diff --git a/modules/security_identity_compliance/iam-user/README.md b/modules/security_identity_compliance/iam-user/README.md
index aba1001..df14578 100644
--- a/modules/security_identity_compliance/iam-user/README.md
+++ b/modules/security_identity_compliance/iam-user/README.md
@@ -8,36 +8,16 @@
 module iam-user {
 default-tags = local.default-tags
 iam-user-name = var.iam-user-name
- iam-user-policy = data.aws_iam_policy_document.user-policy.json
+ iam-user-policy = ""
 iam-user-policy-name = "SelfServicePermissions"
 create-access-key = false
 create-password = false
 managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
 create-group = true
+ add-to-groups = []
 iam-group-name = var.iam-group-name
 }
 
-data aws_iam_policy_document user-policy {
- statement {
- sid = "ManageOwnCredentials"
-
- actions = [
- "iam:ChangePassword",
- "iam:CreateAccessKey",
- "iam:DeleteAccessKey",
- "iam:ListAccessKey",
- "iam:CreateVirtualMFADevice",
- "iam:EnableMFADevice",
- "iam:ListMFA*",
- "iam:ListVirtualMFA*",
- "iam:ResyncMFADevice"
- ]
-
- effect = "Allow"
- resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
- }
-}
-
 output iam-user-arn {
 value = module.iam-user.iam-user-arn
 }
diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf
index 54819a7..121a1a0 100644
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
@@ -16,6 +16,33 @@ resource "aws_iam_user_policy" "iam-user-policy" {
 policy = var.iam-user-policy
 }
 
+resource "aws_iam_user_policy" iam-user-selfservice-policy {
+ name = "SelfServicePermissions"
+ user = aws_iam_user.iam-user.name
+ policy = data.aws_iam_policy_document.user-policy.json
+}
+
+data aws_iam_policy_document user-policy {
+ statement {
+ sid = "ManageOwnCredentials"
+
+ actions = [
+ "iam:ChangePassword",
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKey",
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:ListMFA*",
+ "iam:ListVirtualMFA*",
+ "iam:ResyncMFADevice"
+ ]
+
+ effect = "Allow"
+ resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
+ }
+}
+
 resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
 count = var.create-group ? 0: length(var.managed-policy-arns)
 user = aws_iam_user.iam-user.name
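Review bot: The added `data aws_iam_policy_document user-policy` in main.tf builds its resource ARN from the literal placeholder `account-id` (`resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]`), so the statement cannot match the real user's ARN and the self-service grant is ineffective at best and possibly rejected as a malformed document; now that the document lives inside the module rather than the README example, it should point at the user the module itself creates, `resources = [aws_iam_user.iam-user.arn]`. The action list also names `iam:ListAccessKey`, which is not an IAM action (the real one is `iam:ListAccessKeys`), so listing one's own keys is not actually granted either. Because this inline policy is now attached to every user unconditionally, consider gating the credential-minting actions (`iam:CreateAccessKey` in particular) behind an `aws:MultiFactorAuthPresent` condition so that a compromised console password alone cannot produce long-lived keys. Finally, the hard-coded `name = "SelfServicePermissions"` is the same value the README example still passes as `iam-user-policy-name`; whether `aws_iam_user_policy.iam-user-policy` is conditional is outside the hunk, but if both are created for one user the two inline policies share a name, the later PutUserPolicy overwrites the earlier, and the resources drift on every apply.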