diff --git a/.gitignore b/.gitignore
index 0c706a8..3f66cfc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 *.tfstate.backup
+*.tfstate
 *.tfstate.lock
 .terraform/
 .DS_Store
diff --git a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf
index e8c6004..f8a0556 100644
--- a/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf
+++ b/layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf
@@ -8,4 +8,5 @@ module cloudtrail-cwl {
 project = var.project
 aws-region-short = var.aws-region-short
 default-tags = local.default-tags
+ cloudtrail-retain-days = 90
 }
\ No newline at end of file
diff --git a/layers/security_identity_compliance/job-function-roles/main.tf b/layers/security_identity_compliance/job-function-roles/main.tf
new file mode 100644
index 0000000..ac87797
--- /dev/null
+++ b/layers/security_identity_compliance/job-function-roles/main.tf
@@ -0,0 +1,11 @@
+data aws_caller_identity this {}
+
+module cloudtrail-cwl {
+ source = "../../../modules/security_identity_compliance/job-function-roles"
+ application = var.application
+ environment = var.environment
+ customer-name = var.customer-name
+ project = var.project
+ aws-region-short = var.aws-region-short
+ default-tags = local.default-tags
+}
\ No newline at end of file
diff --git a/layers/security_identity_compliance/job-function-roles/provider.tf b/layers/security_identity_compliance/job-function-roles/provider.tf
new file mode 100644
index 0000000..42906bf
--- /dev/null
+++ b/layers/security_identity_compliance/job-function-roles/provider.tf
@@ -0,0 +1,12 @@
+provider "aws" {
+ region = var.aws-region
+}
+
+terraform {
+ required_version = "> 0.12, < 0.13"
+ required_providers {
+ aws = ">= 3.25.0"
+ }
+}
+
+data "aws_availability_zones" "current" {}
\ No newline at end of file
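Review bot: Adding `*.tfstate` only stops future commits; a state file that was already tracked stays in the index and in history, and Terraform state holds resource attributes in clear text, often including generated passwords and keys. Before merging, check whether any state file was ever committed (`git log --all -- '*.tfstate'`); if so it also needs `git rm --cached`, a history rewrite, and rotation of anything it exposed. The previous pattern `*.tfstate.backup` without `*.tfstate` suggests this gap may have existed for a while.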
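Review bot: The added `cloudtrail-retain-days = 90` passes exactly the value the module declares as its default (`default = 90` in the cloudtrail_cwlogs variables.tf hunk), so it changes nothing on its own; if the point is to make retention explicit per layer, say why the figure was chosen, e.g. `cloudtrail-retain-days = 90 # audit-log retention; confirm against the applicable retention policy`. Ninety days is on the short side for CloudTrail history — several compliance baselines expect audit logs kept for a year or more — so the old hard-coded value is worth re-checking rather than carrying forward.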
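Review bot: The module block is named `cloudtrail-cwl` although its `source` is the job-function-roles module, which reads as a copy-paste leftover from the CloudTrail layer and will make state addresses and error messages for the IAM roles misleading; rename it, e.g. `module job-function-roles {`. The `data aws_caller_identity this {}` on the first line is referenced only by the `ct-bucket-name` local in this layer's variables.tf, which nothing in this layer consumes.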
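Review bot: `data "aws_availability_zones" "current" {}` is declared but nothing in this layer references availability zones, so it is an extra API call on every plan with no consumer; drop it, or add a comment naming what will use it. The rest of the file (provider region from `var.aws-region`, Terraform `> 0.12, < 0.13`, provider `>= 3.25.0`) is consistent with the other layers shown.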
diff --git a/layers/security_identity_compliance/job-function-roles/terraform.tfvars b/layers/security_identity_compliance/job-function-roles/terraform.tfvars
new file mode 100644
index 0000000..4335dc9
--- /dev/null
+++ b/layers/security_identity_compliance/job-function-roles/terraform.tfvars
@@ -0,0 +1,6 @@
+aws-region = "ap-northeast-1"
+aws-region-short = "apne1"
+customer-name = "kf"
+environment = "lab"
+project = "lime"
+application = "infra"
\ No newline at end of file
diff --git a/layers/security_identity_compliance/job-function-roles/variables.tf b/layers/security_identity_compliance/job-function-roles/variables.tf
new file mode 100644
index 0000000..a521e9f
--- /dev/null
+++ b/layers/security_identity_compliance/job-function-roles/variables.tf
@@ -0,0 +1,20 @@
+variable "aws-region" {}
+variable "aws-region-short" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+
+locals {
+ default-tags = {
+ ServiceProvider = "Rackspace"
+ Environment = var.environment
+ Project = var.project
+ Application = var.application
+ TerraformMode = "managed"
+ BuildDate = formatdate("YYYYMMDD", timestamp())
+ }
+ ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
+ resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
+
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
index 41820ff..271ca16 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
@@ -60,7 +60,7 @@ resource "aws_s3_bucket" "ct-bucket" {
 storage_class = "INTELLIGENT_TIERING"
 }
 expiration {
- days = 90
+ days = var.cloudtrail-retain-days
 }
 }
 }
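Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` inside `default-tags` is re-evaluated on every plan, so every tagged resource shows a tag update each time the date changes; a permanently dirty plan trains operators to approve noise and hides the real drift and unreviewed changes this security layer exists to surface. Either drop the tag or pass the build date in as a variable the pipeline sets once per change, e.g. `BuildDate = var.build-date`. The `ct-bucket-name` local is also carried over from the CloudTrail layer and has no consumer here — the module block in this layer's main.tf does not pass it.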
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
index f8a6764..25a9924 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
@@ -1,6 +1,6 @@
 resource "aws_cloudwatch_log_group" "ct-cwl" {
 name = "${local.resource-prefix}-cwl-001"
- retention_in_days = 90
+ retention_in_days = var.cloudtrail-retain-days
 kms_key_id = aws_kms_key.ctbucket-key.arn
 tags = var.default-tags
 }
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf
index 0d091b4..24b947b 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf
@@ -4,6 +4,11 @@ variable "project" {}
 variable "application" {}
 variable "aws-region-short" {}
 variable "default-tags" {}
+variable "cloudtrail-retain-days" {
+ type = number
+ default = 90
+}
+
 locals {
 ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
 resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
diff --git a/modules/security_identity_compliance/job-function-roles/main.tf b/modules/security_identity_compliance/job-function-roles/main.tf
new file mode 100644
index 0000000..7a210f6
--- /dev/null
+++ b/modules/security_identity_compliance/job-function-roles/main.tf
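Review bot: `retention_in_days = var.cloudtrail-retain-days` now accepts any number, but CloudWatch Logs only permits a fixed set of retention values (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 and a few longer ones, with 0 meaning never expire), whereas the S3 `expiration { days = … }` in the ct-s3-bucket.tf hunk takes any positive integer; a value such as 100 plans cleanly and fails at apply on the log group, and 0 silently means indefinite CloudWatch retention. With Terraform pinned to `< 0.13` in provider.tf, a `validation` block is not available on the variable without the 0.12 experiment, so at minimum document the constraint on the declaration added in the cloudtrail_cwlogs variables.tf hunk: `description = "Retention in days for CloudTrail S3 objects and the CloudWatch log group; must be a value CloudWatch Logs accepts for retention_in_days"`.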
@@ -0,0 +1,108 @@
+/*
+ Create IAM roles based on job functions
+ https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
+
+ - Administrator
+ - Billing
+ - Database admin
+ - Network admin
+ - Developers
+ - Readonly and support
+*/
+
+data aws_caller_identity this {}
+
+data aws_iam_policy_document assume-role-policy {
+ statement {
+ sid = "AllowMyAccount"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ identifiers = [data.aws_caller_identity.this.account_id]
+ type = "AWS"
+ }
+ }
+}
+
+resource aws_iam_role administrator-role {
+ name = "${var.environment}-awsadmin"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "administrator-role-policy-attach" {
+ role = aws_iam_role.administrator-role.name
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource aws_iam_role billing-role {
+ name = "${var.environment}-billing"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 3600
+}
+
+resource "aws_iam_role_policy_attachment" "billing-role-policy-attach" {
+ role = aws_iam_role.billing-role.name
+ policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
+}
+
+resource aws_iam_role dba-role {
+ name = "${var.environment}-dba"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "dba-role-policy-attach" {
+ role = aws_iam_role.dba-role.name
+ policy_arn = "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"
+}
+
+resource aws_iam_role network-admin-role {
+ name = "${var.environment}-networkadmin"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "network-admin-role-policy-attach" {
+ role = aws_iam_role.network-admin-role.name
+ policy_arn = "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
+}
+
+resource aws_iam_role developer-role {
+ name = "${var.environment}-developer"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "developer-role-policy-attach1" {
+ role = aws_iam_role.developer-role.name
+ policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+}
+
+resource aws_iam_role support-role {
+ name = "${var.environment}-support"
+ tags = var.default-tags
+ assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json
+ path = "/${var.customer-name}/"
+ max_session_duration = 7200
+}
+
+resource "aws_iam_role_policy_attachment" "support-role-policy-attach1" {
+ role = aws_iam_role.support-role.name
+ policy_arn = "arn:aws:iam::aws:policy/job-function/SupportUser"
+}
+
+resource "aws_iam_role_policy_attachment" "support-role-policy-attach2" {
+ role = aws_iam_role.support-role.name
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
diff --git a/modules/security_identity_compliance/job-function-roles/variables.tf b/modules/security_identity_compliance/job-function-roles/variables.tf
new file mode 100644
index 0000000..24b947b
--- /dev/null
+++ b/modules/security_identity_compliance/job-function-roles/variables.tf
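Review bot: The shared `assume-role-policy` trusts the whole account (`identifiers = [data.aws_caller_identity.this.account_id]`, type `AWS`) with no condition, so any principal in the account that is granted `sts:AssumeRole` on the role ARN can take on `${var.environment}-awsadmin` with `AdministratorAccess` without MFA, and the same document is reused for every role below it. If these roles are meant for human operators, add an `aws:MultiFactorAuthPresent` condition to the statement (shown below), or narrow `identifiers` to the specific user or role ARNs expected to assume them; either way a comment on the data source should state who is intended to assume these roles. Separately, the header comment lists job functions but `developer-role` attaches `PowerUserAccess` rather than a job-function policy, which deserves a line in that comment. The role resources use unquoted labels (`resource aws_iam_role …`) while the attachments are quoted; pick one form.
```hcl
data aws_iam_policy_document assume-role-policy {
  statement {
    # … unchanged: sid, effect, actions, principals …
    # Require an MFA-authenticated session for any principal assuming these roles.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}
# … unchanged: aws_iam_role and aws_iam_role_policy_attachment resources …
```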
@@ -0,0 +1,16 @@
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+variable "aws-region-short" {}
+variable "default-tags" {}
+variable "cloudtrail-retain-days" {
+ type = number
+ default = 90
+}
+
+locals {
+ ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
+ resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
+
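Review bot: This file is a verbatim copy of `modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf` — both `index` lines show blob `24b947b` — so it declares `cloudtrail-retain-days`, `ct-bucket-name` and `resource-prefix`, none of which the job-function-roles main.tf uses; a CloudTrail retention knob and bucket name on an IAM module will mislead the next maintainer. Keep only what the roles read (`environment`, `customer-name`, `default-tags`) or add a comment on anything retained for the layer interface. `project`, `application` and `aws-region-short` are likewise accepted but unused in this module.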