diff --git a/README.md b/README.md index 4b6e160..c0c6187 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,8 @@ This repository contains a number of Terraform modules for creation of the pre-r | [terraform-aws-fw-vpc](modules/terraform-aws-fw-vpc/README.md) | Module for creation of the VPC networking resources on AWS suitable for running a Firewall in a distributed architecture on AWS. Can be used to create a networking VPC which runs the AWS Network Firewall and connects to a Cloudera on cloud full-private deployment. | | [terraform-aws-tgw](modules/terraform-aws-tgw/README.md) | Module for creation of AWS Transity Gateway (TGW) and attaching a specified list of VPCs via the TGW. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a CDP VPC and Networking VPC are connected using the Transit Gateway. | | [terraform-aws-bastion](modules/terraform-aws-bastion/README.md) | Module to create a Bastion EC2 instance on AWS. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a secure environment, where the CDP Environment requires a Bastion host. | -| [terraform-aws-proxy](modules/terraform-aws-proxy/README.md) | Module to create and configure and EC2 Auto-Scaling Group for a highly available Squid Proxy service with Network Load Balancer (NLB) to forward traffic to the proxy instances. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a the CDP Environments uses a proxy config via the NLB. | +| [terraform-aws-cml-permissions](modules/terraform-aws-cml-permissions/README.md) | Module to create AWS IAM policies required for the Cloudera Machine Learning (CML) backup and restore. | +| [terraform-aws-permissions](modules/terraform-aws-permissions/README.md) | Module for creation of the AWS IAM permissions required by the (CDP) Public Cloud environment and datalake deployment. Note that this module is called from the terraform-cdp-aws-prereqs module. 
| | [terraform-aws-firewall](modules/terraform-aws-firewall/README.md) | Module to create and configure to create and configure an AWS Network Firewall. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where the CDP Environment is connected to a Networking VPC running the Firewall. | | [terraform-azure-nfs](modules/terraform-azure-nfs/README.md) | Module for creation of Azure NFS File Share required for Cloudera Machine Learning (CML) Public Cloud. Also optionally creates a Virtual Machine which can be used to mount and set the required ownership for CML workspace's projects folder.| | [terraform-azure-cdw-permissions](modules/terraform-azure-cdw-permissions/README.md) | Module for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service.| diff --git a/modules/terraform-aws-cml-permissions/README.md b/modules/terraform-aws-cml-permissions/README.md new file mode 100644 index 0000000..bd704ee --- /dev/null +++ b/modules/terraform-aws-cml-permissions/README.md 
@@ -0,0 +1,61 @@ + +# Terraform Module for AWS IAM Permissions for CML + +This module contains resource files and example variable definition files for creation of the AWS IAM policies required for the Cloudera Machine Learning (CML) backup and restore functionality. This requirement is described [in this section](https://docs.cloudera.com/machine-learning/cloud/workspaces/topics/ml-backup-restore-prerequisites.html) of the CML documentation. + +## Usage + +The [examples](./examples) directory has an example AWS IAM policy creation on AWS: + +* `ex01-minimal-inputs` uses the minimum set of inputs for the module. + +An example `terraform.tfvars.sample` values file is included to show input variable values. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | ~>5.30 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~>5.30 | +| [http](#provider\_http) | n/a | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.cml_backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.cml_restore_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role_policy_attachment.cdp_xaccount_role_cml_backup_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.cdp_xaccount_role_cml_restore_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role.xaccount_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | +| [http_http.cml_backup_policy_doc](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | +| [http_http.cml_restore_policy_doc](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cml\_backup\_policy\_name](#input\_cml\_backup\_policy\_name) | CDP CML Backup Policy name | `string` | n/a | yes | +| [cml\_restore\_policy\_name](#input\_cml\_restore\_policy\_name) | CDP CML Restore Policy name | `string` | n/a | yes | +| [xaccount\_role\_name](#input\_xaccount\_role\_name) | Name of existing cross account Assume role Name. | `string` | n/a | yes | +| [cml\_backup\_policy\_doc](#input\_cml\_backup\_policy\_doc) | Contents of CDP CML Backup Policy Document. If not specified document is downloaded from Cloudera Document repository | `string` | `null` | no | +| [cml\_restore\_policy\_doc](#input\_cml\_restore\_policy\_doc) | Contents of CDP CML Restore Policy Document. 
If not specified document is downloaded from Cloudera Document repository | `string` | `null` | no | +| [tags](#input\_tags) | Tags applied to provised resources | `map(any)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws\_cml\_backup\_policy\_arn](#output\_aws\_cml\_backup\_policy\_arn) | CML Backup IAM Policy ARN | +| [aws\_cml\_restore\_policy\_arn](#output\_aws\_cml\_restore\_policy\_arn) | CML Restore IAM Policy ARN | + \ No newline at end of file diff --git a/modules/terraform-aws-cml-permissions/data.tf b/modules/terraform-aws-cml-permissions/data.tf new file mode 100644 index 0000000..5482ddc --- /dev/null +++ b/modules/terraform-aws-cml-permissions/data.tf @@ -0,0 +1,29 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +data "aws_iam_role" "xaccount_role" { + + name = var.xaccount_role_name +} + +# HTTP get request to download policy documents +# ..CML Backup Policy +data "http" "cml_backup_policy_doc" { + url = "https://docs.cloudera.com/machine-learning/cloud/cml-backup-policy.json" +} + +# ..CML Restore Policy +data "http" "cml_restore_policy_doc" { + url = "https://docs.cloudera.com/machine-learning/cloud/cml-restore-policy.json" +} diff --git a/modules/terraform-aws-cml-permissions/defaults.tf b/modules/terraform-aws-cml-permissions/defaults.tf new file mode 100644 index 0000000..283f094 --- /dev/null +++ b/modules/terraform-aws-cml-permissions/defaults.tf 
@@ -0,0 +1,23 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +locals { + + # CML Backup Policy document + cml_backup_policy_doc = coalesce(var.cml_backup_policy_doc, data.http.cml_backup_policy_doc.response_body) + + # CML Backup Policy document + cml_restore_policy_doc = coalesce(var.cml_restore_policy_doc, data.http.cml_restore_policy_doc.response_body) + +} \ No newline at end of file diff --git a/modules/terraform-aws-cml-permissions/doc_fragments/header.md b/modules/terraform-aws-cml-permissions/doc_fragments/header.md new file mode 100644 index 0000000..c2fb7e2 --- /dev/null +++ b/modules/terraform-aws-cml-permissions/doc_fragments/header.md @@ -0,0 +1,11 @@ +# Terraform Module for AWS IAM Permissions for CML + +This module contains resource files and example variable definition files for creation of the AWS IAM policies required for the Cloudera Machine Learning (CML) backup and restore functionality. This requirement is described [in this section](https://docs.cloudera.com/machine-learning/cloud/workspaces/topics/ml-backup-restore-prerequisites.html) of the CML documentation. + +## Usage + +The [examples](./examples) directory has an example AWS IAM policy creation on AWS: + +* `ex01-minimal-inputs` uses the minimum set of inputs for the module. + +An example `terraform.tfvars.sample` values file is included to show input variable values. 
diff --git a/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/main.tf b/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/main.tf new file mode 100644 index 0000000..e40df79 --- /dev/null +++ b/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/main.tf 
@@ -0,0 +1,72 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +terraform { + required_version = ">= 1.5.7" + required_providers { + cdp = { + source = "cloudera/cdp" + version = ">= 0.6.1" + } + aws = { + source = "hashicorp/aws" + version = "~>5.30" + } + } +} + +provider "aws" { + region = var.aws_region +} + +module "xaccount_iam_role" { + source = "../../../terraform-aws-cred-permissions" + + tags = var.tags + + # Using CDP TF Provider cred pre-reqs data source for values of xaccount account_id and external_id + xaccount_account_id = data.cdp_environments_aws_credential_prerequisites.cdp_prereqs.account_id + xaccount_external_id = data.cdp_environments_aws_credential_prerequisites.cdp_prereqs.external_id + + xaccount_policy_name = "${var.env_prefix}-xaccount-policy" + xaccount_account_policy_doc = base64decode(data.cdp_environments_aws_credential_prerequisites.cdp_prereqs.policy) + + xaccount_role_name = "${var.env_prefix}-xaccount-role" + + # Create assume role trust relationship required for CML backup and restore + create_cml_assume_role_policy = true +} + +module "ex01_minimal_inputs" { + source = "../.." 
+ + tags = var.tags + + cml_backup_policy_name = "${var.env_prefix}-cml-backup-policy" + cml_restore_policy_name = "${var.env_prefix}-cml-restore-policy" + + xaccount_role_name = module.xaccount_iam_role.aws_xaccount_role_name + + depends_on = [module.xaccount_iam_role] +} + +# Use the CDP Terraform Provider to find the xaccount account and external ids +data "cdp_environments_aws_credential_prerequisites" "cdp_prereqs" {} + +# ------- Outputs ------- +output "xaccount_role_arn" { + value = module.xaccount_iam_role.aws_xaccount_role_arn + + description = "The ARN of the created Cross Account Role" +} diff --git a/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/terraform.tfvars.sample b/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/terraform.tfvars.sample new file mode 100644 index 0000000..0605f9c --- /dev/null +++ b/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/terraform.tfvars.sample @@ -0,0 +1,27 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ------- Global settings ------- +env_prefix = "" # Required name prefix for cloud and CDP resources, e.g. cldr1 + +# ------- Cloud Settings ------- +aws_region = "" # Change this to specify Cloud Provider region, e.g. eu-west-1 + +# ------- Resource Tagging ------- +# **NOTE: An example of how to specify tags is below; uncomment & edit if required +tags = { + owner = "" + project = "" + enddate = "" +} 
diff --git a/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/variables.tf b/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/variables.tf new file mode 100644 index 0000000..f9868b8 --- /dev/null +++ b/modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/variables.tf @@ -0,0 +1,31 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ------- Global settings ------- +variable "aws_region" { + type = string + description = "Region which Cloud resources will be created" +} + +variable "env_prefix" { + type = string + description = "Shorthand name for the environment. Used in resource descriptions" +} + +variable "tags" { + type = map(any) + description = "Tags applied to provised resources" + + default = null +} diff --git a/modules/terraform-aws-cml-permissions/main.tf b/modules/terraform-aws-cml-permissions/main.tf new file mode 100644 index 0000000..bd6c519 --- /dev/null +++ b/modules/terraform-aws-cml-permissions/main.tf 
@@ -0,0 +1,44 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ------- Cross Account Policy ------- +resource "aws_iam_policy" "cml_backup_policy" { + name = var.cml_backup_policy_name + description = "CDP CML Workspace Backup policy" + + tags = merge(var.tags, { Name = var.cml_backup_policy_name }) + + policy = local.cml_backup_policy_doc +} + +resource "aws_iam_policy" "cml_restore_policy" { + name = var.cml_restore_policy_name + description = "CDP CML Workspace Restore policy" + + tags = merge(var.tags, { Name = var.cml_restore_policy_name }) + + policy = local.cml_restore_policy_doc +} + +# Attach CML backup policy to the xaccount role +resource "aws_iam_role_policy_attachment" "cdp_xaccount_role_cml_backup_attach" { + role = data.aws_iam_role.xaccount_role.name + policy_arn = aws_iam_policy.cml_backup_policy.arn +} + +# Attach CML restore policy to the xaccount role +resource "aws_iam_role_policy_attachment" "cdp_xaccount_role_cml_restore_attach" { + role = data.aws_iam_role.xaccount_role.name + policy_arn = aws_iam_policy.cml_restore_policy.arn +} \ No newline at end of file diff --git a/modules/terraform-aws-cml-permissions/outputs.tf b/modules/terraform-aws-cml-permissions/outputs.tf new file mode 100644 index 0000000..921adb1 --- /dev/null +++ b/modules/terraform-aws-cml-permissions/outputs.tf 
@@ -0,0 +1,25 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +output "aws_cml_backup_policy_arn" { + value = aws_iam_policy.cml_backup_policy.arn + + description = "CML Backup IAM Policy ARN" +} + +output "aws_cml_restore_policy_arn" { + value = aws_iam_policy.cml_restore_policy.arn + + description = "CML Restore IAM Policy ARN" +} diff --git a/modules/terraform-aws-cml-permissions/provider.tf b/modules/terraform-aws-cml-permissions/provider.tf new file mode 100644 index 0000000..bc9290c --- /dev/null +++ b/modules/terraform-aws-cml-permissions/provider.tf @@ -0,0 +1,28 @@ +# Copyright 2023 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~>5.30" + } + http = { + source = "hashicorp/http" + version = ">= 3.2.1" + } + } + + required_version = ">= 1.3.0" +} \ No newline at end of file 
diff --git a/modules/terraform-aws-cml-permissions/variables.tf b/modules/terraform-aws-cml-permissions/variables.tf new file mode 100644 index 0000000..51f877b --- /dev/null +++ b/modules/terraform-aws-cml-permissions/variables.tf 
@@ -0,0 +1,68 @@ +# Copyright 2025 Cloudera, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ------- Global settings ------- +variable "tags" { + type = map(any) + description = "Tags applied to provised resources" + + default = null +} + +# ------- IAM Policy details ------- +variable "cml_backup_policy_name" { + type = string + + description = "CDP CML Backup Policy name" + + validation { + condition = length(var.cml_backup_policy_name) <= 128 + error_message = "The length of cml_backup_policy_name must be 128 characters or less." + } +} + +variable "cml_restore_policy_name" { + type = string + + description = "CDP CML Restore Policy name" + + validation { + condition = length(var.cml_restore_policy_name) <= 128 + error_message = "The length of cml_restore_policy_name must be 128 characters or less." + } + +} + +variable "cml_backup_policy_doc" { + type = string + + description = "Contents of CDP CML Backup Policy Document. If not specified document is downloaded from Cloudera Document repository" + + default = null +} + +variable "cml_restore_policy_doc" { + type = string + + description = "Contents of CDP CML Restore Policy Document. If not specified document is downloaded from Cloudera Document repository" + + default = null +} + +# ------- Cross Account Roles ------- +variable "xaccount_role_name" { + type = string + description = "Name of existing cross account Assume role Name." + +} 
diff --git a/modules/terraform-aws-cred-permissions/README.md b/modules/terraform-aws-cred-permissions/README.md index 7ab2859..1af18ab 100644 --- a/modules/terraform-aws-cred-permissions/README.md +++ b/modules/terraform-aws-cred-permissions/README.md 
@@ -41,13 +41,16 @@ No modules. | [aws_iam_role.cdp_xaccount_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy.cdp_xaccount_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [time_sleep.iam_propagation](https://registry.terraform.io/providers/hashicorp/time/0.9.1/docs/resources/sleep) | resource | +| [aws_iam_policy_document.cdp_xaccount_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cdp_xaccount_role_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cml_backup_assume_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_role.existing_xaccount_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [create\_cml\_assume\_role\_policy](#input\_create\_cml\_assume\_role\_policy) | Add AWS Backup Service, required for CML Backup and Restore, to Cross Account Trust Relationship. | `bool` | `false` | no | | [existing\_xaccount\_role\_name](#input\_existing\_xaccount\_role\_name) | Name of existing CDP Cross Account Role. If set then no policy or role resources are created. | `string` | `null` | no | | [tags](#input\_tags) | Tags applied to provised resources | `map(any)` | `null` | no | | [xaccount\_account\_id](#input\_xaccount\_account\_id) | Account ID of the cross account. Required if xaccount resources are to be created. | `string` | `null` | no | 
diff --git a/modules/terraform-aws-cred-permissions/examples/ex01-minimal-inputs/main.tf b/modules/terraform-aws-cred-permissions/examples/ex01-minimal-inputs/main.tf index 579baa0..1f7360a 100644 --- a/modules/terraform-aws-cred-permissions/examples/ex01-minimal-inputs/main.tf +++ b/modules/terraform-aws-cred-permissions/examples/ex01-minimal-inputs/main.tf @@ -44,6 +44,8 @@ module "ex01_minimal_inputs" { xaccount_role_name = "${var.env_prefix}-xaccount-role" + # Assume role trust relationship required for CML backup and restore + create_cml_assume_role_policy = true } # Use the CDP Terraform Provider to find the xaccount account and external ids diff --git a/modules/terraform-aws-cred-permissions/main.tf b/modules/terraform-aws-cred-permissions/main.tf index 9135751..f90b7f4 100644 --- a/modules/terraform-aws-cred-permissions/main.tf +++ b/modules/terraform-aws-cred-permissions/main.tf 
@@ -37,16 +37,42 @@ data "aws_iam_policy_document" "cdp_xaccount_role_policy_doc" { } } } +# Optional assume role policy document for the CML Backup and Restore +data "aws_iam_policy_document" "cml_backup_assume_policy_doc" { + + count = (local.create_xaccount_resources && var.create_cml_assume_role_policy) ? 1 : 0 + + version = "2012-10-17" + + statement { + actions = ["sts:AssumeRole"] + effect = "Allow" + + principals { + type = "Service" + identifiers = ["backup.amazonaws.com"] + } + } +} + +data "aws_iam_policy_document" "cdp_xaccount_assume_role_policy" { + count = local.create_xaccount_resources ? 1 : 0 + + source_policy_documents = [ + data.aws_iam_policy_document.cdp_xaccount_role_policy_doc[0].json, + try(data.aws_iam_policy_document.cml_backup_assume_policy_doc[0].json, "") + ] +} # Create the IAM role that uses the above assume_role_policy document resource "aws_iam_role" "cdp_xaccount_role" { count = local.create_xaccount_resources ? 1 : 0 - name = var.xaccount_role_name - # description = "CDP Cross Account role for ${var.env_prefix}" + name = var.xaccount_role_name + description = "CDP Cross Account role" - assume_role_policy = data.aws_iam_policy_document.cdp_xaccount_role_policy_doc[0].json + assume_role_policy = data.aws_iam_policy_document.cdp_xaccount_assume_role_policy[0].json tags = merge(var.tags, { Name = var.xaccount_role_name }) } diff --git a/modules/terraform-aws-cred-permissions/variables.tf b/modules/terraform-aws-cred-permissions/variables.tf index e1bde9f..d733b4d 100644 --- a/modules/terraform-aws-cred-permissions/variables.tf +++ b/modules/terraform-aws-cred-permissions/variables.tf @@ -78,3 +78,13 @@ variable "existing_xaccount_role_name" { default = null } + +# ------- Assume role policy for CML Backup and Restore ------- +variable "create_cml_assume_role_policy" { + type = bool + + description = "Add AWS Backup Service, required for CML Backup and Restore, to Cross Account Trust Relationship." + + default = false +} + 
diff --git a/modules/terraform-cdp-aws-pre-reqs/README.md b/modules/terraform-cdp-aws-pre-reqs/README.md index 09bb789..b47bf9e 100644 --- a/modules/terraform-cdp-aws-pre-reqs/README.md +++ b/modules/terraform-cdp-aws-pre-reqs/README.md @@ -21,16 +21,15 @@ In each directory an example `terraform.tfvars.sample` values file is included t |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | | [aws](#requirement\_aws) | >= 5.30 | -| [http](#requirement\_http) | 3.2.1 | -| [random](#requirement\_random) | 3.4.3 | -| [time](#requirement\_time) | 0.9.1 | +| [http](#requirement\_http) | ~> 3.2.1 | +| [random](#requirement\_random) | ~> 3.4.3 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.30 | -| [random](#provider\_random) | 3.4.3 | +| [random](#provider\_random) | ~> 3.4.3 | ## Modules @@ -66,7 +65,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [aws_security_group_rule.cdp_knox_sg_ingress_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_vpc_endpoint.gateway_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | | [aws_vpc_endpoint.interface_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [random_id.bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.4.3/docs/resources/id) | resource | +| [random_id.bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [aws_vpc_endpoint_service.gateway_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | | [aws_vpc_endpoint_service.interface_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | 
@@ -135,6 +134,7 @@ In each directory an example `terraform.tfvars.sample` values file is included t | [vpc\_public\_inbound\_acl\_rules](#input\_vpc\_public\_inbound\_acl\_rules) | Inbound network ACLs for Public subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | | [vpc\_public\_outbound\_acl\_rules](#input\_vpc\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | | [vpc\_public\_subnets\_map\_public\_ip\_on\_launch](#input\_vpc\_public\_subnets\_map\_public\_ip\_on\_launch) | Auto-assign public IP on launch for instances created in Public Subnets. Exposes default value of VPC module variable to allow for overriding. Only used when create\_vpc is true. | `bool` | `true` | no | +| [xaccount\_cml\_backup\_assume\_role](#input\_xaccount\_cml\_backup\_assume\_role) | Add AWS Backup Service, required for CML Backup and Restore, to Cross Account Trust Relationship. | `bool` | `false` | no | | [xaccount\_policy\_name](#input\_xaccount\_policy\_name) | Cross Account Policy name | `string` | `null` | no | | [xaccount\_role\_name](#input\_xaccount\_role\_name) | Cross account Assume role Name | `string` | `null` | no | diff --git a/modules/terraform-cdp-aws-pre-reqs/main.tf b/modules/terraform-cdp-aws-pre-reqs/main.tf index 232afbb..4e841c0 100644 --- a/modules/terraform-cdp-aws-pre-reqs/main.tf +++ b/modules/terraform-cdp-aws-pre-reqs/main.tf @@ -343,8 +343,9 @@ module "aws_cdp_cred_permissions" { xaccount_account_id = var.xaccount_account_id xaccount_external_id = var.xaccount_external_id - xaccount_policy_name = local.xaccount_policy_name - xaccount_account_policy_doc = var.xaccount_account_policy_doc + xaccount_policy_name = local.xaccount_policy_name + xaccount_account_policy_doc = var.xaccount_account_policy_doc + create_cml_assume_role_policy = var.xaccount_cml_backup_assume_role existing_xaccount_role_name = var.existing_xaccount_role_name diff --git a/modules/terraform-cdp-aws-pre-reqs/variables.tf b/modules/terraform-cdp-aws-pre-reqs/variables.tf index d614225..cc92561 100644 --- a/modules/terraform-cdp-aws-pre-reqs/variables.tf +++ b/modules/terraform-cdp-aws-pre-reqs/variables.tf 
@@ -433,6 +433,15 @@ variable "xaccount_account_policy_doc" { } +# Add extra assume role policy for CML Backup and Restore +variable "xaccount_cml_backup_assume_role" { + type = bool + + description = "Add AWS Backup Service, required for CML Backup and Restore, to Cross Account Trust Relationship." + + default = false +} + # CDP IDBroker Assume Role policy variable "idbroker_policy_doc" { type = string
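Review bot: In the top-level README.md hunk the `terraform-aws-proxy` row is deleted (`-| [terraform-aws-proxy]...`) while the two `+` rows only add `terraform-aws-cml-permissions` and `terraform-aws-permissions`; nothing else in this patch removes the proxy module, so the row looks dropped by accident and should be kept. Also, the new `terraform-aws-permissions` row reads "required by the (CDP) Public Cloud environment"; the other rows spell it out as "Cloudera Data Platform (CDP) Public Cloud", so match that.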
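Review bot: In modules/terraform-aws-cml-permissions/README.md the Requirements table lists only `terraform` and `aws`, although provider.tf in this same patch declares `http = { source = "hashicorp/http" version = ">= 3.2.1" }`, and the Providers table shows `http` as `n/a`; the README looks like a stale terraform-docs render, so regenerate it after the provider block is final. While doing so, fix "Tags applied to provised resources" (provisioned) and the doubled wording in "Name of existing cross account Assume role Name." (these strings come from variables.tf, so fix them there first).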
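Review bot: In modules/terraform-aws-cml-permissions/data.tf the two `data "http"` blocks feed the downloaded body straight into `aws_iam_policy.policy` with no check that the fetch succeeded or returned a policy; hashicorp/http 3.x does not fail on non-2xx responses, so an error page would be handed to IAM (or silently produce a broken apply). Add a `lifecycle { postcondition { condition = self.status_code == 200 && can(jsondecode(self.response_body)) error_message = "..." } }` to each block, and consider gating them with `count = var.cml_backup_policy_doc == null ? 1 : 0` so that users who pass the document inline (the fully private deployments this repo targets) do not need egress to docs.cloudera.com at plan time. Whatever is served at those two URLs becomes the permission set attached to the cross-account role, so the README should state that and recommend pinning a reviewed copy via `cml_backup_policy_doc` / `cml_restore_policy_doc` for controlled environments.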
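Review bot: In modules/terraform-aws-cml-permissions/defaults.tf the comment above `cml_restore_policy_doc` is a copy of the backup one ("# CML Backup Policy document"); it should read "CML Restore Policy document". If the http data sources are later made conditional with `count`, these locals need `try(data.http.cml_backup_policy_doc[0].response_body, null)` inside the `coalesce` rather than the direct reference.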
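Review bot: In modules/terraform-aws-cml-permissions/main.tf the section header "# ------- Cross Account Policy -------" is misleading; the two resources below it are the CML backup and restore managed policies (the cross-account policy lives in terraform-aws-cred-permissions). Rename it to something like "# ------- CML Backup and Restore Policies -------".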
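Review bot: In modules/terraform-aws-cml-permissions/examples/ex01-minimal-inputs/terraform.tfvars.sample the comment says "uncomment & edit if required", but the `tags = { ... }` block that follows is not commented out, so a user who copies the sample as-is applies tags with empty-string values to the policies. Either comment the block out or drop the "uncomment" wording.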
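Review bot: In modules/terraform-aws-cml-permissions/provider.tf the header says "Copyright 2023" while every other new file in this module says 2025; align it. The `http` constraint here is `>= 3.2.1`, whereas the terraform-cdp-aws-pre-reqs README in this same patch moves to `~> 3.2.1`; pick one constraint style for the repo so the two modules cannot drift onto different major versions of the http provider.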
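Review bot: In modules/terraform-aws-cml-permissions/variables.tf the optional `cml_backup_policy_doc` and `cml_restore_policy_doc` inputs get no validation, yet they are passed verbatim to `aws_iam_policy.policy`; a `validation { condition = var.cml_backup_policy_doc == null || can(jsondecode(var.cml_backup_policy_doc)) error_message = "..." }` on each fails at plan time instead of at apply. Also fix "provised" in the `tags` description, reword "Name of existing cross account Assume role Name.", and drop the stray blank lines before the closing braces of `cml_restore_policy_name` and `xaccount_role_name`.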
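Review bot: In modules/terraform-aws-cred-permissions/examples/ex01-minimal-inputs/main.tf the "minimal inputs" example now sets `create_cml_assume_role_policy = true`, which widens the cross-account role's trust policy to the AWS Backup service for every user who copies the example. Leave the minimal example at the default (`false`) and show the option in the cml-permissions example, which already enables it where it is actually needed.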
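Review bot: In modules/terraform-cdp-aws-pre-reqs/README.md the first hunk removes the `time` row from Requirements and loosens `http` and `random` to `~>`; the README is generated from the module's `required_providers`, but no change to that block appears in this patch, so confirm the provider file was updated too (and that `time` really is no longer required at this level given `time_sleep.iam_propagation` in the child module), otherwise the table will be reverted on the next terraform-docs run.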
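Review bot: In modules/terraform-cdp-aws-pre-reqs/variables.tf the new input is named `xaccount_cml_backup_assume_role`, but the child module variable it feeds in main.tf is `create_cml_assume_role_policy`; using the same name at both levels (or the `create_` prefix the child already uses) makes the pass-through in `module "aws_cdp_cred_permissions"` easier to follow and keeps the two READMEs consistent.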