diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d4a85b6..dbfd75a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,13 +10,15 @@ repos:
- id: end-of-file-fixer
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.75.0
+ rev: v1.86.0
hooks:
- id: terraform_fmt
- id: terraform_tflint
- id: terraform_validate
exclude: '^[^/]+$'
- id: terraform_checkov
+ args:
+ - --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1
- id: terraform_docs
args:
- '--args=--config=.terraform-docs.yml'
diff --git a/README.md b/README.md
index 5e0f62d..1f90b5c 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
| [aws_backup_selection.tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_backup_vault.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_lock_configuration.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
+| [aws_backup_vault_lock_configuration.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
| [aws_backup_vault_policy.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_backup_vault_policy.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_caller_identity.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
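Review bot: The new `--args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1` line on the terraform_checkov hook suppresses those two checks for the whole repository, whereas every other suppression in this commit is an inline `#checkov:skip=` on the specific block. CKV_TF_1 is the check that flags module sources not pinned to a commit hash, so a repo-wide skip also silences it for any module block added later, and `--quiet` limits the output to failed checks, so the skips never show up in the hook output. Prefer scoping it to the offending block with a reason, e.g. `#checkov:skip=CKV_TF_1:<reason>` on the module source that triggers it, and likewise keep the workflow-permissions check CKV2_GHA_1 skipped only in the workflow file where it was reviewed. If both must stay global, a YAML comment above the args line naming why would at least make the exemption auditable.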
@@ -73,6 +75,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
+| [vault\_lock\_configuration](#input\_vault\_lock\_configuration) | Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode. |
object({
changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode
max_retention_days = optional(number, null)
min_retention_days = optional(number, null)
})
| `{}` | no |
+| [vault\_lock\_enabled](#input\_vault\_lock\_enabled) | Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties. | `bool` | `false` | no |
## Outputs
diff --git a/aws_backup.tf b/aws_backup.tf
index edb8761..02a2619 100644
--- a/aws_backup.tf
+++ b/aws_backup.tf
@@ -111,6 +111,14 @@ resource "aws_backup_selection" "tag" {
}
}
+resource "aws_backup_vault_lock_configuration" "source" {
+ count = var.enabled && var.vault_lock_enabled ? 1 : 0
+ backup_vault_name = module.source_label.id
+ changeable_for_days = var.vault_lock_configuration.changeable_for_days
+ max_retention_days = var.vault_lock_configuration.max_retention_days
+ min_retention_days = var.vault_lock_configuration.min_retention_days
+}
+
# Target vault
resource "aws_backup_vault" "target" {
count = var.enabled && var.is_cross_account_backup_enabled ? 1 : 0
@@ -127,3 +135,11 @@ resource "aws_backup_vault_policy" "target" {
backup_vault_name = aws_backup_vault.target[0].name
policy = data.aws_iam_policy_document.target_vault[0].json
}
+
+resource "aws_backup_vault_lock_configuration" "target" {
+ count = var.enabled && var.is_cross_account_backup_enabled && var.vault_lock_enabled ? 1 : 0
+ backup_vault_name = module.target_label.id
+ changeable_for_days = var.vault_lock_configuration.changeable_for_days
+ max_retention_days = var.vault_lock_configuration.max_retention_days
+ min_retention_days = var.vault_lock_configuration.min_retention_days
+}
diff --git a/iam.tf b/iam.tf
index 577841d..d95c48e 100644
--- a/iam.tf
+++ b/iam.tf
@@ -72,6 +72,7 @@ data "aws_iam_policy_document" "source_vault" {
actions = ["backup:CopyIntoBackupVault"]
#checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_111
resources = ["*"]
principals {
@@ -94,6 +95,7 @@ data "aws_iam_policy_document" "target_vault" {
actions = ["backup:CopyIntoBackupVault"]
#checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_111
resources = ["*"]
principals {
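Review bot: Both new `aws_backup_vault_lock_configuration` resources take `backup_vault_name` from `module.source_label.id` / `module.target_label.id` instead of from the vault resource, while the `aws_backup_vault_policy.target` context in the second hunk uses `aws_backup_vault.target[0].name`. Referencing the label gives Terraform no dependency edge between the lock and the vault, so on a fresh apply the lock can be attempted before the vault exists, and a vault whose name ever diverges from the label id would lock the wrong or a missing vault; `backup_vault_name = aws_backup_vault.source[0].name` and `backup_vault_name = aws_backup_vault.target[0].name` fix both, assuming the source vault resource is also indexed by `count` as the README resource list suggests. A comment above each resource is also warranted: once `changeable_for_days` has elapsed in compliance mode the lock cannot be removed, so setting `vault_lock_enabled` back to false will fail at destroy time rather than unlock the vault.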
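Review bot: The added `#checkov:skip=CKV_AWS_111` in both the `source_vault` and `target_vault` statements, and the four `#checkov:skip=CKV_AWS_356` lines added in kms.tf, carry no justification, so a reader cannot tell whether `resources = ["*"]` paired with `backup:CopyIntoBackupVault` or `kms:*` is the deliberate resource-policy pattern or an oversight. Checkov accepts a reason after a second colon; something like `#checkov:skip=CKV_AWS_111:resource-based vault policy, callers are limited by the principals block` here, and an equivalent note on the key-policy statements in kms.tf, keeps each exemption auditable. The pre-existing `#checkov:skip=CKV_AWS_109` lines directly above would benefit from the same treatment. The enclosing policy statements start and end outside these hunks.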
diff --git a/kms.tf b/kms.tf
index dae37f1..4dc22f3 100644
--- a/kms.tf
+++ b/kms.tf
@@ -48,6 +48,7 @@ data "aws_iam_policy_document" "kms_source_policy" {
actions = ["kms:*"]
#checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_356
resources = ["*"]
principals {
@@ -71,6 +72,7 @@ data "aws_iam_policy_document" "kms_source_policy" {
]
#checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_356
resources = ["*"]
principals {
@@ -92,6 +94,7 @@ data "aws_iam_policy_document" "kms_target_policy" {
actions = ["kms:*"]
#checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_356
resources = ["*"]
principals {
@@ -115,6 +118,7 @@ data "aws_iam_policy_document" "kms_target_policy" {
]
#checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_356
resources = ["*"]
principals {
diff --git a/variables.tf b/variables.tf
index 25fbb56..343f5ea 100644
--- a/variables.tf
+++ b/variables.tf
@@ -43,3 +43,19 @@ variable "backup_plans" {
}), null)
}))
}
+
+variable "vault_lock_enabled" {
+ type = bool
+ description = "Set to `true` to enable Vault Lock. Defaults to `false`. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties."
+ default = false
+}
+
+variable "vault_lock_configuration" {
+ type = object({
+ changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode
+ max_retention_days = optional(number, null)
+ min_retention_days = optional(number, null)
+ })
+ description = "Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode."
+ default = {}
+}
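Review bot: `vault_lock_configuration` accepts any numbers for `changeable_for_days`, `min_retention_days` and `max_retention_days` with no `validation` block, so swapped min/max values or a `changeable_for_days` below the AWS minimum of 3 days are only rejected at apply time, after the vault already exists. Because a compliance-mode lock becomes permanent once its cooling-off period ends, catching these at plan time is worth a few lines; the checks below wrap the comparisons in `try()` so that a null member (governance mode, or no retention bound) passes instead of failing on a null operand. The description could also state the bound explicitly, e.g. `If set, changeable_for_days must be at least 3 (the AWS cooling-off period).`
```hcl
variable "vault_lock_configuration" {
  # … unchanged: type, description, default …

  validation {
    condition     = try(var.vault_lock_configuration.changeable_for_days >= 3, true)
    error_message = "changeable_for_days must be null (governance mode) or at least 3."
  }

  validation {
    condition     = try(var.vault_lock_configuration.min_retention_days <= var.vault_lock_configuration.max_retention_days, true)
    error_message = "min_retention_days must not exceed max_retention_days."
  }
}
```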