diff --git a/terraform/modules/rds-snapshot-to-s3/iam.tf b/terraform/modules/rds-snapshot-to-s3/iam.tf
index 520f193e2..4cf3f99a6 100644
--- a/terraform/modules/rds-snapshot-to-s3/iam.tf
+++ b/terraform/modules/rds-snapshot-to-s3/iam.tf
@@ -1,19 +1,41 @@
-data "aws_iam_policy_document" "ecs_execution_role" {
- statement {
- actions = [
- "sts:AssumeRole",
- ]
+resource "aws_lambda_permission" "allow_cloudwatch" {
+ for_each = { for instance in local.rds_instances : instance.id => instance }
+
+ action = "lambda:InvokeFunction"
+ function_name = module.rds-to-s3-copier.lambda_function_arn
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.rds_event_rule[each.key].arn
+}
 
- effect = "Allow"
+resource "aws_iam_role" "cloudwatch_events_role" {
+ name = "cloudwatch-events-invocation-role"
 
- principals {
- type = "Service"
- identifiers = ["ecs.amazonaws.com"]
- }
- }
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "events.amazonaws.com"
+ }
+ }
+ ]
+ })
 }
 
-resource "aws_iam_role" "ecs_execution_role" {
- name = "${var.identifier_prefix}-ecs-execution-role"
- assume_role_policy = data.aws_iam_policy_document.ecs_execution_role.json
+resource "aws_iam_role_policy" "cloudwatch_events_policy" {
+ name = "cloudwatch-events-invocation-policy"
+ role = aws_iam_role.cloudwatch_events_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = "lambda:InvokeFunction",
+ Resource = module.rds-to-s3-copier.lambda_function_arn,
+ }
+ ]
+ })
 }
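Review bot: The new `aws_iam_role.cloudwatch_events_role` and `aws_iam_role_policy.cloudwatch_events_policy` drop the `${var.identifier_prefix}` prefix that the removed `ecs_execution_role` carried, so `cloudwatch-events-invocation-role` and `cloudwatch-events-invocation-policy` are fixed, account-global names and a second instantiation of this module in the same account will fail on a name collision; use `name = "${var.identifier_prefix}-cloudwatch-events-invocation-role"` and the matching `-policy` name. Nothing in this hunk references `aws_iam_role.cloudwatch_events_role`, and the `aws_lambda_permission.allow_cloudwatch` resources already grant `events.amazonaws.com` invoke rights scoped to each rule ARN via `source_arn`, which is the resource-based mechanism EventBridge uses for Lambda targets; unless an `aws_cloudwatch_event_target` elsewhere in the module passes this role as `role_arn`, it is an unused identity holding `lambda:InvokeFunction` and should either be removed or wired in. The removal of `ecs_execution_role` is only safe if no other file in the module still references it, which cannot be confirmed from this hunk.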