diff --git a/infrastructure/core.tf b/infrastructure/core.tf
new file mode 100644
index 000000000..67238ad26
--- /dev/null
+++ b/infrastructure/core.tf
@@ -0,0 +1,14 @@
+# A set of resources that do not belong to one workspace but are shared across the environment.
+
+module "ssm_param_mtls_common_names" {
+ count = local.is_sandbox ? 0 : 1
+ source = "./modules/ssm_parameter"
+ environment = var.environment
+ owner = var.owner
+ name = "mtls_common_names"
+ type = "SecureString"
+ description = "A list of mtls common names that will be used to determine authorisation and resources."
+ value = "REPLACE_ME"
+ key_id = module.pdm_encryption_key.id
+ ignore_value_changes = true
+}
diff --git a/infrastructure/lambda-get-document-fhir.tf b/infrastructure/lambda-get-document-fhir.tf
index 7826123b5..67bab86e0 100644
--- a/infrastructure/lambda-get-document-fhir.tf
+++ b/infrastructure/lambda-get-document-fhir.tf
@@ -42,6 +42,7 @@ module "get-doc-fhir-lambda" {
 module.pdm_dynamodb_table.dynamodb_read_policy_document,
 module.core_dynamodb_table.dynamodb_read_policy_document,
 aws_iam_policy.ssm_access_policy.policy,
+ aws_iam_policy.mtls_access_ssm_policy.policy,
 module.ndr-lloyd-george-store.s3_read_policy_document,
 module.pdm-document-store.s3_read_policy_document,
 ]
diff --git a/infrastructure/lambda-post-document-fhir.tf b/infrastructure/lambda-post-document-fhir.tf
index 7048a2b07..a1bf5fed0 100644
--- a/infrastructure/lambda-post-document-fhir.tf
+++ b/infrastructure/lambda-post-document-fhir.tf
@@ -9,6 +9,7 @@ module "post-document-references-fhir-lambda" {
 module.core_dynamodb_table.dynamodb_write_policy_document,
 module.ndr-bulk-staging-store.s3_write_policy_document,
 module.ndr-app-config.app_config_policy,
+ aws_iam_policy.mtls_access_ssm_policy.policy,
 aws_iam_policy.ssm_access_policy.policy
 ]
 kms_deletion_window = var.kms_deletion_window
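Review bot: The authorisation allow-list in `ssm_param_mtls_common_names` is seeded with the placeholder `"REPLACE_ME"` and then `ignore_value_changes = true`, so Terraform will never flag an environment where the real list was not set out-of-band; whatever parses this value must fail closed on the placeholder or an empty list rather than treating it as allow-all. I would state that contract above the module block: `# Value is populated out-of-band after the first apply (ignore_value_changes); readers must reject "REPLACE_ME"/empty and fail closed.` The `count = local.is_sandbox ? 0 : 1` also means sandbox workspaces get no parameter at all while the KMS-decrypt policy added in policies.tf is attached unconditionally, so a lambda that reads `mtls_common_names` in sandbox will presumably get a ParameterNotFound at runtime — worth saying in the comment whether that is intended. The `description` says "a list" but not its encoding (comma-separated vs JSON array); pinning the format there keeps the stored value and the parser in agreement.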
diff --git a/infrastructure/lambda-search-document-references-fhir.tf b/infrastructure/lambda-search-document-references-fhir.tf
index 0ddc37b13..c55a36ce6 100644
--- a/infrastructure/lambda-search-document-references-fhir.tf
+++ b/infrastructure/lambda-search-document-references-fhir.tf
@@ -13,7 +13,9 @@ module "search-document-references-fhir-lambda" {
 module.core_dynamodb_table.dynamodb_write_policy_document,
 module.ndr-lloyd-george-store.s3_read_policy_document,
 module.ndr-document-store.s3_read_policy_document,
- module.ndr-app-config.app_config_policy
+ module.ndr-app-config.app_config_policy,
+ aws_iam_policy.mtls_access_ssm_policy.policy,
+ aws_iam_policy.ssm_access_policy.policy
 ]
 kms_deletion_window = var.kms_deletion_window
 rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index f52f381dc..034ca4a08 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -109,3 +109,21 @@ resource "aws_iam_policy" "transfer_family_kill_switch" {
 ]
 })
 }
+
+resource "aws_iam_policy" "mtls_access_ssm_policy" {
+ name = "${terraform.workspace}_mtls_ssm_parameters"
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "kms:Decrypt",
+ ],
+ Resource = [
+ module.pdm_encryption_key.kms_arn
+ ]
+ }
+ ]
+ })
+}
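Review bot: This hunk widens search-document-references-fhir-lambda beyond the mTLS parameter: `aws_iam_policy.ssm_access_policy.policy` is newly attached alongside the KMS policy, and its scope is not visible here, so confirm it is restricted to the parameter paths this lambda actually reads rather than a workspace-wide `ssm:GetParameter*`. If the only new requirement is reading `mtls_common_names`, a statement scoped to that parameter's ARN (the `ssm_parameter` module presumably exposes one — verify) would keep the grant minimal. The `module "search-document-references-fhir-lambda"` block starts before and ends after this hunk.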
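Review bot: `mtls_access_ssm_policy` grants `kms:Decrypt` on `module.pdm_encryption_key.kms_arn` with no `Condition`, so every lambda it is attached to can decrypt any ciphertext protected by the PDM key, not only the `mtls_common_names` SecureString this change is for; the name suggests SSM access but the statement contains no `ssm:` action, which will mislead the next reader. Constrain the grant to decrypts requested through SSM with a `kms:ViaService` condition, and add a comment above the resource noting that the SSM read itself comes from `ssm_access_policy`. The region in the condition must come from whatever region reference the stack already defines; I have left a placeholder rather than guess the name.
```hcl
# Lets the FHIR lambdas decrypt SSM SecureString parameters (mtls_common_names)
# stored under the PDM key. ssm:GetParameter itself is granted by ssm_access_policy.
# The ViaService condition stops this being a general Decrypt grant on the key.
resource "aws_iam_policy" "mtls_access_ssm_policy" {
  # … unchanged: name, policy/Version/Statement opening …
      {
        Effect   = "Allow",
        Action   = ["kms:Decrypt"],
        Resource = [module.pdm_encryption_key.kms_arn],
        Condition = {
          StringEquals = {
            "kms:ViaService" = "ssm.<region>.amazonaws.com" # substitute the stack's region reference
          }
        }
      }
  # … unchanged: closing of Statement / jsonencode / resource …
```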