diff --git a/README.md b/README.md
index 7cb6495b3..605e2d44d 100755
--- a/README.md
+++ b/README.md
@@ -147,6 +147,7 @@ Response:
 "accountStatus": "NotReady",
 "adminRoleArn": "arn:aws:iam::1234567890123:role/adminRole",
 "principalRoleArn": "arn:aws:iam::1234567890123:role/RedboxPrincipal",
+ "principalPolicyHash": "",
 "createdOn": 1560306008,
 "lastModifiedOn": 1560306008,
 "metadata": {}
@@ -199,6 +200,10 @@ terraform output api_access_policy_name
 terraform output api_access_policy_arn
 ```
+#### IAM Policy for Redbox Accounts
+
+The Terraform module will come with a sane starting policy that is applied to the IAM principal. This policy is applied when a new account is added or when a lease is unlocked. It is possible to change the policy to what is needed by providing the Terraform variable `redbox_principal_policy`. The value of this variable is a location of a policy file that can be a Go template. It is uploaded into S3 and is read from there as the policy is applied.
+
 #### Signing requests in Go
 The AWS SDK for Go exposes a [`signer/v4` package](https://docs.aws.amazon.com/sdk-for-go/api/aws/signer/v4/), which may be used to sign API requests. For example:
@@ -276,6 +281,7 @@ Example:
 "accountStatus": "NotReady",
 "adminRoleArn": "arn:aws:iam::1234567890123:role/adminRole",
 "principalRoleArn": "arn:aws:iam::1234567890123:role/RedboxPrincipal",
+ "principalPolicyHash": "\"d41d8cd98f00b204e9800998ecf8427e-38\"",
 "createdOn": 1560306008,
 "lastModifiedOn": 1560306008,
 "metadata": {}
@@ -655,4 +661,4 @@ Some variables used in notification templates (conatined in modules/variables.tf
 - Lease.AccountID : The Account number of the AWS account in use
 - Lease.BudgetAmount : The configured budget amount for the lease
 - ActualSpend : The calculated spend on the account at time of notification
- - ThresholdPercentile : The conigured threshold percentage for the notification, prior to exhaustion
\ No newline at end of file
+ - ThresholdPercentile : The conigured threshold percentage for the notification, prior to exhaustion
diff --git a/modules/swaggerRedbox.yaml b/modules/swaggerRedbox.yaml
index 64ecec547..9e8350c56 100755
--- a/modules/swaggerRedbox.yaml
+++ b/modules/swaggerRedbox.yaml
@@ -134,7 +134,7 @@ paths:
 budgetNotificationEmails:
 type: array
 items:
- type: string
+ type: string
 produces:
 - application/json
 responses:
@@ -262,6 +262,9 @@ definitions:
 principalRoleArn:
 type: string
 description: ARN for an IAM role within this AWS account. This role is created by the Redbox master account, and may be assumed by principals to login to their AWS Redbox account.
+ principalPolicyHash:
+ type: string
+ description: The S3 object ETag used to apply the Principal IAM Policy within this AWS account. This policy is created by the Redbox master account, and is assumed by people with access to principalRoleArn.
 lastModifiedOn:
 type: integer
 description: Epoch timestamp, when account record was last modified
diff --git a/modules/update_redbox_policy_lambda.tf b/modules/update_redbox_policy_lambda.tf
index 34f155ca5..c9ae219ba 100644
--- a/modules/update_redbox_policy_lambda.tf
+++ b/modules/update_redbox_policy_lambda.tf
@@ -1,4 +1,4 @@
-module "update-redbox-principal-policy" {
+module "update_redbox_principal_policy" {
 source = "./lambda"
 name = "update_redbox_principal_policy-${var.namespace}"
 namespace = var.namespace
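Review bot: The description added for `principalPolicyHash` says the policy "is assumed by people with access to principalRoleArn", but an IAM policy is attached, not assumed, and the description does not convey the value's shape, which the README hunks in this same commit show as an S3 ETag stored verbatim with its surrounding double quotes (`"\"d41d8cd98f00b204e9800998ecf8427e-38\""`) and as an empty string for a `NotReady` account. Suggest `description: S3 object ETag of the Principal IAM Policy last applied within this AWS account, stored as returned by S3 (including the surrounding quotes); empty before the policy has been applied. The policy is created by the Redbox master account and attached to the role referenced by principalRoleArn.` A short caveat that an S3 ETag is not a content digest for multipart uploads (the `-38` suffix in the example) would help API consumers who might otherwise compare it against a locally computed MD5 to verify the applied policy; the empty-until-applied semantics are inferred from the README example rather than from visible code, so confirm before documenting them.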
@@ -25,22 +25,22 @@ module "update-redbox-principal-policy" {
 }
 }
-resource "aws_sns_topic_subscription" "update-redbox-principal-policy" {
+resource "aws_sns_topic_subscription" "update_redbox_principal_policy" {
 topic_arn = aws_sns_topic.lease_unlocked.arn
 protocol = "lambda"
- endpoint = module.update-redbox-principal-policy.arn
+ endpoint = module.update_redbox_principal_policy.arn
 }
-resource "aws_lambda_permission" "update-redbox-principal-policy" {
+resource "aws_lambda_permission" "update_redbox_principal_policy" {
 statement_id = "AllowExecutionFromSNS"
 action = "lambda:InvokeFunction"
- function_name = module.update-redbox-principal-policy.name
+ function_name = module.update_redbox_principal_policy.name
 principal = "sns.amazonaws.com"
 source_arn = aws_sns_topic.lease_unlocked.arn
 }
-resource "aws_iam_role_policy" "update-redbox-principal-policy" {
- role = module.update-redbox-principal-policy.execution_role_name
+resource "aws_iam_role_policy" "update_redbox_principal_policy" {
+ role = module.update_redbox_principal_policy.execution_role_name
 policy = <