diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -49,3 +49,56 @@
   ]
 }
 
+# Assume Role Policy Document for EC2 and ECS
+# This policy allows ECS and EC2 use roles that it is assigned to
+data "aws_iam_policy_document" "assume_role_ecs_ec2" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+    ]
+    principals {
+      type = "Service"
+      identifiers = [
+        "ec2.amazonaws.com",
+        "ecs-tasks.amazonaws.com"
+      ]
+    }
+  }
+}
+
+### App IAM resources
+
+# Feature Flags IAM
+data "aws_dynamodb_table" "feature_flags" {
+  name = "feature-flags"
+}
+data "aws_iam_policy_document" "read_feature_flags" {
+  statement {
+    sid    = "FeatureFlagsDDBReadAccess"
+    effect = "Allow"
+    actions = [
+      "dynamodb:BatchGetItem",
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+    ]
+    resources = [
+      data.aws_dynamodb_table.feature_flags.arn,
+    ]
+  }
+}
+resource "aws_iam_policy" "read_feature_flags" {
+  name        = "feature-flags-ddb-read-access"
+  policy      = data.aws_iam_policy_document.read_feature_flags.json
+  description = "Allows full read access to feature-flags DynamoDB table"
+}
+resource "aws_iam_role" "feature_flags_service" {
+  name               = "feature-flags-service-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+  managed_policy_arns = [
+    aws_iam_policy.read_feature_flags.arn
+  ]
+}
+