diff --git a/examples/ingestion/main.tf b/examples/ingestion/main.tf
index 236daf2..20444f0 100644
--- a/examples/ingestion/main.tf
+++ b/examples/ingestion/main.tf
@@ -19,6 +19,9 @@ module "ingestion_iam" {
opensearch_domain_arns = [
"arn:aws:es:${local.region}:${local.account_id}:domain/${local.domain_name}",
]
+ custom_role_policy_arns = [
+ "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
+ ]
}
module "ingestion_pipeline" {
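Review bot: The example attaches the AWS-managed `AmazonS3ReadOnlyAccess` policy to the pipeline role (L9-L11), which grants read access to every bucket and object in the account rather than only the data the pipeline ingests. Since this example is what users copy, a comment marking it as a placeholder would help, e.g. `# Example only: AmazonS3ReadOnlyAccess covers every bucket in the account; replace with a policy scoped to the ingestion bucket(s).`, or better, reference a customer-managed policy limited to the specific bucket ARN. The enclosing `module "ingestion_iam"` block starts before this hunk.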
diff --git a/modules/ingestion/iam/README.md b/modules/ingestion/iam/README.md
index 436351b..e1cfe96 100644
--- a/modules/ingestion/iam/README.md
+++ b/modules/ingestion/iam/README.md
@@ -22,12 +22,13 @@
| Name | Type |
|------|------|
-| [aws_iam_policy_document.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.opensearch_ingestion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to the pipeline IAM role | `list(string)` | `[]` | no |
| [opensearch\_domain\_arns](#input\_opensearch\_domain\_arns) | (Optional) The ARN's of the OpenSearch domains to ingest data into | `list(string)` | `[]` | no |
| [pipeline\_role\_name](#input\_pipeline\_role\_name) | The name of the pipline IAM role | `string` | n/a | yes |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
diff --git a/modules/ingestion/iam/data.tf b/modules/ingestion/iam/data.tf
index b5d1a96..be62b1f 100644
--- a/modules/ingestion/iam/data.tf
+++ b/modules/ingestion/iam/data.tf
@@ -1,20 +1,32 @@
data "aws_iam_policy_document" "opensearch_ingestion" {
+ count = local.create_opensearch_ingestion_policy ? 1 : 0
- statement {
- effect = "Allow"
- actions = ["es:DescribeDomain"]
- resources = var.opensearch_domain_arns
+ dynamic "statement" {
+ for_each = local.create_opensearch_ingestion_policy ? [1] : []
+ content {
+ effect = "Allow"
+ actions = ["es:DescribeDomain"]
+ resources = var.opensearch_domain_arns
+ }
}
- statement {
- effect = "Allow"
- actions = [
- "es:ESHttpGet",
- "es:ESHttpHead",
- "es:ESHttpPatch",
- "es:ESHttpPost",
- "es:ESHttpPut",
- ]
- resources = [for domain in var.opensearch_domain_arns : "${domain}/*"]
+ dynamic "statement" {
+ for_each = local.create_opensearch_ingestion_policy ? [1] : []
+ content {
+ effect = "Allow"
+ actions = [
+ "es:ESHttpGet",
+ "es:ESHttpHead",
+ "es:ESHttpPatch",
+ "es:ESHttpPost",
+ "es:ESHttpPut",
+ ]
+ resources = [for domain in var.opensearch_domain_arns : "${domain}/*"]
+ }
}
}
+
+moved {
+ from = data.aws_iam_policy_document.opensearch_ingestion
+ to = data.aws_iam_policy_document.opensearch_ingestion[0]
+}
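Review bot: The `moved` block at the end of the hunk (L75-L78) targets a data source; as far as I recall Terraform's `moved` only accepts managed resource and module addresses, and data sources are re-read on every plan rather than migrated in state, so this block is unnecessary and may be rejected by `terraform validate` — worth confirming against the Terraform version the module pins. Separately, now that the data source itself has `count = local.create_opensearch_ingestion_policy ? 1 : 0` (L36), the two `dynamic "statement"` wrappers with `for_each = local.create_opensearch_ingestion_policy ? [1] : []` (L41-L42, L59-L60) can never be empty inside the instantiated block; replacing each with a plain `statement { ... }` block removes the duplicated condition and restores the original, easier-to-audit policy shape.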
diff --git a/modules/ingestion/iam/iam.tf b/modules/ingestion/iam/iam.tf
index 3fa94fb..06dd9d2 100644
--- a/modules/ingestion/iam/iam.tf
+++ b/modules/ingestion/iam/iam.tf
@@ -10,7 +10,7 @@ module "pipeline_role" {
"osis-pipelines.amazonaws.com",
]
role_requires_mfa = false
- custom_role_policy_arns = local.create_opensearch_ingestion_policy ? [module.pipeline_opensearch_policy.arn] : []
+ custom_role_policy_arns = local.create_opensearch_ingestion_policy ? concat([module.pipeline_opensearch_policy[0].arn], var.custom_role_policy_arns) : var.custom_role_policy_arns
tags = var.tags
}
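Review bot: The ternary on L88 repeats `var.custom_role_policy_arns` in both branches and duplicates the condition already encoded in the module's `count`; with `count` in place, a splat expresses the same value without the conditional: `custom_role_policy_arns = concat(module.pipeline_opensearch_policy[*].arn, var.custom_role_policy_arns)`. The same pattern applies to outputs.tf (L116), where `one(module.pipeline_opensearch_policy[*].arn)` yields the ARN when the policy exists and `null` otherwise. If the upstream iam-assumable-role module counts attachments from the list length, note that `concat` of a literal splat and a variable keeps the length known at plan time, so this should not change behaviour — confirm on a plan. The `module "pipeline_role"` block begins before this hunk.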
@@ -19,12 +19,17 @@ module "pipeline_opensearch_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "~> 5.5.0"
- create_policy = local.create_opensearch_ingestion_policy
+ count = local.create_opensearch_ingestion_policy ? 1 : 0
name = "${var.pipeline_role_name}-ingestion-policy"
path = "/"
description = "IAM Policy for Opensearch ingestion"
- policy = data.aws_iam_policy_document.opensearch_ingestion.json
+ policy = data.aws_iam_policy_document.opensearch_ingestion[0].json
tags = var.tags
}
+
+moved {
+ from = module.pipeline_opensearch_policy
+ to = module.pipeline_opensearch_policy[0]
+}
diff --git a/modules/ingestion/iam/outputs.tf b/modules/ingestion/iam/outputs.tf
index fd32ddd..1cb22d2 100644
--- a/modules/ingestion/iam/outputs.tf
+++ b/modules/ingestion/iam/outputs.tf
@@ -10,5 +10,5 @@ output "pipeline_role_arn" {
output "opensearch_ingestion_policy_arn" {
description = "ARN of the Opensearch ingestion policy"
- value = local.create_opensearch_ingestion_policy ? module.pipeline_opensearch_policy.arn : null
+ value = local.create_opensearch_ingestion_policy ? module.pipeline_opensearch_policy[0].arn : null
}
diff --git a/modules/ingestion/iam/variables.tf b/modules/ingestion/iam/variables.tf
index 2c321dd..57da975 100644
--- a/modules/ingestion/iam/variables.tf
+++ b/modules/ingestion/iam/variables.tf
@@ -9,6 +9,12 @@ variable "opensearch_domain_arns" {
default = []
}
+variable "custom_role_policy_arns" {
+ description = "List of ARNs of IAM policies to attach to the pipeline IAM role"
+ type = list(string)
+ default = []
+}
+
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
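Review bot: The new `custom_role_policy_arns` variable (L125-L129) is attached directly to the pipeline role with no validation, so a typo or a non-policy ARN only surfaces as an apply-time error from the attachment resource, and the description does not say that these policies are attached in addition to the module-generated OpenSearch policy. A `validation` block checking the IAM policy ARN shape gives a clear plan-time message, and a short note in the description sets the expectation; the `variable "tags"` block at the end of the hunk continues outside it.
```hcl
variable "custom_role_policy_arns" {
  description = "List of ARNs of IAM policies to attach to the pipeline IAM role, in addition to the OpenSearch ingestion policy created by this module"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for arn in var.custom_role_policy_arns : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", arn))])
    error_message = "Each entry in custom_role_policy_arns must be an IAM policy ARN (arn:aws:iam::<account-or-aws>:policy/...)."
  }
}
```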