diff --git a/README.md b/README.md
index 98914af..97afcb8 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,6 @@ No modules.
 | [aws_iam_role_policy_attachment.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_mwaa_environment.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mwaa_environment) | resource |
 | [aws_s3_bucket.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_public_access_block.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.mwaa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
@@ -139,7 +138,7 @@ No modules.
 | [environment\_class](#input\_environment\_class) | (Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large.
Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes. | `string` | `"mw1.small"` | no |
 | [execution\_role\_arn](#input\_execution\_role\_arn) | (Required) The Amazon Resource Name (ARN) of the task execution role that the Amazon MWAA and its environment can assume
Mandatory if `create_iam_role=false` | `string` | `null` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | IAM role Force detach policies | `bool` | `false` | no |
-| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy ARNs to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
 | [iam\_role\_name](#input\_iam\_role\_name) | IAM Role Name to be created if execution\_role\_arn is null | `string` | `null` | no |
 | [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | IAM role Permission boundary | `string` | `null` | no |
diff --git a/data.tf b/data.tf
index ab7cdfd..1a8e7b9 100644
--- a/data.tf
+++ b/data.tf
@@ -112,24 +112,51 @@ data "aws_iam_policy_document" "mwaa" {
 # if MWAA is using a AWS managed KMS key, we have to give permission to the key in ?? account
 # We don't know what account AWS puts their key in so we use not_resources to grant access to all
 # accounts except for ours
- statement {
- effect = "Allow"
- actions = [
- "kms:Decrypt",
- "kms:DescribeKey",
- "kms:GenerateDataKey*",
- "kms:Encrypt"
- ]
- not_resources = [
- "arn:${data.aws_partition.current.id}:kms:*:${data.aws_caller_identity.current.account_id}:key/*"
- ]
- condition {
- test = "StringLike"
- variable = "kms:ViaService"
+ dynamic "statement" {
+ for_each = var.kms_key != null ? [] : [1]
+ content {
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt"
+ ]
+ not_resources = [
+ "arn:${data.aws_partition.current.id}:kms:*:${data.aws_caller_identity.current.account_id}:key/*"
+ ]
+ condition {
+ test = "StringLike"
+ variable = "kms:ViaService"
+
+ values = [
+ "sqs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
+ }
+ }
- values = [
- "sqs.${data.aws_region.current.name}.amazonaws.com"
+ dynamic "statement" {
+ for_each = var.kms_key != null ? [1] : []
+ content {
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt"
+ ]
+ resources = [
+ var.kms_key
 ]
+ condition {
+ test = "StringLike"
+ variable = "kms:ViaService"
+
+ values = [
+ "sqs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
 }
 }
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 2038c8e..a0c8c66 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
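Review bot: The second dynamic statement passes `var.kms_key` straight into `resources`, and an IAM Resource element only matches a KMS key by its full ARN; if the variable's declaration (outside this diff) also admits a bare key ID or alias name, the grant never matches and the environment cannot use the key. Either add a `validation` block on the variable that requires an `arn:` prefix, or state the ARN requirement in its description. Both branches also repeat the same `actions` list and `kms:ViaService` condition, which could be lifted into a `locals` value so the two grants cannot drift apart. The comment block above the hunk now describes only the AWS-managed-key branch; the customer-managed branch deserves its own line, e.g. `# customer-managed key supplied: grant only that key, still restricted to use via SQS`. The enclosing `data "aws_iam_policy_document" "mwaa"` block starts before this hunk.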
@@ -25,7 +25,16 @@ resource "aws_s3_bucket" "this" {
 tags = var.tags
 }
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/main.tf b/main.tf
index 1d650b5..f989653 100644
--- a/main.tf
+++ b/main.tf
@@ -61,7 +61,8 @@ resource "aws_mwaa_environment" "mwaa" {
 lifecycle {
 ignore_changes = [
 plugins_s3_object_version,
- requirements_s3_object_version
+ requirements_s3_object_version,
+ startup_script_s3_object_version
 ]
 }
 }
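Review bot: The added `aws_s3_bucket_ownership_controls` appears to exist only so the `private` ACL on `aws_s3_bucket_acl.this` can still be applied, yet `private` is already the bucket's default, so the example could instead drop the ACL resource and leave ACLs disabled, which is the posture the README hunk suggests the module itself adopted by removing `aws_s3_bucket_acl.mwaa` from its resource list. Keeping ACLs enabled on an example bucket is a weaker default than readers will copy without noticing. If the ACL is kept deliberately, a one-line comment above the ownership-controls resource would make the dependency visible, e.g. `# ACLs are disabled on new buckets by default; ownership controls re-enable them for the ACL below`.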
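Review bot: The new `startup_script_s3_object_version` entry in `ignore_changes` has no comment explaining it, and its effect is that Terraform will never re-point the environment at a newer startup script once one is uploaded, so any change to that script has to be rolled out through some other path; presumably that mirrors how the plugins and requirements versions are already handled. A short comment above the list, e.g. `# S3 object versions are advanced outside Terraform; not tracking them keeps plans clean`, would record the intent for whoever next touches the lifecycle block.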