diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
index 272a1c465..cccb1664e 100644
--- a/infrastructure/modules/api_gateway/cloudwatch.tf
+++ b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -1,3 +1,13 @@
+resource "null_resource" "kms_policy_propagation_delay" {
+ depends_on = [
+ aws_kms_key.api_gateway
+ ]
+
+ provisioner "local-exec" {
+ command = "sleep 15" # 15 seconds delay
+ }
+}
+
 resource "aws_cloudwatch_log_group" "api_gateway" {
 name = "/aws/apigateway/${var.workspace}-${var.api_gateway_name}"
 retention_in_days = 365
@@ -7,4 +17,9 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
 lifecycle {
 prevent_destroy = false
 }
+
+ depends_on = [
+ null_resource.kms_policy_propagation_delay
+ ]
+
 }
diff --git a/infrastructure/modules/kinesis_firehose/outputs.tf b/infrastructure/modules/kinesis_firehose/outputs.tf
index d457b669a..1b288941a 100644
--- a/infrastructure/modules/kinesis_firehose/outputs.tf
+++ b/infrastructure/modules/kinesis_firehose/outputs.tf
@@ -5,3 +5,8 @@ output "firehose_stream_name" {
 output "kinesis_firehose_cmk_arn" {
 value = aws_kms_key.firehose_cmk.arn
 }
+
+output "kinesis_firehose_cmk" {
+ value = aws_kms_key.firehose_cmk
+}
+
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
index babe1753f..1e962c488 100644
--- a/infrastructure/stacks/api-layer/cloudwatch.tf
+++ b/infrastructure/stacks/api-layer/cloudwatch.tf
@@ -10,6 +10,16 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {
 }
 }
+resource "null_resource" "kms_policy_propagation_delay" {
+ depends_on = [
+ module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk,
+ ]
+
+ provisioner "local-exec" {
+ command = "sleep 15" # 15 seconds delay
+ }
+}
+
 resource "aws_cloudwatch_log_group" "firehose_audit" {
 name = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
 retention_in_days = 365
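Review bot: `null_resource.kms_policy_propagation_delay` has no `triggers`, so the `sleep 15` in its `local-exec` provisioner runs only when the resource is first created; if `aws_kms_key.api_gateway` is later replaced, the null_resource is left untouched, the delay does not run, and `aws_cloudwatch_log_group.api_gateway` can hit the same propagation failure the sleep is meant to avoid. Adding `triggers = { key_arn = aws_kms_key.api_gateway.arn }` makes the delay re-run whenever the key changes and makes the explicit `depends_on` on the key unnecessary. The fixed 15 s is a guess at KMS key-policy propagation time, and `local-exec` ties the module to a POSIX `sleep` on whatever host runs apply; a `time_sleep` resource with `create_duration = "15s"` from the `hashicorp/time` provider expresses the same wait without shelling out, at the cost of one extra entry in `required_providers`. The inline comment `# 15 seconds delay` restates the command; a why-comment such as `# wait for the CMK key policy to propagate before the log group references the key` would be more useful. The same pattern, with the same omissions, is added to `infrastructure/stacks/api-layer/cloudwatch.tf` in this commit.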
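Review bot: `output "kinesis_firehose_cmk"` exports the whole `aws_kms_key.firehose_cmk` object, so every attribute of the key, its policy document included, becomes part of the module's interface, is recorded in the calling stack's state alongside the module, and any change to any attribute of the key now propagates to every caller that reads the output. The only consumer in this commit is the `depends_on` list in `infrastructure/stacks/api-layer/cloudwatch.tf`, which previously referenced the existing `kinesis_firehose_cmk_arn` output for the same ordering purpose, so the new output appears to add surface without adding a capability. If it stays, give it a `description` stating what callers may rely on, e.g. `description = "Whole aws_kms_key resource for the Firehose CMK; prefer kinesis_firehose_cmk_arn when only the ARN is needed"`.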
@@ -21,7 +31,8 @@ resource "aws_cloudwatch_log_group" "firehose_audit" {
 }
 depends_on = [
- module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn
+ module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk,
+ null_resource.kms_policy_propagation_delay
 ]
 }
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
index 48cd73a73..b36f39e68 100644
--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -15,21 +15,21 @@ resource "aws_s3_bucket_policy" "truststore" {
 data "aws_iam_policy_document" "truststore_api_gateway" {
 # Deny non-SSL
 statement {
- sid = "AllowSslRequestsOnly"
+ sid = "AllowSslRequestsOnly"
 actions = ["s3:*"]
- effect = "Deny"
+ effect = "Deny"
 resources = [
 module.s3_truststore_bucket.storage_bucket_arn,
 "${module.s3_truststore_bucket.storage_bucket_arn}/*"
 ]
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 condition {
 test = "Bool"
 variable = "aws:SecureTransport"
- values = ["false"]
+ values = ["false"]
 }
 }
 statement {
@@ -37,7 +37,7 @@ data "aws_iam_policy_document" "truststore_api_gateway" {
 effect = "Allow"
 principals {
- type = "Service"
+ type = "Service"
 identifiers = ["apigateway.amazonaws.com"]
 }
@@ -59,6 +59,13 @@ resource "aws_s3_object" "pem_file" {
 # Explicitly set empty tags to override default_tags due to S3 object 10-tag limit
 tags = {}
+ override_provider {
+ default_tags {
+ tags = {}
+ }
+ }
+
 lifecycle {
 ignore_changes = [tags_all]
 }
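Review bot: The new `depends_on` lists both `module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk` and `null_resource.kms_policy_propagation_delay`, but the null_resource introduced earlier in this file already depends on that same module output, so the first entry is implied by the second and the intended chain (CMK → wait → log group) reads more clearly as `depends_on = [null_resource.kms_policy_propagation_delay]`. If the log group also sets `kms_key_id` from the module's `kinesis_firehose_cmk_arn` output, which would be outside this hunk, that reference already carries the dependency on the module output, leaving only the delay resource to be listed explicitly. The enclosing `aws_cloudwatch_log_group.firehose_audit` block starts outside the hunk.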
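Review bot: With `override_provider { default_tags { tags = {} } }` now the mechanism that keeps provider default tags off `aws_s3_object.pem_file`, the comment `# Explicitly set empty tags to override default_tags due to S3 object 10-tag limit` above `tags = {}` describes the old workaround, and `lifecycle { ignore_changes = [tags_all] }` keeps hiding any tag drift on the truststore object even though the default-tag conflict it was papering over should be gone. I would move the explanation onto the new block, `# Suppress provider default_tags for this object: S3 objects allow at most 10 tags`, and drop `ignore_changes = [tags_all]` after confirming with a plan that `tags_all` is stable, so unexpected tag changes on the API Gateway truststore object surface instead of being ignored. `override_provider` on `aws_s3_object` needs a recent AWS provider; the `required_providers` constraint is not in this diff, so check it admits only versions that support the block. The resource's opening line is outside the hunk.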