diff --git a/README.md b/README.md index 9a4b244..98914af 100644 --- a/README.md +++ b/README.md @@ -29,12 +29,17 @@ module "mwaa" { environment_class = "mw1.medium" vpc_id = "" - private_subnet_ids = ["",""] + private_subnet_ids = ["",""] min_workers = 1 max_workers = 25 webserver_access_mode = "PUBLIC_ONLY" # Default PRIVATE_ONLY for production environments + input_iam_role_additional_policies = { + "additional-policy-1" = "" + "additional-policy-2" = "" + } + logging_configuration = { dag_processing_logs = { enabled = true @@ -134,7 +139,7 @@ No modules. | [environment\_class](#input\_environment\_class) | (Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large.
Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes. | `string` | `"mw1.small"` | no |
 | [execution\_role\_arn](#input\_execution\_role\_arn) | (Required) The Amazon Resource Name (ARN) of the task execution role that the Amazon MWAA and its environment can assume
Mandatory if `create_iam_role=false` | `string` | `null` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | IAM role Force detach policies | `bool` | `false` | no |
-| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | A map of additional policy ARNs to be added to the IAM role, with an arbitary key name | `map(string)` | `{}` | no |
 | [iam\_role\_name](#input\_iam\_role\_name) | IAM Role Name to be created if execution\_role\_arn is null | `string` | `null` | no |
 | [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `"/"` | no |
 | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | IAM role Permission boundary | `string` | `null` | no |
diff --git a/locals.tf b/locals.tf
index e6cb7f8..b869920 100644
--- a/locals.tf
+++ b/locals.tf
@@ -11,5 +11,5 @@ locals {
 airflow_configuration_options = merge(local.default_airflow_configuration_options, var.airflow_configuration_options)
- iam_role_additional_policies = { for k, v in toset(concat([var.iam_role_additional_policies])) : k => v if var.execution_role_arn != null }
+ iam_role_additional_policies = { for k, v in var.iam_role_additional_policies : k => v if var.create_iam_role }
 }
diff --git a/main.tf b/main.tf
index c0f3c49..1d650b5 100644
--- a/main.tf
+++ b/main.tf
@@ -93,7 +93,7 @@ resource "aws_iam_role_policy" "mwaa" {
 resource "aws_iam_role_policy_attachment" "mwaa" {
 for_each = local.iam_role_additional_policies
- policy_arn = each.key
+ policy_arn = each.value
 role = aws_iam_role.mwaa[0].id
 }
diff --git a/variables.tf b/variables.tf
index 80ed7fc..2d3ac3f 100644
--- a/variables.tf
+++ b/variables.tf
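Review bot: With the new `if var.create_iam_role` filter, a caller that sets `create_iam_role = false` and still passes entries in `iam_role_additional_policies` has every entry silently dropped, with no plan-time diagnostic that the policies were never attached to the externally supplied role. Restricting attachments to the module-created role is reasonable, but the mismatch should fail loudly rather than vanish: add a `lifecycle { precondition { condition = var.create_iam_role || length(var.iam_role_additional_policies) == 0 ... } }` on the environment resource (or a `check` block, since a precondition on the zero-instance attachment never runs), and state in the variable description that the map is ignored unless `create_iam_role` is true. The enclosing `locals` block begins before this hunk.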
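Review bot: The attachment now binds any string supplied as a value of `iam_role_additional_policies` to the module-created role with no check on its shape, so a policy name instead of an ARN only fails at apply time, and an over-broad managed policy such as AdministratorAccess is attached without comment next to the inline policy defined in the `aws_iam_role_policy` above. A `validation` block on the variable checking `can(regex("^arn:[^:]+:iam::(aws|[0-9]{12}):policy/", v))` for every value catches the format error at plan time; which policies are acceptable remains a caller decision, but a one-line comment here would help: `# Caller-supplied managed policies; the inline policy above already grants MWAA's baseline, so keep these to least privilege.`. Using the map keys as `for_each` keys is the right shape since the ARN values may be computed while keys stay known at plan time, which is worth documenting on the variable. The `[0]` index implies the role is created conditionally, presumably on `create_iam_role`; the role definition is outside this hunk.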
@@ -171,8 +171,8 @@ variable "force_detach_policies" {
 variable "iam_role_additional_policies" {
 description = "Additional policies to be added to the IAM role"
- type = list(string)
- default = []
+ type = map(string)
+ default = {}
 }
 variable "iam_role_path" {
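Review bot: The `description` is left as "Additional policies to be added to the IAM role" while the type becomes `map(string)`, so the variable itself never says that keys are arbitrary static names and values must be policy ARNs; the README table row in this commit says so, but the table appears to be terraform-docs output and will be regenerated from this description. The variable also accepts any string, so a `validation` on the values would reject a policy name or malformed ARN at plan time rather than at apply and document the expected shape. Separately, the README usage example added in this commit calls the argument `input_iam_role_additional_policies`, which does not match this variable's name and would be rejected as an unexpected argument to the module. Suggested definition:
```hcl
variable "iam_role_additional_policies" {
  description = "Map of additional IAM policy ARNs to attach to the IAM role created by this module. Keys are arbitrary static names (used as resource addresses, so they must be known at plan time); values are policy ARNs. Ignored when create_iam_role is false."
  type        = map(string)
  default     = {}

  validation {
    condition = alltrue([
      for arn in values(var.iam_role_additional_policies) :
      can(regex("^arn:[^:]+:iam::(aws|[0-9]{12}):policy/", arn))
    ])
    error_message = "Every value of iam_role_additional_policies must be an IAM policy ARN (arn:<partition>:iam::<aws|account-id>:policy/...)."
  }
}
```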