diff --git a/src/template.yml b/src/template.yml
index bbd852a90..083f0e4e0 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -923,15 +923,20 @@ Resources:
 - "organizations:DescribeOrganizationalUnit"
 - "organizations:ListParents"
 - "cloudformation:*"
- - "iam:GetRole"
- - "iam:PassRole"
- - "iam:CreateRole"
- - "iam:PutRolePolicy"
 - "organizations:DescribeOrganization"
 - "organizations:DescribeAccount"
 - "ssm:*"
 - "states:StartExecution"
 Resource: "*"
+ - Effect: "Allow"
+ Action:
+ - "iam:CreateRole"
+ - "iam:GetRole"
+ - "iam:PutRolePolicy"
+ - "iam:TagRole"
+ Resource:
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}"
+ - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CrossAccountAccessRoleName}-readonly"
 - Effect: "Allow"
 Action: "s3:ListBucket"
 Resource: !GetAtt BootstrapTemplatesBucket.Arn
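Review bot: The new statement scopes `iam:CreateRole` and `iam:PutRolePolicy` to the two `${CrossAccountAccessRoleName}` ARNs, but nothing constrains what those roles may contain, so the principal can still create a role under either name with an arbitrary trust policy and an inline policy of any breadth; resource scoping alone does not close that path. Consider adding to the same statement a condition that forces a permissions boundary on both actions, e.g. `Condition:` / `StringEquals:` / `"iam:PermissionsBoundary": !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/<BOUNDARY_POLICY_NAME>"` (placeholder), and document in a comment above the statement which boundary policy is expected. `iam:PassRole` is dropped from the `Resource: "*"` statement and not re-added anywhere in the hunk; if the function still has to hand the created role to another service, it should come back scoped to these same ARNs rather than to `"*"`, and if the removal is intentional a one-line comment saying so would save the next reader a search. The enclosing policy document and the `CrossAccountAccessRoleName` parameter start outside the hunk, so whether the role name is validated (no path separators or wildcards) cannot be checked here.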