diff --git a/modules/aws/files/bootstrap_role_iam_policy.json.tpl b/modules/aws/files/bootstrap_role_iam_policy.json.tpl
index 3412b6c..0b844e7 100644
--- a/modules/aws/files/bootstrap_role_iam_policy.json.tpl
+++ b/modules/aws/files/bootstrap_role_iam_policy.json.tpl
@@ -14,7 +14,8 @@
         "route53:ChangeTagsForResource",
         "support:*",
         "servicequotas:List*",
-        "servicequotas:Get*"
+        "servicequotas:Get*",
+        "sts:DecodeAuthorizationMessage"
       ],
       "Resource": "*"
     },
diff --git a/modules/aws/files/management_role_iam_policy.json.tpl b/modules/aws/files/management_role_iam_policy.json.tpl
index 7321d8c..5ff7944 100644
--- a/modules/aws/files/management_role_iam_policy.json.tpl
+++ b/modules/aws/files/management_role_iam_policy.json.tpl
@@ -25,7 +25,8 @@
         "route53:List*",
         "support:*",
         "servicequotas:List*",
-        "servicequotas:Get*"
+        "servicequotas:Get*",
+        "sts:DecodeAuthorizationMessage"
       ],
       "Resource": "*"
     },
diff --git a/modules/aws/files/runtime_iam_policy.json.tpl b/modules/aws/files/runtime_iam_policy.json.tpl
index 96c023e..28d4fdb 100644
--- a/modules/aws/files/runtime_iam_policy.json.tpl
+++ b/modules/aws/files/runtime_iam_policy.json.tpl
@@ -27,7 +27,7 @@
             "Effect": "Allow",
             "Action": [
                 "route53:ChangeResourceRecordSets",
-                "route53:ListResourceRecordSets" 
+                "route53:ListResourceRecordSets"
             ],
             "Resource": ${r53_zone_arns}
         },
@@ -54,7 +54,7 @@
                 "kms:ListGrants",
                 "kms:CreateGrant"
             ],
-            "Resource": [ ${kms_arns} ],  
+            "Resource": [ ${kms_arns} ],
             "Condition": {
                 "Bool": {
                     "kms:GrantIsForAWSResource": [
@@ -73,7 +73,7 @@
                 "kms:DescribeKey",
                 "kms:Decrypt"
             ],
-            "Resource": [ ${kms_arns} ]  
+            "Resource": [ ${kms_arns} ]
         },
         {
             "Sid": "s3b",
@@ -93,7 +93,7 @@
                 "s3:*Object",
                 "s3:*Multipart*"
             ],
-            "Resource": "arn:aws:s3:::${bucket_pattern}"  
+            "Resource": "arn:aws:s3:::${bucket_pattern}"
         },
         {
             "Sid": "vbc",
@@ -102,12 +102,20 @@
                 "ec2:CreateVolume",
                 "ec2:CreateSnapshot"
             ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "vbcd",
+            "Effect": "Deny",
+            "Action": [
+                "ec2:CreateVolume",
+                "ec2:CreateSnapshot"
+            ],
             "Resource": "*",
             "Condition": {
-                "StringLike": {
-                    "aws:RequestTag/kubernetes.io/cluster/${cluster_pattern}": [
-                        "owned"
-                    ]
+                "StringNotLike": {
+                    "aws:ResourceTag/Vendor": "StreamNative",
+                    "aws:Type": "snapshot"
                 }
             }
         },
@@ -135,11 +143,11 @@
             "Resource": "*",
             "Condition": {
                 "StringLike": {
-                    "aws:ResourceTag/kubernetes.io/cluster/${cluster_pattern}": [
-                        "owned"
+                    "aws:ResourceTag/Vendor": [
+                        "StreamNative"
                     ]
                 }
             }
         }
     ]
-}
\ No newline at end of file
+}
diff --git a/modules/aws/variables.tf b/modules/aws/variables.tf
index 11d428a..9264944 100644
--- a/modules/aws/variables.tf
+++ b/modules/aws/variables.tf
@@ -69,7 +69,7 @@ variable "s3_bucket_pattern" {
 }
 
 variable "sn_policy_version" {
-  default     = "3.0.0"
+  default     = "3.1.0"
   description = "The value of SNVersion tag"
   type        = string
 }