diff --git a/aws_scale_templates/sub_modules/instance_template/main.tf b/aws_scale_templates/sub_modules/instance_template/main.tf
index 01af9fa3..43fba09c 100644
--- a/aws_scale_templates/sub_modules/instance_template/main.tf
+++ b/aws_scale_templates/sub_modules/instance_template/main.tf
@@ -70,10 +70,6 @@ module "cluster_host_iam_policy" {
 "ec2:CreateTags*",
 "ec2:ModifyInstanceAttribute",
 "iam:GetRole",
- "ssm:DescribeParameters",
- "ssm:PutParameter",
- "ssm:GetParameter",
- "ssm:DeleteParameters",
 "sns:DeleteTopic",
 "sns:CreateTopic",
 "sns:Unsubscribe",
diff --git a/resources/aws/security/iam/iam_role_policy/iam_role_policy.tf b/resources/aws/security/iam/iam_role_policy/iam_role_policy.tf
index b91182f6..f8da4d34 100644
--- a/resources/aws/security/iam/iam_role_policy/iam_role_policy.tf
+++ b/resources/aws/security/iam/iam_role_policy/iam_role_policy.tf
@@ -12,6 +12,10 @@ resource "aws_iam_role_policy" "itself" {
 name_prefix = var.role_policy_name_prefix
 role = element(var.iam_role_id, count.index)
 policy = var.iam_role_policy
+ # Admin might add/link custom IAM policies, hence avoid to overwrite it
+ lifecycle {
+ ignore_changes = all
+ }
 }
 
 output "role_name" {
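Review bot: `ignore_changes = all` on `aws_iam_role_policy.itself` leaves the role's inline policy document unmanaged after the first apply, so out-of-band edits that widen it (including an accidental or malicious `"Action": "*"`) never surface in `terraform plan`, and intentional tightenings of `var.iam_role_policy` — such as the SSM permissions dropped in the `main.tf` hunk of this same commit, if that module is what feeds this variable — are never rolled out to already-deployed roles. The stated goal of letting admins attach extra policies does not require this: attachments made through `aws_iam_role_policy_attachment` do not touch this resource's `policy` attribute, so the lifecycle block can be dropped, or at most narrowed to `ignore_changes = [policy]` with a comment such as `# NOTE: inline policy drift is not reconciled by Terraform; review it out-of-band`. The `resource` block begins before the hunk (its `count` is outside the visible lines) and the `output "role_name"` block ends after it.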