diff --git a/UserRole/README.md b/UserRole/README.md
new file mode 100644
index 0000000..4b17e2b
--- /dev/null
+++ b/UserRole/README.md
@@ -0,0 +1,53 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| IamReadOnlyRole | ../modules/security_identity_compliance/iam-role-v2 | n/a |
+| iam-group | ../modules/security_identity_compliance/iam-group | n/a |
+| iam-group2 | ../modules/security_identity_compliance/iam-group | n/a |
+| iam-user1 | ../modules/security_identity_compliance/iam-user | n/a |
+| iam-user2 | ../modules/security_identity_compliance/iam-user | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role_policy_attachment.IamReadOnlyRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| DynamicAddressGroup | n/a | `any` | n/a | yes |
+| application | n/a | `any` | n/a | yes |
+| aws-region | n/a | `any` | n/a | yes |
+| costcenter | n/a | `any` | n/a | yes |
+| customer-name | n/a | `any` | n/a | yes |
+| environment | n/a | `any` | n/a | yes |
+| owner | n/a | `any` | n/a | yes |
+| project | n/a | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| iam-user1-access-key | n/a |
+| iam-user1-arn | n/a |
+| iam-user1-secret-location | n/a |
+| iam-user2-arn | n/a |
+
+---
+## Authorship
+This module was developed by xpk.
diff --git a/iam.user/main.tf b/UserRole/main.tf
similarity index 52%
rename from iam.user/main.tf
rename to UserRole/main.tf
index a15eb76..497d833 100644
--- a/iam.user/main.tf
+++ b/UserRole/main.tf
@@ -1,5 +1,5 @@
 module "iam-group" {
- source = "../../modules/security_identity_compliance/iam-group"
+ source = "../modules/security_identity_compliance/iam-group"
 iam-group-name = "ViewOnlyUsers001"
 iam-group-policy = ""
@@ -8,7 +8,7 @@ module "iam-group" {
 }
 module "iam-group2" {
- source = "../../modules/security_identity_compliance/iam-group"
+ source = "../modules/security_identity_compliance/iam-group"
 iam-group-name = "ViewOnlyAndS3Admin001"
 iam-group-policy = data.aws_iam_policy_document.user-policy.json
@@ -17,7 +17,7 @@ module "iam-group2" {
 }
 module "iam-user1" {
- source = "../../modules/security_identity_compliance/iam-user"
+ source = "../modules/security_identity_compliance/iam-user"
 iam-user-name = "JohnNotInGroup"
 create-access-key = true
@@ -26,7 +26,7 @@ module "iam-user1" {
 }
 module "iam-user2" {
- source = "../../modules/security_identity_compliance/iam-user"
+ source = "../modules/security_identity_compliance/iam-user"
 iam-user-name = "PeterInGroup"
 iam-user-policy = data.aws_iam_policy_document.user-policy.json
@@ -37,6 +37,42 @@ module "iam-user2" {
 add-to-groups = [module.iam-group.iam-group-name]
 }
+module "IamReadOnlyRole" {
+ source = "../modules/security_identity_compliance/iam-role-v2"
+ trusted-entity = "ec2.amazonaws.com"
+ description = "IAM role with read only access. Data decryption is denied"
+ path = "/Management/"
+ policies = {
+ DenyDataAccess = {
+ description = "Block data access by denying kms decryption"
+ policy = jsonencode(
+ {
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "DenyKMSDecrypt"
+ Effect = "Deny"
+ Action = "kms:Decrypt"
+ Resource = "*"
+ Condition = {
+ StringNotLike = {
+ "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:*:trail/*"
+ "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:*:*:log-group:*"
+ }
+ }
+ }
+ ]
+ }
+ )
+ }
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "IamReadOnlyRole" {
+ role = module.IamReadOnlyRole.name
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
 data "aws_iam_policy_document" "user-policy" {
 statement {
 sid = "s3admin"
@@ -62,6 +98,6 @@ output "iam-user1-access-key" {
 value = module.iam-user1.iam-user-access-key
 }
-output iam-user1-secret-location {
+output "iam-user1-secret-location" {
 value = module.iam-user1.iam-user-secret-arn
 }
\ No newline at end of file
diff --git a/iam.user/variables.tf b/UserRole/variables.tf
similarity index 100%
rename from iam.user/variables.tf
rename to UserRole/variables.tf
diff --git a/iam.user/terraform.tfvars b/iam.user/terraform.tfvars
deleted file mode 100644
index 85bc939..0000000
--- a/iam.user/terraform.tfvars
+++ /dev/null
@@ -1,8 +0,0 @@
-aws-region = "ap-southeast-1"
-customer-name = "ken2026"
-environment = "dev"
-project = "iac"
-application = "terraform"
-costcenter = "none"
-DynamicAddressGroup = ""
-owner = "Rackspace"
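Review bot: The description on the new IamReadOnlyRole module says "Data decryption is denied", but the `ReadOnlyAccess` managed policy attached in the new `aws_iam_role_policy_attachment` also grants data-plane reads such as `s3:Get*`, so the `kms:Decrypt` deny only blocks data encrypted with customer-managed KMS keys; unencrypted data or data protected by service-owned keys stays readable through this role. If metadata-only access is the intent, `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` is the narrower managed policy; otherwise the description should state the actual scope, e.g. `description = "IAM role with ReadOnlyAccess; KMS decryption is denied except for CloudTrail and CloudWatch Logs encryption contexts"`. The `StringNotLike` block also relies on negated condition operators evaluating true when the keys are absent from the request (so a plain Decrypt is denied while CloudTrail- or Logs-tagged Decrypts pass); as far as I can tell that is correct, but it is non-obvious enough to deserve a comment such as `# Deny applies unless the request carries a CloudTrail or CloudWatch Logs encryption context` above `Condition`. The partition is hard-coded in `policy_arn`; `data.aws_partition` would make it portable, though that is minor.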