diff --git a/layers/security_identity_compliance/iam_roles/main.tf b/layers/security_identity_compliance/iam_roles/main.tf
index eaeb3e3..98a312e 100644
--- a/layers/security_identity_compliance/iam_roles/main.tf
+++ b/layers/security_identity_compliance/iam_roles/main.tf
@@ -8,4 +8,6 @@ module iam-module {
   project = var.project
   aws-region-short = var.aws-region-short
   default-tags = local.default-tags
+  cloudheath-ext-id1 = "87adcc8d76e0bc18ac67e1c4a7acbc"
+  cloudheath-ext-id2 = "68c32aa2f429c59528ae79c713159f"
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf b/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
new file mode 100644
index 0000000..1f4f3d7
--- /dev/null
+++ b/modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf
@@ -0,0 +1,138 @@
+resource aws_iam_role cloudhealth-role {
+  name = "CloudHealth-Role"
+  tags = var.default-tags
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::454464851268:root"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": [
+            "${var.cloudheath-ext-id1}",
+            "${var.cloudheath-ext-id2}"
+          ]
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "CloudHealth-Policy" {
+  name   = "CloudHealthPolicy"
+  policy = <<-EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "autoscaling:Describe*",
+                "aws-portal:ViewBilling",
+                "aws-portal:ViewUsage",
+                "cloudformation:ListStacks",
+                "cloudformation:ListStackResources",
+                "cloudformation:DescribeStacks",
+                "cloudformation:DescribeStackEvents",
+                "cloudformation:DescribeStackResources",
+                "cloudformation:GetTemplate",
+                "cloudfront:Get*",
+                "cloudfront:List*",
+                "cloudtrail:DescribeTrails",
+                "cloudtrail:ListTags",
+                "cloudtrail:Get*",
+                "cloudwatch:Describe*",
+                "cloudwatch:Get*",
+                "cloudwatch:List*",
+                "config:Get*",
+                "config:Describe*",
+                "config:Deliver*",
+                "config:List*",
+                "cur:Describe*",
+                "dms:Describe*",
+                "dms:List*",
+                "dynamodb:DescribeTable",
+                "dynamodb:List*",
+                "ec2:Describe*",
+                "ec2:DescribeRegions",
+                "ec2:GetReservedInstancesExchangeQuote",
+                "ecs:List*",
+                "ecs:Describe*",
+                "elasticache:Describe*",
+                "elasticache:ListTagsForResource",
+                "elasticbeanstalk:Check*",
+                "elasticbeanstalk:Describe*",
+                "elasticbeanstalk:List*",
+                "elasticbeanstalk:RequestEnvironmentInfo",
+                "elasticbeanstalk:RetrieveEnvironmentInfo",
+                "elasticfilesystem:Describe*",
+                "elasticloadbalancing:Describe*",
+                "elasticmapreduce:Describe*",
+                "elasticmapreduce:List*",
+                "es:List*",
+                "es:Describe*",
+                "es:DescribeReservedElasticsearchInstances",
+                "firehose:ListDeliveryStreams",
+                "firehose:DescribeDeliveryStream",
+                "iam:List*",
+                "iam:Get*",
+                "iam:GenerateCredentialReport",
+                "kinesis:Describe*",
+                "kinesis:List*",
+                "kms:DescribeKey",
+                "kms:GetKeyRotationStatus",
+                "kms:ListKeys",
+                "lambda:List*",
+                "logs:Describe*",
+                "organizations:ListAccounts",
+                "organizations:ListTagsForResource",
+                "redshift:Describe*",
+                "route53:Get*",
+                "route53:List*",
+                "rds:Describe*",
+                "rds:ListTagsForResource",
+                "s3:GetAccountPublicAccessBlock",
+                "s3:GetBucketAcl",
+                "s3:GetBucketLocation",
+                "s3:GetBucketLogging",
+                "s3:GetBucketPolicy",
+                "s3:GetBucketPolicyStatus",
+                "s3:GetBucketPublicAccessBlock",
+                "s3:GetBucketTagging",
+                "s3:GetBucketVersioning",
+                "s3:GetBucketWebsite",
+                "s3:List*",
+                "sagemaker:Describe*",
+                "sagemaker:List*",
+                "savingsplans:DescribeSavingsPlans",
+                "sdb:GetAttributes",
+                "sdb:List*",
+                "ses:Get*",
+                "ses:List*",
+                "sns:Get*",
+                "sns:List*",
+                "sqs:GetQueueAttributes",
+                "sqs:ListQueues",
+                "storagegateway:List*",
+                "storagegateway:Describe*",
+                "workspaces:Describe*"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {
+  role       = aws_iam_role.cloudhealth-role.name
+  policy_arn = aws_iam_policy.CloudHealth-Policy.arn
+}
+
diff --git a/modules/security_identity_compliance/roles_iam_resources/variables.tf b/modules/security_identity_compliance/roles_iam_resources/variables.tf
index 24b947b..c1879b4 100644
--- a/modules/security_identity_compliance/roles_iam_resources/variables.tf
+++ b/modules/security_identity_compliance/roles_iam_resources/variables.tf
@@ -8,6 +8,8 @@ variable "cloudtrail-retain-days" {
   type = number
   default = 90
 }
+variable "cloudheath-ext-id1" {}
+variable "cloudheath-ext-id2" {}
 
 locals {
   ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"