diff --git a/main.tf b/main.tf
index 9b6262f..6bcfd1e 100755
--- a/main.tf
+++ b/main.tf
@@ -4,8 +4,9 @@ locals {
 auth_service_enabled = local.enabled && var.auth_service_config.enabled
 urlrewrite_service_enabled = local.enabled && var.urlrewrite_service_config.enabled
- aws_account_id = try(coalesce(var.aws_account_id, data.aws_caller_identity.current[0].account_id), "") # tflint-ignore: terraform_unused_declarations
- aws_region_name = try(coalesce(var.aws_region_name, data.aws_region.current[0].name), "")
+ aws_account_id = one(data.aws_caller_identity.current.*.account_id)
+ aws_region_name = one(data.aws_region.current.*.region)
+ aws_partition = one(data.aws_partition.current.*.partition)
 service_config = {
 rewrite_url = {
@@ -74,6 +75,10 @@ locals {
 result := []
 EOF
 )
+
+ iam_role_attachments = toset(module.this.enabled ? [
+ "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ] : [])
 }
 data "aws_caller_identity" "current" {
@@ -84,6 +89,10 @@ data "aws_region" "current" {
 count = module.this.enabled && var.aws_region_name == "" ? 1 : 0
 }
+data "aws_partition" "current" {
+ count = module.this.enabled ? 1 : 0
+}
+
 # ====================================================== middleware-services ===
 module "mw_service_label" {
@@ -134,10 +143,6 @@ resource "aws_iam_role" "this" {
 }]
 })
- managed_policy_arns = [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
- ]
-
 tags = module.mw_service_label.tags
 lifecycle {
@@ -145,6 +150,13 @@ resource "aws_iam_role" "this" {
 }
 }
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = local.iam_role_attachments
+
+ role = aws_iam_role.this[0].name
+ policy_arn = each.key
+}
+
 # ============================================================ auth-services ===
 module "mw_auth_service_label" {
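Review bot: The rewritten `aws_region_name` local in the first hunk drops the `var.aws_region_name` override that the old `coalesce` consulted, and because `data.aws_region.current` is declared with `count = module.this.enabled && var.aws_region_name == "" ? 1 : 0`, `one(data.aws_region.current.*.region)` evaluates to null exactly when a caller sets the variable; `aws_account_id` has the same shape if its data source (whose `count` line is outside the hunk) is gated on `var.aws_account_id` the same way. Keeping the override while still using `one()`: `aws_region_name = try(coalesce(var.aws_region_name, one(data.aws_region.current.*.region)), "")`, and likewise for `aws_account_id`. The `.region` attribute of the `aws_region` data source only exists in newer AWS provider releases (older ones expose `name`), so the module's provider version constraint should be checked against it, and the dropped `# tflint-ignore: terraform_unused_declarations` marker will resurface the lint warning if `aws_account_id` is still unreferenced.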
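Review bot: The new `aws_iam_role_policy_attachment.this` in the last hunk takes over the AWSLambdaBasicExecutionRole attachment that `managed_policy_arns` used to own, but the change carries no upgrade step for roles that already exist: after the argument is removed the attachment stays on the role and the new resource then attaches the same ARN. AttachRolePolicy is idempotent as far as I know, so a plan/apply should converge, but that deserves a check against an existing environment and a line in the changelog or README; if the provider in use instead detaches policies when `managed_policy_arns` disappears from config, there is a window in which the Lambda role has no execution policy between the two steps. The `for_each` key is the full partition-qualified ARN, so each attachment's state address embeds the partition string and a change of partition replaces the attachment rather than updating it. The enclosing `aws_iam_role.this` block and its `lifecycle` body start outside this hunk.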