diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf
index a521e9f..b321ef4 100644
--- a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf
+++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf
@@ -7,11 +7,13 @@ variable "application" {}
 locals {
 default-tags = {
- ServiceProvider = "Rackspace"
+ ServiceProvider = "RackspaceTechnology"
 Environment = var.environment
 Project = var.project
 Application = var.application
 TerraformMode = "managed"
+ TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
+ CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]
 BuildDate = formatdate("YYYYMMDD", timestamp())
 }
 ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
diff --git a/layers/security_identity_compliance/iam_roles/variables.tf b/layers/security_identity_compliance/iam_roles/variables.tf
index a521e9f..b321ef4 100644
--- a/layers/security_identity_compliance/iam_roles/variables.tf
+++ b/layers/security_identity_compliance/iam_roles/variables.tf
@@ -7,11 +7,13 @@ variable "application" {}
 locals {
 default-tags = {
- ServiceProvider = "Rackspace"
+ ServiceProvider = "RackspaceTechnology"
 Environment = var.environment
 Project = var.project
 Application = var.application
 TerraformMode = "managed"
+ TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
+ CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]
 BuildDate = formatdate("YYYYMMDD", timestamp())
 }
 ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
diff --git a/modules/security_identity_compliance/roles_iam_resources/main.tf b/modules/security_identity_compliance/roles_iam_resources/main.tf
index 7a210f6..aee779d 100644
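Review bot: `CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]` only works when the caller is an assumed role (`AROA…:session-name`); for an IAM user or the root user `user_id` contains no colon, so `[1]` is out of range and every plan of this layer fails with an invalid-index error. A guarded form such as `CreatedBy = try(split(":", data.aws_caller_identity.this.user_id)[1], data.aws_caller_identity.this.user_id)` avoids that (`try()` needs Terraform ≥ 0.12.20; the `trimprefix` call on the line above already requires 0.12). The tag also deserves a comment, because its value is the session name of whoever runs `apply`: it is rewritten on every tagged resource each time a different operator applies, and it records that operator's session name — often an e-mail address — in a tag visible to anyone with tag read access. The `locals` block continues beyond the hunk.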
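Review bot: `TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")` hard-codes one developer's workstation path: on any other machine or in CI the prefix does not match, so the tag carries the full absolute working directory, and the repository now publishes that local path. The identical blob hashes (`a521e9f..b321ef4`) in this file header and the cloudtrail_cloudwatchlogs one show the two `variables.tf` files are byte-for-byte copies, so the same defect (and the `CreatedBy` index that breaks for IAM users) exists in both and any fix must land in both — or the shared `locals` should move to one module. A checkout-independent value, e.g. `TerraformDir = trimprefix(path.cwd, var.repo-root)` with the root passed in by the pipeline, or simply `basename(path.cwd)`, keeps the tag stable and free of host details. The `locals` block continues beyond the hunk.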
--- a/modules/security_identity_compliance/roles_iam_resources/main.tf
+++ b/modules/security_identity_compliance/roles_iam_resources/main.tf
@@ -26,6 +26,7 @@ data aws_iam_policy_document assume-role-policy {
 resource aws_iam_role administrator-role {
 name = "${var.environment}-awsadmin"
+ description = "Provides full access to AWS services and resources."
 tags = var.default-tags
 assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
 path = "/${var.customer-name}/"
@@ -39,6 +40,7 @@ resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
 resource aws_iam_role billing-role {
 name = "${var.environment}-billing"
+ description = "Grants permissions for billing and cost management."
 tags = var.default-tags
 assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
 path = "/${var.customer-name}/"
@@ -52,6 +54,7 @@ resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
 resource aws_iam_role dba-role {
 name = "${var.environment}-dba"
+ description = "AWS database admin role"
 tags = var.default-tags
 assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
 path = "/${var.customer-name}/"
@@ -65,6 +68,7 @@ resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
 resource aws_iam_role network-admin-role {
 name = "${var.environment}-networkadmin"
+ description = "AWS network admin role"
 tags = var.default-tags
 assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
 path = "/${var.customer-name}/"
@@ -78,6 +82,7 @@ resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
 resource aws_iam_role developer-role {
 name = "${var.environment}-developer"
+ description = "Provides full access to AWS resources excluding IAM."
 tags = var.default-tags
 assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
 path = "/${var.customer-name}/"
@@ -89,8 +94,23 @@ resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
 policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
 }
+resource aws_iam_role securityaudit-role {
+ name = "${var.environment}-securityaudit"
+ description = "Role to read security configuration metadata."
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "securityaudit-role-policy-attach1" {
+ role = aws_iam_role.securityaudit-role.name
+ policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
 resource aws_iam_role support-role {
 name = "${var.environment}-support"
+ description = "Role to troubleshoot and resolve issues in AWS."
 tags = var.default-tags
 assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
 path = "/${var.customer-name}/"
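Review bot: The new `securityaudit-role` trusts `data.aws_iam_policy_document.assume-role-policy.json`, the same document every other role in this file uses (visible in the hunks above), so any principal permitted to assume the read-only audit role is equally permitted to assume `${var.environment}-awsadmin`; as written the role adds no least-privilege entry point for auditors, only a convenience. If the intent is a read-only path for an audit team, give it its own trust document — a separate `aws_iam_policy_document` restricted to the auditing principals, with `sts:ExternalId` or MFA conditions where they apply — and point `assume_role_policy` at that instead. `SecurityAudit` is metadata-only but still returns sensitive configuration (resource and bucket policies, account authorization details), which the `description` could state so the role is not treated as harmless, e.g. `description = "Read-only access to security configuration (SecurityAudit); returns resource policies and IAM details."`. Minor naming point: `securityaudit-role-policy-attach1` copies the `-attach1` suffix of `developer-role-policy-attach1`, while the single-attachment roles use the plain `-attach` suffix, so `securityaudit-role-policy-attach` would be consistent. The `assume-role-policy` data source and the closing of `support-role` lie outside the hunk.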