diff --git a/iam/clouds/aws/CloudGovernanceInfra/README.md b/iam/clouds/aws/CloudGovernanceInfra/README.md
new file mode 100644
index 000000000..0c251cf89
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/README.md
@@ -0,0 +1,41 @@
+## Create CloudGovernance Infra in the cloud
+
+#### Requirements
+
+- IAM User: to access cloud resources.
+- IAM Policy: Least privilege principle
+- S3-Bucket: To store the logs of cloud-governance policy runs.
+
+### Pre-requisites
+
+- Install [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli).
+- Configure IAM Access credentials. (Admin Privileges/ Required Permissions to create/delete an user/policy/bucket)
+
+Steps to create Cloud Governance Infra resources:
+
+- Download tar `CloudGovernanceInfra.tar` and untar the file.
+
+```shell
+curl -L https://github.com/redhat-performance/cloud-governance/raw/main/iam/clouds/aws/CloudGovernanceInfra.tar | tar -xzvf -
+```
+
+- Create CloudGovernance Infra: User, Policy and Bucket
+
+```shell
+terraform init
+terraform apply -var=IAM_USERNAME="cloud-governance-user" -var=IAM_POLICY_NAME="CloudGovernanceReadPolicy" -var =S3_BUCKET_NAME="${ACCOUNT_NAME}-cloud-governance"
+```
+
+- To provide ACCESS_KEY_ID and SECRET_KEY_ID run below commnd
+
+```shell
+  terraform output SECRET_KEY_ID
+  terraform output ACCESS_KEY_ID
+
+```
+
+- Destroy CloudGovernanceInfra
+
+```shell
+terraform destroy -var=IAM_USERNAME="cloud-governance-user" -var=IAM_POLICY_NAME="CloudGovernanceReadPolicy" -var =S3_BUCKET_NAME="${ACCOUNT_NAME}-cloud-governance"
+```
diff --git a/iam/clouds/aws/CloudGovernanceDeletePolicy.json b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceDeletePolicy.json
similarity index 84%
rename from iam/clouds/aws/CloudGovernanceDeletePolicy.json
rename to iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceDeletePolicy.json
index f2fa18701..98cc39a8d 100644
--- a/iam/clouds/aws/CloudGovernanceDeletePolicy.json
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceDeletePolicy.json
@@ -6,7 +6,13 @@
       "Effect": "Allow",
       "Action": [
         "ce:GetCostAndUsage",
-        "ce:GetCostForecast"
+        "ce:GetCostForecast",
+        "tag:GetResources",
+        "tag:TagResources",
+        "support:DescribeTrustedAdvisorCheckResult",
+        "support:DescribeTrustedAdvisorChecks",
+        "resource-explorer-2:ListViews",
+        "resource-explorer-2:Search"
       ],
       "Resource": "*"
     },
@@ -39,52 +45,49 @@
       "Sid": "EC2ResourceLevel",
       "Effect": "Allow",
       "Action": [
-        "ec2:DeregisterImage",
-        "ec2:DeleteSubnet",
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeLaunchConfigurations",
+        "ec2:AssociateDhcpOptions",
+        "ec2:DeleteDhcpOptions",
+        "ec2:DeleteInternetGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DeleteNetworkAcl",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteSecurityGroup",
         "ec2:DeleteSnapshot",
-        "ec2:DescribeAddresses",
-        "ec2:DescribeInstances",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteVolume",
+        "ec2:DeleteVpc",
         "ec2:DeleteVpcEndpoints",
         "ec2:DeleteVpcPeeringConnection",
-        "autoscaling:DescribeLaunchConfigurations",
-        "ec2:DescribeRegions",
-        "ec2:CreateImage",
-        "ec2:CreateVpc",
+        "ec2:DeregisterImage",
+        "ec2:DescribeAddresses",
         "ec2:DescribeDhcpOptions",
-        "ec2:DescribeSnapshots",
-        "ec2:DeleteRouteTable",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstances",
         "ec2:DescribeInternetGateways",
-        "ec2:DeleteVolume",
-        "ec2:DescribeNetworkInterfaces",
-        "autoscaling:DescribeAutoScalingGroups",
-        "ec2:DescribeVolumes",
-        "ec2:DeleteInternetGateway",
+        "ec2:DescribeNatGateways",
         "ec2:DescribeNetworkAcls",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
         "ec2:DescribeRouteTables",
-        "ec2:DeleteNetworkAcl",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateDhcpOptions",
-        "ec2:TerminateInstances",
-        "ec2:DetachNetworkInterface",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
         "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeVpcEndpoints",
         "ec2:DescribeVpcPeeringConnections",
-        "ec2:ModifyNetworkInterfaceAttribute",
-        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeVpcs",
         "ec2:DetachInternetGateway",
-        "ec2:DescribeNatGateways",
-        "ec2:StopInstances",
+        "ec2:DetachNetworkInterface",
         "ec2:DisassociateRouteTable",
-        "ec2:DescribeSecurityGroups",
-        "ec2:RevokeSecurityGroupIngress",
-        "ec2:DescribeImages",
-        "ec2:DescribeVpcs",
-        "ec2:DeleteSecurityGroup",
-        "ec2:DescribeInstanceTypes",
-        "ec2:DeleteDhcpOptions",
-        "ec2:DeleteNatGateway",
-        "ec2:DescribeVpcEndpoints",
-        "ec2:DeleteVpc",
-        "ec2:DescribeSubnets"
+        "ec2:ModifyNetworkInterfaceAttribute",
+        "ec2:ReleaseAddress",
+        "ec2:RevokeSecurityGroupIngress"
       ],
       "Resource": "*"
     },
@@ -95,7 +98,8 @@
         "elasticloadbalancing:DeleteLoadBalancer",
         "elasticloadbalancing:DescribeTags",
         "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:DescribeLoadBalancers"
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:RemoveTags"
       ],
       "Resource": "*"
     },
@@ -103,32 +107,28 @@
       "Sid": "IAM",
       "Effect": "Allow",
       "Action": [
-        "iam:GetRole",
-        "iam:DeleteAccessKey",
-        "iam:DeleteGroup",
-        "iam:TagRole",
+        "iam:DeleteInstanceProfile",
+        "iam:DeletePolicy",
+        "iam:DeleteRole",
+        "iam:DeleteRolePolicy",
         "iam:DeleteUserPolicy",
-        "iam:ListRoles",
-        "iam:DeleteUser",
-        "iam:ListUserPolicies",
-        "iam:CreateUser",
-        "iam:TagUser",
-        "sts:AssumeRole",
-        "iam:RemoveUserFromGroup",
-        "iam:GetUserPolicy",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListUsers",
+        "iam:DetachRolePolicy",
+        "iam:GetRole",
         "iam:GetUser",
+        "iam:GetUserPolicy",
         "iam:ListAccessKeys",
-        "iam:ListRolePolicies",
         "iam:ListAccountAliases",
-        "iam:DeleteRole",
-        "iam:DetachRolePolicy",
-        "iam:DeletePolicy",
-        "iam:DeleteRolePolicy",
+        "iam:ListAttachedRolePolicies",
         "iam:ListInstanceProfilesForRole",
+        "iam:ListRolePolicies",
+        "iam:ListRoles",
+        "iam:ListUserPolicies",
+        "iam:ListUsers",
         "iam:RemoveRoleFromInstanceProfile",
-        "sts:GetCallerIdentity"
+        "iam:TagRole",
+        "iam:TagUser",
+        "iam:UntagRole",
+        "iam:UntagUser"
       ],
       "Resource": "*"
     },
@@ -142,17 +142,16 @@
       "Sid": "S3Bucket",
       "Effect": "Allow",
       "Action": [
-        "s3:PutObject",
+        "s3:DeleteBucket",
+        "s3:DeleteObject",
+        "s3:GetBucketLocation",
+        "s3:GetBucketTagging",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
+        "s3:PutObject",
         "s3:PutObjectTagging",
-        "s3:DeleteObject",
-        "s3:DeleteBucket",
-        "s3:putBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:GetBucketLocation"
+        "s3:putBucketTagging"
       ],
       "Resource": "*"
     },
@@ -173,6 +172,15 @@
         "cloudwatch:GetMetricData"
       ],
       "Resource": "*"
+    },
+    {
+      "Sid": "RDS",
+      "Effect": "Allow",
+      "Action": [
+        "rds:AddTagsToResource",
+        "rds:DescribeDBInstances"
+      ],
+      "Resource": "*"
     }
   ]
 }
diff --git a/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceInfra.tar b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceInfra.tar
new file mode 100644
index 000000000..004c4ce6e
Binary files /dev/null and b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceInfra.tar differ
diff --git a/iam/clouds/aws/CloudGovernanceReadPolicy.json b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceReadPolicy.json
similarity index 79%
rename from iam/clouds/aws/CloudGovernanceReadPolicy.json
rename to iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceReadPolicy.json
index a67c8b894..3b6e75c90 100644
--- a/iam/clouds/aws/CloudGovernanceReadPolicy.json
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/CloudGovernanceReadPolicy.json
@@ -6,7 +6,13 @@
       "Effect": "Allow",
       "Action": [
         "ce:GetCostAndUsage",
-        "ce:GetCostForecast"
+        "ce:GetCostForecast",
+        "tag:GetResources",
+        "tag:TagResources",
+        "support:DescribeTrustedAdvisorCheckResult",
+        "support:DescribeTrustedAdvisorChecks",
+        "resource-explorer-2:ListViews",
+        "resource-explorer-2:Search"
       ],
       "Resource": "*"
     },
@@ -14,6 +20,7 @@
       "Sid": "EC2AccountLevel",
       "Effect": "Allow",
       "Action": [
+        "ec2:DeleteTags",
         "ec2:CreateTags"
       ],
       "Resource": [
@@ -38,29 +45,28 @@
       "Sid": "EC2ResourceLevel",
       "Effect": "Allow",
       "Action": [
-        "ec2:DescribeAddresses",
-        "ec2:DescribeInstances",
+        "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribeLaunchConfigurations",
-        "ec2:DescribeRegions",
+        "ec2:DescribeAddresses",
         "ec2:DescribeDhcpOptions",
-        "ec2:DescribeSnapshots",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInstances",
         "ec2:DescribeInternetGateways",
-        "ec2:DescribeNetworkInterfaces",
-        "autoscaling:DescribeAutoScalingGroups",
-        "ec2:DescribeVolumes",
+        "ec2:DescribeNatGateways",
         "ec2:DescribeNetworkAcls",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRegions",
+        "ec2:DescribeReservedInstances",
         "ec2:DescribeRouteTables",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateDhcpOptions",
-        "ec2:DescribeTags",
-        "ec2:DescribeVpcPeeringConnections",
-        "ec2:DescribeNatGateways",
         "ec2:DescribeSecurityGroups",
-        "ec2:DescribeImages",
-        "ec2:DescribeVpcs",
-        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
         "ec2:DescribeVpcEndpoints",
-        "ec2:DescribeSubnets"
+        "ec2:DescribeVpcPeeringConnections",
+        "ec2:DescribeVpcs"
       ],
       "Resource": "*"
     },
@@ -70,7 +76,8 @@
       "Action": [
         "elasticloadbalancing:DescribeTags",
         "elasticloadbalancing:AddTags",
-        "elasticloadbalancing:DescribeLoadBalancers"
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:RemoveTags"
       ],
       "Resource": "*"
     },
@@ -79,20 +86,20 @@
       "Effect": "Allow",
       "Action": [
         "iam:GetRole",
-        "iam:TagRole",
-        "iam:ListRoles",
-        "iam:ListUserPolicies",
-        "iam:CreateUser",
-        "iam:TagUser",
-        "iam:GetUserPolicy",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListUsers",
         "iam:GetUser",
+        "iam:GetUserPolicy",
         "iam:ListAccessKeys",
-        "iam:ListRolePolicies",
         "iam:ListAccountAliases",
+        "iam:ListAttachedRolePolicies",
         "iam:ListInstanceProfilesForRole",
-        "sts:GetCallerIdentity"
+        "iam:ListRolePolicies",
+        "iam:ListRoles",
+        "iam:ListUserPolicies",
+        "iam:ListUsers",
+        "iam:TagRole",
+        "iam:TagUser",
+        "iam:UntagRole",
+        "iam:UntagUser"
       ],
       "Resource": "*"
     },
@@ -106,15 +113,14 @@
       "Sid": "S3Bucket",
       "Effect": "Allow",
       "Action": [
-        "s3:PutObject",
+        "s3:GetBucketLocation",
+        "s3:GetBucketTagging",
         "s3:GetObject",
         "s3:ListAllMyBuckets",
-        "s3:CreateBucket",
         "s3:ListBucket",
+        "s3:PutObject",
         "s3:PutObjectTagging",
-        "s3:putBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:GetBucketLocation"
+        "s3:putBucketTagging"
       ],
       "Resource": "*"
     },
@@ -131,8 +137,17 @@
       "Sid": "CloudWatch",
       "Effect": "Allow",
       "Action": [
-        "cloudwatch:GetMetricData",
-        "cloudwatch:GetMetricStatistics"
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:GetMetricData"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "RDS",
+      "Effect": "Allow",
+      "Action": [
+        "rds:AddTagsToResource",
+        "rds:DescribeDBInstances"
       ],
       "Resource": "*"
     }
diff --git a/iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf b/iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf
new file mode 100644
index 000000000..5cfb4a81b
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/main.tf
@@ -0,0 +1,39 @@
+provider "aws" {
+  region = var.AWS_DEFAULT_REGION
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "null_resource" "modify_file" {
+  provisioner "local-exec" {
+    command = <<EOT
+      sed -i "" -e "s/account_id/${data.aws_caller_identity.current.account_id}/g" "./${var.IAM_POLICY_NAME}.json"
+    EOT
+  }
+}
+
+resource "aws_iam_user" "cloud-governance-user" {
+  name = var.IAM_USERNAME
+}
+
+resource "aws_iam_policy" "cloud-governance-user-policy" {
+  name       = var.IAM_POLICY_NAME
+  depends_on = [null_resource.modify_file]
+  policy     = file("./${var.IAM_POLICY_NAME}.json")
+  path       = "/"
+}
+
+resource "aws_iam_user_policy_attachment" "user_policy_attach" {
+  user       = aws_iam_user.cloud-governance-user.name
+  policy_arn = aws_iam_policy.cloud-governance-user-policy.arn
+}
+
+resource "aws_s3_bucket" "cloud-governance-bucket" {
+  count  = var.S3_BUCKET_NAME != "" ? 1 : 0
+  bucket = var.S3_BUCKET_NAME
+}
+
+
+resource "aws_iam_access_key" "cloud-governance-access-key" {
+  user = aws_iam_user.cloud-governance-user.name
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/terraform/output.tf b/iam/clouds/aws/CloudGovernanceInfra/terraform/output.tf
new file mode 100644
index 000000000..f135e3ffc
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/output.tf
@@ -0,0 +1,8 @@
+output "ACCESS_KEY_ID" {
+  value = aws_iam_access_key.cloud-governance-access-key.id
+}
+
+output "SECRET_KEY_ID" {
+  value     = aws_iam_access_key.cloud-governance-access-key.secret
+  sensitive = true
+}
diff --git a/iam/clouds/aws/CloudGovernanceInfra/terraform/variable.tf b/iam/clouds/aws/CloudGovernanceInfra/terraform/variable.tf
new file mode 100644
index 000000000..03c8cd940
--- /dev/null
+++ b/iam/clouds/aws/CloudGovernanceInfra/terraform/variable.tf
@@ -0,0 +1,29 @@
+variable "IAM_USERNAME" {
+  type        = string
+  description = "IAM User to run the CloudGovernance"
+  validation {
+    condition     = var.IAM_USERNAME != ""
+    error_message = "Provide the IAM_USERNAME"
+  }
+}
+
+variable "IAM_POLICY_NAME" {
+  type        = string
+  description = "IAM Policy to se the permissions for CloudGovernance user"
+  default     = "CloudGovernanceReadPolicy"
+  validation {
+    condition     = var.IAM_POLICY_NAME == "CloudGovernanceReadPolicy" || var.IAM_POLICY_NAME == "CloudGovernanceDeletePolicy"
+    error_message = "Mismatched policy name, Supported Values: CloudGovernanceReadPolicy, CloudGovernanceDeletePolicy"
+  }
+}
+
+variable "S3_BUCKET_NAME" {
+  type        = string
+  description = "S3 BucketName to store logs"
+}
+
+variable "AWS_DEFAULT_REGION" {
+  type        = string
+  description = "AWS Region default to us-east-2"
+  default     = "us-east-2"
+}
diff --git a/jenkins/tenant/aws/README.md b/jenkins/tenant/aws/README.md
index afcae3a85..eb58efbbf 100644
--- a/jenkins/tenant/aws/README.md
+++ b/jenkins/tenant/aws/README.md
@@ -1,12 +1,14 @@
 # How to run cloud-governance on Tenant Accounts
 
 Steps
-1. Create AWS User and attach user by [CloudGovernanceDeletePolicy.json](../../../iam/clouds/aws/CloudGovernanceDeletePolicy.json). [ Note: Replace account_id with actual account id]
-2. Create S3 bucket
-3. Add kind secret-text to jenkins with below naming conventions
-   1. ${account_name}-aws-access-key-id
-   2. ${account_name}-aws-secret-key-id
-   3. ${account_name}-s3-bucket
-4. Create folder named that you want to run the cloud-governance policies and copy the file in templates.
-5. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily) and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly).
-6. Create two Jenkins jobs by using this two Jenkinsfile
+
+1. Create IAM User with Read/Delete Permissions and create S3 bucket.
+    1. Follow the instructions [README.md](..%2F..%2F..%2Fiam%2Fclouds%2Faws%2FCloudGovernanceInfra%2FREADME.md).
+2. Add kind secret-text to jenkins with below naming conventions
+    1. ${account_name}-aws-access-key-id
+    2. ${account_name}-aws-secret-key-id
+    3. ${account_name}-s3-bucket
+3. Create folder named that you want to run the cloud-governance policies and copy the file in templates.
+4. Add account_name to account variable in this [PolicyJenkinsfileDaily](../aws/template/PolicyJenkinsfileDaily)
+   and [TaggingJenkinsfileHourly](../aws/template/TaggingJenkinsfileHourly).
+5. Create two Jenkins jobs by using this two Jenkinsfile