diff --git a/examples/organizational/README.md b/examples/organizational/README.md
index 206d3871..62690ba7 100644
--- a/examples/organizational/README.md
+++ b/examples/organizational/README.md
@@ -90,7 +90,6 @@ Notice that:
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
-| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
@@ -119,6 +118,7 @@ Notice that:
 | <a name="input_cloudtrail_s3_arn"></a> [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | ARN of a pre-existing cloudtrail\_sns s3 bucket. If it does not exist, it will be inferred from create cloudtrail | `string` | `"create"` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
 | <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
+| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for managed-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in both organization master and secure-for-cloud member account | `string` | `"eu-central-1"` | no |
diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf
index 4aacfe7b..655c3317 100644
--- a/examples/organizational/main.tf
+++ b/examples/organizational/main.tf
@@ -53,36 +53,6 @@ module "ssm" {
 #
 # cloud-connector
 #
-module "cloud_connector" {
-  providers = {
-    aws = aws.member
-  }
-  source = "../../modules/services/cloud-connector"
-  name   = "${var.name}-cloudconnector"
-
-  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
-  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-
-  is_organizational = true
-  organizational_config = {
-    sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
-    connector_ecs_task_role_name     = aws_iam_role.connector_ecs_task.name
-  }
-
-  sns_topic_arn = local.cloudtrail_sns_arn
-
-  ecs_cluster = module.ecs_fargate_cluster.id
-  vpc_id      = module.ecs_fargate_cluster.vpc_id
-  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-
-  tags       = var.tags
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
-}
-
-#
-# cloud-scanning
-#
-## FIXME? if this is a non-shared resource, move its usage to scanning service?
 module "codebuild" {
   providers = {
     aws = aws.member
@@ -93,13 +63,12 @@ module "codebuild" {
   depends_on                   = [module.ssm]
 }
 
-module "cloud_scanning" {
+module "cloud_connector" {
   providers = {
     aws = aws.member
   }
-
-  source = "../../modules/services/cloud-scanning"
-  name   = "${var.name}-cloudscanning"
+  source = "../../modules/services/cloud-connector"
+  name   = "${var.name}-cloudconnector"
 
   sysdig_secure_endpoint       = var.sysdig_secure_endpoint
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
@@ -111,7 +80,7 @@ module "cloud_scanning" {
   organizational_config = {
     sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn
     organizational_role_per_account  = var.organizational_member_default_admin_role
-    scanning_ecs_task_role_name      = aws_iam_role.connector_ecs_task.name
+    connector_ecs_task_role_name     = aws_iam_role.connector_ecs_task.name
   }
 
   sns_topic_arn = local.cloudtrail_sns_arn
@@ -121,7 +90,7 @@ module "cloud_scanning" {
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
   tags       = var.tags
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
 }
 
 #-------------------------------------
@@ -130,6 +99,7 @@ module "cloud_scanning" {
 
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
+  count  = var.deploy_bench ? 1 : 0
 
   name              = "${var.name}-cloudbench"
   tags              = var.tags
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf
index b3def878..e3541d14 100644
--- a/examples/organizational/variables.tf
+++ b/examples/organizational/variables.tf
@@ -68,6 +68,13 @@ variable "benchmark_regions" {
   default     = []
 }
 
+variable "deploy_bench" {
+  type        = bool
+  description = "Whether to deploy or not the cloud benchmarking"
+  default     = true
+}
+
+
 #
 # general
 #
diff --git a/examples/single-account-k8s/README.md b/examples/single-account-k8s/README.md
index 8ce52604..c82a39bb 100644
--- a/examples/single-account-k8s/README.md
+++ b/examples/single-account-k8s/README.md
@@ -82,7 +82,6 @@ Notice that:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloud_connector_sqs"></a> [cloud\_connector\_sqs](#module\_cloud\_connector\_sqs) | ../../modules/infrastructure/sqs-sns-subscription |  |
-| <a name="module_cloud_scanning_sqs"></a> [cloud\_scanning\_sqs](#module\_cloud\_scanning\_sqs) | ../../modules/infrastructure/sqs-sns-subscription |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/infrastructure/permissions/iam-user |  |
@@ -94,7 +93,6 @@ Notice that:
 | Name | Type |
 |------|------|
 | [helm_release.cloud_connector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.cloud_scanning](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
diff --git a/examples/single-account-k8s/cloud-connector.tf b/examples/single-account-k8s/cloud-connector.tf
index 6b73abcb..01b261b1 100644
--- a/examples/single-account-k8s/cloud-connector.tf
+++ b/examples/single-account-k8s/cloud-connector.tf
@@ -10,6 +10,16 @@ module "cloud_connector_sqs" {
   tags          = var.tags
 }
 
+module "codebuild" {
+  count  = var.deploy_image_scanning ? 1 : 0
+  source = "../../modules/infrastructure/codebuild"
+
+  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+
+  tags = var.tags
+  # note. this is required to avoid race conditions
+  depends_on = [module.ssm]
+}
 
 #-------------------------------------
 # cloud_connector
@@ -50,12 +60,28 @@ resource "helm_release" "cloud_connector" {
   }
 
   values = [
-    <<CONFIG
-ingestors:
-  - cloudtrail-sns-sqs:
-      queueURL: ${module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url}
-CONFIG
-  ]
+    yamlencode({
+      ingestors = [
+        {
+          cloudtrail-sns-sqs = {
+            queueURL = module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url
+          }
+        }
+      ]
+      scanners = var.deploy_image_scanning ? [
+        {
+          aws-ecr = {
+            codeBuildProject         = module.codebuild[0].project_name
+            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+          }
 
+          aws-ecs = {
+            codeBuildProject         = module.codebuild[0].project_name
+            secureAPITokenSecretName = module.ssm.secure_api_token_secret_name
+          }
+        }
+      ] : []
+    })
+  ]
   depends_on = [module.iam_user]
 }
diff --git a/examples/single-account-k8s/cloud-scanning.tf b/examples/single-account-k8s/cloud-scanning.tf
deleted file mode 100644
index 1028d9e5..00000000
--- a/examples/single-account-k8s/cloud-scanning.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-#-------------------------------------
-# requirements
-#-------------------------------------
-module "cloud_scanning_sqs" {
-  count  = var.deploy_image_scanning ? 1 : 0
-  source = "../../modules/infrastructure/sqs-sns-subscription"
-
-  name          = "${var.name}-cloud_scanning"
-  sns_topic_arn = local.cloudtrail_sns_arn
-  tags          = var.tags
-}
-
-
-module "codebuild" {
-  count  = var.deploy_image_scanning ? 1 : 0
-  source = "../../modules/infrastructure/codebuild"
-
-  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-
-  tags = var.tags
-  # note. this is required to avoid race conditions
-  depends_on = [module.ssm]
-}
-
-#-------------------------------------
-# cloud_scanning
-#-------------------------------------
-resource "helm_release" "cloud_scanning" {
-  count = var.deploy_image_scanning ? 1 : 0
-  name  = "cloud-scanning"
-
-  repository = "https://charts.sysdig.com"
-  chart      = "cloud-scanning"
-
-  create_namespace = true
-  namespace        = var.name
-
-  set_sensitive {
-    name  = "aws.accessKeyId"
-    value = module.iam_user.sfc_user_access_key_id
-  }
-
-  set_sensitive {
-    name  = "aws.secretAccessKey"
-    value = module.iam_user.sfc_user_secret_access_key
-  }
-
-  set_sensitive {
-    name  = "sysdig.secureAPIToken"
-    value = var.sysdig_secure_api_token
-  }
-
-  set {
-    name  = "secureAPITokenSecret"
-    value = module.ssm.secure_api_token_secret_name
-  }
-
-  set {
-    name  = "aws.region"
-    value = data.aws_region.current.name
-  }
-
-  set {
-    name  = "sysdig.url"
-    value = var.sysdig_secure_endpoint
-  }
-
-  set {
-    name  = "sqsQueueUrl"
-    value = module.cloud_scanning_sqs[0].cloudtrail_sns_subscribed_sqs_url
-  }
-
-  set {
-    name  = "codeBuildProject"
-    value = module.codebuild[0].project_name
-  }
-
-  depends_on = [module.iam_user]
-}
diff --git a/examples/single-account/README.md b/examples/single-account/README.md
index 1cafeefd..6ff249bd 100644
--- a/examples/single-account/README.md
+++ b/examples/single-account/README.md
@@ -63,7 +63,6 @@ No providers.
 |------|--------|---------|
 | <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench |  |
 | <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector |  |
-| <a name="module_cloud_scanning"></a> [cloud\_scanning](#module\_cloud\_scanning) | ../../modules/services/cloud-scanning |  |
 | <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail |  |
 | <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild |  |
 | <a name="module_ecs_fargate_cluster"></a> [ecs\_fargate\_cluster](#module\_ecs\_fargate\_cluster) | ../../modules/infrastructure/ecs-fargate-cluster |  |
@@ -83,6 +82,7 @@ No resources.
 | <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
 | <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
 | <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If it does not exist, it will be inferred from created cloudtrail | `string` | `"create"` | no |
+| <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
diff --git a/examples/single-account/main.tf b/examples/single-account/main.tf
index 40845096..f613a46a 100644
--- a/examples/single-account/main.tf
+++ b/examples/single-account/main.tf
@@ -1,56 +1,27 @@
 #-------------------------------------
 # general resources
 #-------------------------------------
-
 module "resource_group" {
   source = "../../modules/infrastructure/resource-group"
   name   = var.name
   tags   = var.tags
 }
 
-
 module "ecs_fargate_cluster" {
   source = "../../modules/infrastructure/ecs-fargate-cluster"
   name   = var.name
   tags   = var.tags
 }
 
-
 module "ssm" {
   source                  = "../../modules/infrastructure/ssm"
   name                    = var.name
   sysdig_secure_api_token = var.sysdig_secure_api_token
 }
 
-
 #-------------------------------------
 # cloud-connector
 #-------------------------------------
-
-module "cloud_connector" {
-  source = "../../modules/services/cloud-connector"
-  name   = "${var.name}-cloudconnector"
-
-  sysdig_secure_endpoint       = var.sysdig_secure_endpoint
-  secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
-  is_organizational            = false
-
-  sns_topic_arn = local.cloudtrail_sns_arn
-
-  ecs_cluster = module.ecs_fargate_cluster.id
-  vpc_id      = module.ecs_fargate_cluster.vpc_id
-  vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
-
-  tags       = var.tags
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
-}
-
-
-
-#-------------------------------------
-# cloud-scanning
-#-------------------------------------
-
 module "codebuild" {
   source                       = "../../modules/infrastructure/codebuild"
   name                         = "${var.name}-codebuild"
@@ -61,13 +32,13 @@ module "codebuild" {
   depends_on = [module.ssm]
 }
 
-
-module "cloud_scanning" {
-  source = "../../modules/services/cloud-scanning"
-  name   = "${var.name}-cloudscanning"
+module "cloud_connector" {
+  source = "../../modules/services/cloud-connector"
+  name   = "${var.name}-cloudconnector"
 
   sysdig_secure_endpoint       = var.sysdig_secure_endpoint
   secure_api_token_secret_name = module.ssm.secure_api_token_secret_name
+  is_organizational            = false
 
   build_project_arn  = module.codebuild.project_arn
   build_project_name = module.codebuild.project_name
@@ -78,9 +49,9 @@ module "cloud_scanning" {
   vpc_id      = module.ecs_fargate_cluster.vpc_id
   vpc_subnets = module.ecs_fargate_cluster.vpc_subnets
 
-  tags = var.tags
-  # note. this is required to avoid race conditions
-  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.codebuild, module.ssm]
+  tags       = var.tags
+  depends_on = [local.cloudtrail_sns_arn, module.ecs_fargate_cluster, module.ssm]
+
 }
 
 #-------------------------------------
@@ -94,6 +65,7 @@ provider "sysdig" {
 
 module "cloud_bench" {
   source = "../../modules/services/cloud-bench"
+  count  = var.deploy_bench ? 1 : 0
 
   name              = "${var.name}-cloudbench"
   tags              = var.tags
diff --git a/examples/single-account/variables.tf b/examples/single-account/variables.tf
index 91ee19d2..d24acdb3 100644
--- a/examples/single-account/variables.tf
+++ b/examples/single-account/variables.tf
@@ -40,6 +40,12 @@ variable "benchmark_regions" {
   default     = []
 }
 
+variable "deploy_bench" {
+  type        = bool
+  description = "Whether to deploy or not the cloud benchmarking"
+  default     = true
+}
+
 #
 # general
 #
diff --git a/modules/infrastructure/codebuild/main.tf b/modules/infrastructure/codebuild/main.tf
index 0602710e..ffb1191e 100644
--- a/modules/infrastructure/codebuild/main.tf
+++ b/modules/infrastructure/codebuild/main.tf
@@ -22,15 +22,15 @@ resource "aws_codebuild_project" "build_project" {
   }
 
   source {
-    type      = "NO_SOURCE"
-    buildspec = <<CONFIG
-version: 0.2
-
-phases:
-  build:
-    commands:
-      - exit
-CONFIG
+    type = "NO_SOURCE"
+    buildspec = yamlencode({
+      version = "0.2"
+      phases = {
+        build = {
+          commands = ["exit"]
+        }
+      }
+    })
   }
 
   tags = var.tags
diff --git a/modules/services/cloud-connector/README.md b/modules/services/cloud-connector/README.md
index c8b8a3cb..2257aeb7 100644
--- a/modules/services/cloud-connector/README.md
+++ b/modules/services/cloud-connector/README.md
@@ -32,20 +32,28 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | [aws_ecs_task_definition.task_definition](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
 | [aws_iam_role.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.ecr_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.secrets_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.trigger_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_s3_bucket.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_object.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
 | [aws_s3_bucket_public_access_block.s3_config_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_caller_identity.me](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ecs_cluster.ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_cluster) | data source |
+| [aws_iam_policy_document.ecr_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.execution_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.iam_role_task_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secrets_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.trigger_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_role.task_inherited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_ssm_parameter.sysdig_secure_api_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
@@ -54,6 +62,8 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_build_project_arn"></a> [build\_project\_arn](#input\_build\_project\_arn) | Code Build project arn | `string` | n/a | yes |
+| <a name="input_build_project_name"></a> [build\_project\_name](#input\_build\_project\_name) | Code Build project name | `string` | n/a | yes |
 | <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | ECS Fargate Cluster where deploy the CloudConnector workload | `string` | n/a | yes |
 | <a name="input_secure_api_token_secret_name"></a> [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | CloudTrail module created SNS Topic ARN | `string` | n/a | yes |
@@ -65,7 +75,7 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu
 | <a name="input_image"></a> [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no |
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudconnector"` | no |
-| <a name="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given<br><ul><li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><li>and the `connector_ecs_task_role_name` which has been granted trusted-relationship over the secure\_for\_cloud\_role</li></ul> | <pre>object({<br>    sysdig_secure_for_cloud_role_arn = string<br>    connector_ecs_task_role_name     = string<br>  })</pre> | <pre>{<br>  "connector_ecs_task_role_name": null,<br>  "sysdig_secure_for_cloud_role_arn": null<br>}</pre> | no |
+| <a name="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given<br><ul><br>  <li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><br>  <li>`connector_ecs_task_role_name` which has been granted trusted-relationship over the secure\_for\_cloud\_role</li><br>  <li>`organizational_role_per_account` is the name of the organizational role deployed by AWS in each account of the organization</li><br></ul> | <pre>object({<br>    sysdig_secure_for_cloud_role_arn = string<br>    organizational_role_per_account  = string<br>    connector_ecs_task_role_name     = string<br>  })</pre> | <pre>{<br>  "connector_ecs_task_role_name": null,<br>  "organizational_role_per_account": null,<br>  "sysdig_secure_for_cloud_role_arn": null<br>}</pre> | no |
 | <a name="input_sysdig_secure_endpoint"></a> [sysdig\_secure\_endpoint](#input\_sysdig\_secure\_endpoint) | Sysdig Secure API endpoint | `string` | `"https://secure.sysdig.com"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | sysdig secure-for-cloud tags | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
 | <a name="input_verify_ssl"></a> [verify\_ssl](#input\_verify\_ssl) | true/false to determine ssl verification for sysdig\_secure\_endpoint | `bool` | `true` | no |
diff --git a/modules/services/cloud-connector/ecs-service-security.tf b/modules/services/cloud-connector/ecs-service-security.tf
index 5be4fe6f..37c82381 100644
--- a/modules/services/cloud-connector/ecs-service-security.tf
+++ b/modules/services/cloud-connector/ecs-service-security.tf
@@ -17,6 +17,7 @@ data "aws_iam_role" "task_inherited" {
   count = var.is_organizational ? 1 : 0
   name  = var.organizational_config.connector_ecs_task_role_name
 }
+
 resource "aws_iam_role" "task" {
   count              = var.is_organizational ? 0 : 1
   name               = "${var.name}-${local.ecs_task_role_name_suffix}"
@@ -24,6 +25,7 @@ resource "aws_iam_role" "task" {
   path               = "/"
   tags               = var.tags
 }
+
 data "aws_iam_policy_document" "task_assume_role" {
   count = var.is_organizational ? 0 : 1
   statement {
@@ -70,6 +72,81 @@ data "aws_iam_policy_document" "iam_role_task_policy" {
   }
 }
 
+resource "aws_iam_role_policy" "trigger_scan" {
+  name   = "${var.name}-TriggerScan"
+  role   = local.ecs_task_role_id
+  policy = data.aws_iam_policy_document.trigger_scan.json
+}
+data "aws_iam_policy_document" "trigger_scan" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "codebuild:StartBuild"
+    ]
+    resources = [var.build_project_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "task_definition_reader" {
+  name   = "TaskDefinitionReader"
+  role   = local.ecs_task_role_id
+  policy = data.aws_iam_policy_document.task_definition_reader.json
+}
+data "aws_iam_policy_document" "task_definition_reader" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecs:DescribeTaskDefinition"
+    ]
+    resources = ["*"]
+  }
+}
+
+
+resource "aws_iam_role_policy" "secrets_reader" {
+  name   = "SecretsReader"
+  role   = local.ecs_task_role_id
+  policy = data.aws_iam_policy_document.secrets_reader.json
+}
+
+data "aws_iam_policy_document" "secrets_reader" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "secretsmanager:GetSecretValue"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role_policy" "ecr_reader" {
+  name   = "ECRReader"
+  role   = local.ecs_task_role_id
+  policy = data.aws_iam_policy_document.ecr_reader.json
+}
+
+data "aws_iam_policy_document" "ecr_reader" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+      "ecr:GetLifecyclePolicy",
+      "ecr:GetLifecyclePolicyPreview",
+      "ecr:ListTagsForResource",
+      "ecr:DescribeImageScanFindings"
+    ]
+    resources = ["*"]
+  }
+}
+
 #---------------------------------
 # execution role
 # This role is required by tasks to pull container images and publish container logs to Amazon CloudWatch on your behalf.
diff --git a/modules/services/cloud-connector/s3-config.tf b/modules/services/cloud-connector/s3-config.tf
index 6fd2aba1..4223a8b0 100644
--- a/modules/services/cloud-connector/s3-config.tf
+++ b/modules/services/cloud-connector/s3-config.tf
@@ -1,4 +1,3 @@
-
 locals {
   s3_bucket_config_id = aws_s3_bucket.s3_config_bucket.id
 }
@@ -11,16 +10,48 @@ resource "aws_s3_bucket_object" "config" {
 }
 
 locals {
-  default_config = <<CONFIG
-logging: info
-rules:
-  - s3:
-      bucket: ${local.s3_bucket_config_id}
-      path: rules
-ingestors:
-  - cloudtrail-sns-sqs:
-      queueURL: ${module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url}
-      %{if var.is_organizational}assumeRole: ${var.organizational_config.sysdig_secure_for_cloud_role_arn}
-%{endif~}
-CONFIG
+  default_config = yamlencode({
+    logging = "info"
+    rules = [
+      {
+        s3 = {
+          bucket = local.s3_bucket_config_id
+          path   = "rules"
+        }
+      }
+    ]
+    ingestors = [
+      {
+        cloudtrail-sns-sqs = merge(
+          {
+            queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url
+          },
+          var.is_organizational ? {
+            assumeRole = var.organizational_config.sysdig_secure_for_cloud_role_arn
+          } : {}
+        )
+      }
+    ]
+    scanners = [
+      {
+        aws-ecr = merge({
+          codeBuildProject         = var.build_project_name
+          secureAPITokenSecretName = var.secure_api_token_secret_name
+          },
+          var.is_organizational ? {
+            masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
+            organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
+        } : {})
+
+        aws-ecs = merge({
+          codeBuildProject         = var.build_project_name
+          secureAPITokenSecretName = var.secure_api_token_secret_name
+          },
+          var.is_organizational ? {
+            masterOrganizationRole       = var.organizational_config.sysdig_secure_for_cloud_role_arn
+            organizationalRolePerAccount = var.organizational_config.organizational_role_per_account
+        } : {})
+      }
+    ]
+  })
 }
diff --git a/modules/services/cloud-connector/variables.tf b/modules/services/cloud-connector/variables.tf
index d7634d15..ac2623a2 100644
--- a/modules/services/cloud-connector/variables.tf
+++ b/modules/services/cloud-connector/variables.tf
@@ -8,6 +8,16 @@ variable "secure_api_token_secret_name" {
   description = "Sysdig Secure API token SSM parameter name"
 }
 
+variable "build_project_arn" {
+  type        = string
+  description = "Code Build project arn"
+}
+
+variable "build_project_name" {
+  type        = string
+  description = "Code Build project name"
+}
+
 
 #---------------------------------
 # vpc
@@ -51,16 +61,22 @@ variable "is_organizational" {
 variable "organizational_config" {
   type = object({
     sysdig_secure_for_cloud_role_arn = string
+    organizational_role_per_account  = string
     connector_ecs_task_role_name     = string
   })
   default = {
     sysdig_secure_for_cloud_role_arn = null
+    organizational_role_per_account  = null
     connector_ecs_task_role_name     = null
   }
 
   description = <<-EOT
     organizational_config. following attributes must be given
-    <ul><li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li><li>and the `connector_ecs_task_role_name` which has been granted trusted-relationship over the secure_for_cloud_role</li></ul>
+    <ul>
+      <li>`sysdig_secure_for_cloud_role_arn` for cloud-connector assumeRole in order to read cloudtrail s3 events</li>
+      <li>`connector_ecs_task_role_name` which has been granted trusted-relationship over the secure_for_cloud_role</li>
+      <li>`organizational_role_per_account` is the name of the organizational role deployed by AWS in each account of the organization</li>
+    </ul>
   EOT
 }