/*"
 }
 ]
 }
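Review bot: The last added statement grants `iam:CreateServiceLinkedRole`, `iam:TagRole` and `iam:UntagRole` on `arn:aws:iam::*:role/*`, i.e. every role in the account, which is far wider than the `mfa-api_*`-scoped DynamoDB statements above it. If the intent is the DynamoDB replication service-linked role (inferred from the added `CreateTableReplica` and global-table actions), scope creation with `"Resource" : "arn:aws:iam::*:role/aws-service-role/replication.dynamodb.amazonaws.com/*"` and `"Condition" : { "StringEquals" : { "iam:AWSServiceName" : "replication.dynamodb.amazonaws.com" } }`. `iam:TagRole`/`iam:UntagRole` on all roles lets this user change tags that tag-based (ABAC) policies may key on, so those two actions belong in their own statement limited to the role-name prefix this deployment owns. The policy document starts outside the hunk, so any existing IAM statements could not be checked against this one.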