diff --git a/.config/.checkov.yml b/.config/.checkov.yml
index d6c174b..9fadaff 100644
--- a/.config/.checkov.yml
+++ b/.config/.checkov.yml
@@ -9,39 +9,91 @@ skip-check:
 - CKV_AZURE*
 - CKV2_AZURE*
 - CKV_TF_1 # default to Terraform registry instead of Git
-- CKV2_AWS_5 # Ensure that Security Groups are attached to another resource
-- CKV2_AWS_47 # Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
-- CKV2_AWS_28 # Ensure public facing ALB are protected by WAF
-- CKV2_AWS_42 # Ensure AWS CloudFront distribution uses custom SSL certificate
+
+
+# - VPC -
+# Suppressed as the only VPC resources created are used only by required components of the module. Our belief is that most customers have security requirements that enforce use of existing organization defined networking and security resource. The module provides functionality to reference these existing resources if desired.
 - CKV2_AWS_11 # Ensure VPC flow logging is enabled in all VPCs
+# Suppressed as it is not relevant. The module creates an EIP and attached to a NAT Gateway, not an EC2 instance. EC2 is not used in this solution.
 - CKV2_AWS_19 # Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
+# Suppressed as it is not relevant to this module. Security groups have been scoped down to minimum rules required for module functionality. Further, customers have the ability to reference their own existing networking and security resources.
 - CKV2_AWS_12 # Ensure the default security group of every VPC restricts all traffic
+# Suppressed due to an ongoing false-positive issue: https://github.com/bridgecrewio/checkov/issues/1203
+- CKV2_AWS_5 # Ensure that Security Groups are attached to another resource
+
+
+# - Application Load Balancer -
+# Suppressed as it is not relevant. This module does not currently support custom SSL certifications, which is a requirement to enable HTTPS for the ALB. Instead, the default CloudFront SSL certificate is used. If there is customer demand, this may be added in a future version of the module. 
+- CKV_AWS_2 # Ensure ALB protocol is HTTPS
+# Suppressed as this will cause customers to incur additional cost. Will consider adding support for this in future module versions upon customer request.
+- CKV_AWS_91 # Ensure the ELBv2 (Application/Network) has access logging enabled
+# Suppressed as this will cause pipeline failures during functional tests if enabled by default. Customers can conditionally enable this via the 'enable_alb_deletion_protection' variable.
+- CKV_AWS_150 # Ensure that Load Balancer has deletion protection enabled
+# Suppressed as WAFv2 is not currently enabled in this version of the module. This would add additional customer cost, and can be added on top of the module solution leveraging the module outputs.
+- CKV2_AWS_28 # Ensure public facing ALB are protected by WAF
+# Suppressed as this handled by CloudFront. The ALB is configured to deny all access unless it comes from CloudFront, which is configured to redirect HTTP requests into HTTPS requests.
 - CKV2_AWS_20 # Ensure that ALB redirects HTTP requests into HTTPS ones
-- CKV2_AWS_32 # Ensure CloudFront distribution has a response headers policy attached
+# Suppressed as this is a false positive. The module is configured to use the 'ELBSecurityPolicy-TLS13-1-2-2021-06' AWS managed security policy which uses TLS 1.3 and is backwards compatible with TLS 1.2.
+- CKV_AWS_103 # Ensure that load balancer is using at least TLS 1.2
+
+
+# - ECS -
+# Suppressed as this will lead to additional customer cost. If there is customer demand, this may be added via a conditional variable in a future module release.
 - CKV_AWS_65 # Ensure container insights are enabled on ECS cluster
-- CKV_AWS_333 # Ensure ECS services do not have public IP addresses assigned to them automatically
-- CKV_AWS_158 # Ensure that CloudWatch Log Group is encrypted by KMS
+
+
+# - ECR -
+# Suppressed as this is a false positive. 
The module is configured to allow customers enable the ECR repository to use immutable tags is they so choose.
+- CKV_AWS_306 # Ensure ECR repository is immutable
 - CKV_AWS_51 # Ensure ECR Image Tags are immutable
-- CKV_AWS_103 # Ensure that load balancer is using at least TLS 1.2
+# Suppressed. This is optional and will cause additional cost. AES256 is the default encryption for Amazon ECR. Module provides the ability for customers to use KMS if they wish.
 - CKV_AWS_136 # Ensure that ECR repositories are encrypted using KMS
+# Suppressed as this is false positive. The module allows customers to enable ECR image scanning on push if they so choose.
 - CKV_AWS_163 # Ensure ECR image scanning on push is enabled
-- CKV_AWS_91 # Ensure the ELBv2 (Application/Network) has access logging enabled
-- CKV_AWS_150 # Ensure that Load Balancer has deletion protection enabled
-- CKV_AWS_2 # Ensure ALB protocol is HTTPS
-- CKV_AWS_310 # Ensure CloudFront distributions should have origin failover configured
+
+
+# - CloudFront -
+# Suppressed as WAFv2 is not currently enabled in this version of the module. This would add additional customer cost, and can be added on top of the module solution leveraging the module outputs.
 - CKV_AWS_68 # CloudFront Distribution should have WAF enabled
+- CKV2_AWS_47 # Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
+# Suppressed as module does not currently support custom SSL certificates.
+- CKV2_AWS_42 # Ensure AWS CloudFront distribution uses custom SSL certificate
+# Suppressed as it is not supported by the current version of the module. May be added in future module versions upon customer request. 
+- CKV2_AWS_32 # Ensure CloudFront distribution has a response headers policy attached
+- CKV_AWS_310 # Ensure CloudFront distributions should have origin failover configured
 - CKV_AWS_86 # Ensure CloudFront distribution has Access Logging enabled
 - CKV_AWS_174 # Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
 - CKV_AWS_305 # Ensure CloudFront distribution has a default root object configured
-- CKV_AWS_219 # Ensure CodePipeline Artifact store is using a KMS CMK
-- CKV_AWS_314 # Ensure CodeBuild project environments have a logging configuration
+
+
+# - S3 -
+# Suppressed as this will lead to unnecessary additional cost for customers.
+- CKV_AWS_144 # Ensure that S3 bucket has cross-region replication enabled
+# Suppressed. Versioning is enabled for the Streamlit Artifacts S3 bucket, however this is not required for the CodePipeline Artifacts bucket as this is just a copy of the file that already exists in the bucket with versioning enabled.
+- CKV2_AWS_16 # Ensure S3 bucket has versioning enabled
+- CKV_AWS_21 # Ensure all data stored in the S3 bucket have versioning enabled
+# Suppressed as this is enabled on all new Amazon S3 Buckets by default.
+- CKV2_AWS_62 # Ensure S3 buckets are encrypted with AWS KMS by default
+- CKV2_AWS_63 # Ensure S3 bucket has server-side encryption enabled
+# Suppressed as this will incur additional cost. S3 Buckets are encrypted with SSE-S3 encryption by default. The ability to use CMK will potentially be added in future module versions upon customer request.
+- CKV_AWS_145 # Ensure that S3 buckets are encrypted with KMS by default
+# Suppressed as this is enabled on all new Amazon S3 Buckets by default.
 - CKV2_AWS_6 # Ensure that S3 bucket has a Public Access block
+# Suppressed as this could cause unintentional customer data loss. Will consider adding support for this in future module versions upon customer request. 
 - CKV2_AWS_61 # Ensure that an S3 bucket has a lifecycle configuration
+# Suppressed as this could lead to increase cost. Versioning is enabled for the Streamlit Artifacts S3 bucket, however this is not required for the CodePipeline Artifacts bucket as this is just a copy of the file that already exists in the bucket with versioning enabled.
 - CKV2_AWS_62 # Ensure S3 buckets should have event notifications enabled
+# Suppressed as this is enabled for the Streamlit Assets S3 Bucket and is not required for the CodePipeline Artifacts bucket.
 - CKV_AWS_18 # Ensure the S3 bucket has access logging enabled
-- CKV_AWS_145 # Ensure that S3 buckets are encrypted with KMS by default
-- CKV_AWS_144 # Ensure that S3 bucket has cross-region replication enabled
-- CKV_AWS_21 # Ensure all data stored in the S3 bucket have versioning enabled
+# Suppressed as it is not supported by the current version of the module. May be added in future module versions upon customer request.
+- CKV2_AWS_17 # Ensure S3 bucket access is restricted to specific IP addresses or CIDR blocks
+- CKV2_AWS_64 # Ensure S3 bucket has object lock enabled
+
+
+# - CodePipeline/CodeBuild -
+# Suppressed as this is not relevant. The CodePipeline Artifacts S3 Bucket has encryption enabled using SSE-S3 encryption. This is default for all new S3 Buckets. If the ability to reference an existing KMS CMK is desired by customers, this will be addressed in a future version of the module.
+- CKV_AWS_219 # Ensure CodePipeline Artifact store is using a KMS CMK
+- CKV_AWS_314 # Ensure CodeBuild project environments have a logging configuration
 summary-position: bottom
diff --git a/.config/functional_tests/pre-entrypoint-helpers.sh b/.config/functional_tests/pre-entrypoint-helpers.sh
index 944bb22..fe43261 100644
--- a/.config/functional_tests/pre-entrypoint-helpers.sh
+++ b/.config/functional_tests/pre-entrypoint-helpers.sh
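Review bot: The justification written for `CKV_AWS_103` ("false positive ... ELBSecurityPolicy-TLS13-1-2-2021-06") does not hold for the default deployment, because in this same commit `enable_alb_https_listener` defaults to `false` and `enable_alb_http_listener` to `true`, so the only listener created by default is plain HTTP on port 80 and no TLS policy is in effect on the ALB at all. The comment should state what is actually true, e.g. `# Suppressed: the TLS 1.2+ policy applies only when the optional HTTPS listener is enabled (enable_alb_https_listener); the default HTTP listener carries no TLS policy and the public TLS edge is CloudFront.` Separately, `CKV2_AWS_62` now appears twice with two different descriptions (under S3 as "encrypted with AWS KMS by default" and further down as "event notifications enabled"), so one of the two IDs/annotations is wrong and the duplicate entry should be removed. The `CKV2_AWS_6` and SSE suppressions rely on AWS account-level defaults rather than anything the module configures, which is worth saying explicitly so reviewers do not read them as module guarantees.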
@@ -12,3 +12,7 @@ cd ${PROJECT_PATH}
 #********** AWS Region Export *************
 export AWS_DEFAULT_REGION=us-east-1
+
+#********** ABP Local Storage *************
+mkdir -p ~/dev/aws-ia/.aws
+mkdir -p ~/dev/aws-ia/artifacts
diff --git a/README.md b/README.md
index 9c387d1..77d415b 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ No modules.
 | [aws_cloudwatch_log_group.streamlit_ecs_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_codebuild_project.streamlit_codebuild_project](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource |
 | [aws_codepipeline.streamlit_codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource |
+| [aws_ecr_lifecycle_policy.streamlit_ecr_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_repository.streamlit_ecr_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [aws_ecs_cluster.streamlit_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
 | [aws_ecs_cluster_capacity_providers.streamlit_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster_capacity_providers) | resource |
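Review bot: `mkdir -p ~/dev/aws-ia/.aws` creates a directory that, by its name, presumably receives AWS credentials or config for the functional tests, but it is created with whatever the default umask allows; `mkdir -p -m 700 ~/dev/aws-ia/.aws` keeps it owner-only from the start, and a one-line comment stating what the harness writes there (and that it must never be committed) would help the next maintainer. The hard-coded `~/dev/aws-ia` prefix is also unrelated to the `PROJECT_PATH` used on the `cd` line just above; if it must match an external harness convention, say so in the `#********** ABP Local Storage` banner, otherwise derive it from a variable so it cannot drift. The rest of the helper script is outside the hunk.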
@@ -109,6 +110,8 @@ No modules.
 | [aws_internet_gateway.streamlit_igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_lb.streamlit_alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
 | [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener_certificate.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_certificate) | resource |
 | [aws_lb_listener_rule.deny_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
 | [aws_lb_listener_rule.redirect_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
 | [aws_lb_target_group.streamlit_tg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
@@ -162,6 +165,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [alb\_listener\_ssl\_policy\_https](#input\_alb\_listener\_ssl\_policy\_https) | The SSL policy for the ALB HTTPS listener. The default uses the AWS security policy that enables TLS 1.3 with backwards compatibility with TLS 1.2. | `string` | `"ELBSecurityPolicy-TLS13-1-2-2021-06"` | no |
 | [app\_name](#input\_app\_name) | The name of your application. This value is appended at the beginning of resource names. | `string` | `"streamlit"` | no |
 | [app\_version](#input\_app\_version) | The version of the application. This is set to be used as the tag for the Docker image. Defaults to latest. Update this variable when making changes to your application to ensure you don't overwrite your previous image. Overwriting your previous image will prevent you from being able to roll back if you need. | `string` | `"v0.0.1"` | no |
 | [aws\_region](#input\_aws\_region) | The AWS region where the resources will be deployed. Default functionality is to use the region of your current AWS credentials. | `string` | `null` | no |
@@ -173,6 +177,7 @@ No modules.
 | [create\_ecs\_default\_policy](#input\_create\_ecs\_default\_policy) | Whether to create a default ECS policy for the cluster. | `bool` | `true` | no |
 | [create\_ecs\_default\_role](#input\_create\_ecs\_default\_role) | Whether to create a default ECS role for the cluster. | `bool` | `true` | no |
 | [create\_ecs\_security\_group](#input\_create\_ecs\_security\_group) | Whether to create default ECS security group. If this is set to false, you'll need to provide your own list of security group IDs to the `existing_ecs_security_groups` variable. | `bool` | `true` | no |
+| [create\_streamlit\_ecr\_repo\_lifecycle\_policy](#input\_create\_streamlit\_ecr\_repo\_lifecycle\_policy) | Conditional creation of ECR Lifecycle policy for the Streamlit ECR repo. Default is to not create any policy. | `bool` | `false` | no |
 | [create\_vpc\_resources](#input\_create\_vpc\_resources) | Whether to create VPC resources. If this is set to `false`, you must provide the relevant ids for your existing resources (e.g VPC, Subnets, Security Groups, etc.) | `bool` | `true` | no |
 | [custom\_header\_name](#input\_custom\_header\_name) | Name of the CloudFront custom header. Prevents ALB from accepting requests from other clients than CloudFront. Any random string is fine. | `string` | `"X-Verify-Origin"` | no |
 | [custom\_header\_value](#input\_custom\_header\_value) | Value of the CloudFront custom header. Prevents ALB from accepting requests from other clients than CloudFront. Any random string is fine. | `string` | `"streamlit-CloudFront-Distribution"` | no |
@@ -180,10 +185,15 @@ No modules.
 | [ecs\_cpu\_architecture](#input\_ecs\_cpu\_architecture) | ECS CPU architecture (x86\_64 or arm64). Acceptable values are 'X86\_64' or 'ARM64' (case-sensistive). | `string` | `"ARM64"` | no |
 | [ecs\_operating\_system\_family](#input\_ecs\_operating\_system\_family) | Operating system family (windows or linux) for the ECS task (x86\_64 or arm64). Default is linux. Valid values are listed here: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RuntimePlatform.html | `string` | `"LINUX"` | no |
 | [ecs\_task\_desired\_image\_tag](#input\_ecs\_task\_desired\_image\_tag) | The desired tag of the image in ECR you wish to use for your ECS Task. If using multiple tags, you can use this to speficy a specific tag (e.g. `v0.0.1`) to use. Default value is to use the version id image tag. | `string` | `null` | no |
+| [enable\_alb\_deletion\_protection](#input\_enable\_alb\_deletion\_protection) | Whether to enable deletion protection for the Streamlit App Application Load Balancer. | `bool` | `false` | no |
+| [enable\_alb\_http\_listener](#input\_enable\_alb\_http\_listener) | Whether to create the ALB HTTP listener. | `bool` | `true` | no |
+| [enable\_alb\_https\_listener](#input\_enable\_alb\_https\_listener) | Whether to create the ALB HTTPS listener. | `bool` | `false` | no |
 | [enable\_auto\_cloudfront\_invalidation](#input\_enable\_auto\_cloudfront\_invalidation) | This variable conditionally enables CloudFront invalidations to automatically occur when there are updates to your Streamlit App. | `bool` | `true` | no |
 | [enable\_force\_detach\_policies](#input\_enable\_force\_detach\_policies) | Enable force detaching any policies from IAM roles. | `bool` | `true` | no |
+| [enable\_streamlit\_ecr\_repo\_scan\_on\_push](#input\_enable\_streamlit\_ecr\_repo\_scan\_on\_push) | Whether to enable image scanning on push for ECR repo. This uses the Amazon Inspector service, which will incur additional cost. 
| `bool` | `false` | no |
 | [environment](#input\_environment) | The application environment where the resources will be deployed. e.g. 'dev', 'prod', etc. | `string` | `"dev"` | no |
 | [eventbridge\_rules\_enable\_force\_destroy](#input\_eventbridge\_rules\_enable\_force\_destroy) | Enable force destroy on all EventBridge rules. This allows the destruction of all events in the rule. | `bool` | `true` | no |
+| [existing\_alb\_https\_listener\_cert](#input\_existing\_alb\_https\_listener\_cert) | The ARN of an existing ACM certificate to use for the ALB HTTPS listener. | `string` | `null` | no |
 | [existing\_alb\_security\_groups](#input\_existing\_alb\_security\_groups) | A list of existing security group IDs to attach to the Streamlit ECS service load balancer. | `list(string)` | `null` | no |
 | [existing\_alb\_subnets](#input\_existing\_alb\_subnets) | A list of existing subnets to launch the ALB in. Public subnets are recommended. | `list(string)` | `null` | no |
 | [existing\_ecs\_role](#input\_existing\_ecs\_role) | The ARN of an existing ECS role to assign to the cluster. | `string` | `null` | no |
@@ -192,6 +202,11 @@ No modules.
 | [path\_to\_app\_dir](#input\_path\_to\_app\_dir) | The path to the directory that contains all assets for your Streamlit project. Any changes made to this directory will trigger the Docker image to be rebuilt and pushed to ECR during subsequent applies. | `string` | `null` | no |
 | [path\_to\_build\_spec](#input\_path\_to\_build\_spec) | The path to the build spec file for CodeBuild. This file should be a YAML file that defines the build process. | `string` | `null` | no |
 | [streamlit\_ecr\_repo\_enable\_force\_delete](#input\_streamlit\_ecr\_repo\_enable\_force\_delete) | Enable force delete on the ECR repo. This allows the destruction of all images in the repository. | `bool` | `true` | no |
+| [streamlit\_ecr\_repo\_encryption\_type](#input\_streamlit\_ecr\_repo\_encryption\_type) | The type of encryption for the ECR repo. Valid values are 'AES256' or 'KMS'. | `string` | `"AES256"` | no |
+| [streamlit\_ecr\_repo\_image\_tag\_mutability](#input\_streamlit\_ecr\_repo\_image\_tag\_mutability) | Whether to enforce images tags to be immutable or not. Valid values are 'MUTABLE' or IMMUTABLE'. | `string` | `"MUTABLE"` | no |
+| [streamlit\_ecr\_repo\_kms\_key](#input\_streamlit\_ecr\_repo\_kms\_key) | The KMS key ID used to encrypt the ECR repo. This is required if encryption\_type is 'KMS'. If not specified, the default AWS managed key for ECR is used. | `string` | `null` | no |
+| [streamlit\_ecr\_repo\_lifecycle\_policy](#input\_streamlit\_ecr\_repo\_lifecycle\_policy) | A JSON string containing the ECR Lifecycle policy for the Streamlit ECR repo. | `string` | `null` | no |
+| [streamlit\_ecs\_service\_log\_group\_kms\_key](#input\_streamlit\_ecs\_service\_log\_group\_kms\_key) | The KMS key ID used to encrypt the log group for the ECS service. | `string` | `null` | no |
 | [tags](#input\_tags) | Tags to apply to resources. | `map(any)` |
{
"IAC_PROVIDER": "Terraform"
}
| no |
 | [task\_cpu](#input\_task\_cpu) | The CPU resources (in CPU units) allocated to each task. Default is 256. | `number` | `256` | no |
 | [task\_memory](#input\_task\_memory) | The memory (in MiB) allocated to each task. Default is 512. | `number` | `512` | no |
diff --git a/VERSION b/VERSION
index 0ec25f7..795460f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v1.0.0
+v1.1.0
diff --git a/checkov.txt b/checkov.txt
deleted file mode 100644
index 5bfa933..0000000
--- a/checkov.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Running Checkov Analysis
-terraform scan results:
-
-Passed checks: 87, Failed checks: 0, Skipped checks: 0
-
-
-Success - Checkov found no issues!
diff --git a/main.tf b/main.tf
index 18422b1..6157477 100644
--- a/main.tf
+++ b/main.tf
@@ -360,12 +360,14 @@ resource "aws_lb" "streamlit_alb" {
   drop_invalid_header_fields = true
   subnets = var.existing_alb_subnets != null ? var.existing_alb_subnets : [aws_subnet.public_subnet1[0].id, aws_subnet.public_subnet2[0].id]
   security_groups = var.existing_alb_security_groups != null ? var.existing_alb_security_groups : [aws_security_group.streamlit_alb_sg[0].id]
+  enable_deletion_protection = var.enable_alb_deletion_protection
   tags = {
     Name = "${var.app_name}-alb"
   }
 }
+
 # Configure target group for ALB
 resource "aws_lb_target_group" "streamlit_tg" {
   name = "${var.app_name}-tg"
@@ -381,16 +383,36 @@ resource "aws_lb_target_group" "streamlit_tg" {
     unhealthy_threshold = 3
   }
-  tags = {
-    Name = "${var.app_name}-tg"
-  }
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.app_name}-tg"
+    }
+  )
 }
 # Create Listener for ALB
+# HTTP Listener
 resource "aws_lb_listener" "http" {
+  count = var.enable_alb_http_listener ? 1 : 0
   load_balancer_arn = aws_lb.streamlit_alb[0].arn
   port = 80
   protocol = "HTTP"
+  # ssl_policy cannot be specified for HTTP listeners.
+
+  default_action {
+    type = "forward"
+    target_group_arn = aws_lb_target_group.streamlit_tg.arn
+  }
+}
+# HTTPS Listener
+resource "aws_lb_listener" "https" {
+  count = var.enable_alb_https_listener ? 1 : 0
+  load_balancer_arn = aws_lb.streamlit_alb[0].arn
+  port = 443
+  protocol = "HTTPS"
+  # Create load balancer policy that defaults to predefined AWS Policy 'ELBSecurityPolicy-TLS13-1-2-2021-06'. This policy includes TLS 1.3 and is backwards compatible with TLS 1.2.
+  ssl_policy = var.alb_listener_ssl_policy_https
 
   default_action {
     type = "forward"
@@ -398,9 +420,16 @@ resource "aws_lb_listener" "http" {
   }
 }
+resource "aws_lb_listener_certificate" "https" {
+  count = var.enable_alb_https_listener ? 1 : 0
+  listener_arn = aws_lb_listener.https[0].arn
+  certificate_arn = var.existing_alb_https_listener_cert
+}
+
+
 # Create deny rule for ALB. This prevents users from accessing the ALB directly. Instead, they must go throught CloudFront.
 resource "aws_lb_listener_rule" "deny_rule" {
-  listener_arn = aws_lb_listener.http.arn
+  listener_arn = aws_lb_listener.http[0].arn
   priority = 1
   action {
@@ -418,7 +447,7 @@ resource "aws_lb_listener_rule" "deny_rule" {
 # Create redirect rule for ALB where users must instead use CloudFront.
 resource "aws_lb_listener_rule" "redirect_rule" {
-  listener_arn = aws_lb_listener.http.arn
+  listener_arn = aws_lb_listener.http[0].arn
   priority = 5
   action {
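Review bot: The new `aws_lb_listener.https` forwards straight to the target group, while the CloudFront-only protection (`deny_rule` and `redirect_rule`, which the comment says exist to stop direct ALB access) is attached only to `aws_lb_listener.http[0]`; enabling HTTPS therefore opens a path to the ECS service that bypasses CloudFront and the custom-header check entirely. Either attach equivalent rules to the HTTPS listener or, as below, make its default action a fixed 403 and forward only on a rule that matches `custom_header_name`/`custom_header_value`. Separately, the AWS provider documents `certificate_arn` on `aws_lb_listener` as the default certificate that is required when the protocol is HTTPS, whereas `aws_lb_listener_certificate` only adds additional SNI certificates, so as written I would expect the apply to fail when `enable_alb_https_listener` is true (please confirm against the provider docs). Finally, with `enable_alb_http_listener = false` the `http[0]` references in `deny_rule`/`redirect_rule` (and `depends_on = [aws_lb_listener.http]` on the ECS service) no longer resolve, so that variable cannot actually be set to false without breaking the plan. The listener-rule bodies continue outside the hunk.

```hcl
resource "aws_lb_listener" "https" {
  count             = var.enable_alb_https_listener ? 1 : 0
  load_balancer_arn = aws_lb.streamlit_alb[0].arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = var.alb_listener_ssl_policy_https
  # HTTPS listeners need a default certificate on the listener itself;
  # aws_lb_listener_certificate only attaches additional (SNI) certificates.
  certificate_arn   = var.existing_alb_https_listener_cert

  # Deny by default so direct access that bypasses CloudFront is refused;
  # the rule below forwards only requests carrying the CloudFront custom header.
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Access denied"
      status_code  = "403"
    }
  }
}

resource "aws_lb_listener_rule" "https_forward" {
  count        = var.enable_alb_https_listener ? 1 : 0
  listener_arn = aws_lb_listener.https[0].arn
  priority     = 1

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.streamlit_tg.arn
  }

  condition {
    http_header {
      http_header_name = var.custom_header_name
      values           = [var.custom_header_value]
    }
  }
}

# … unchanged: aws_lb_listener.http, deny_rule, redirect_rule …
```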
@@ -546,16 +575,19 @@ resource "aws_ecs_service" "streamlit_ecs_service" { network_configuration { subnets = var.existing_ecs_subnets != null ? var.existing_ecs_subnets : [aws_subnet.private_subnet1[0].id, aws_subnet.private_subnet2[0].id] security_groups = var.existing_ecs_security_groups != null ? var.existing_ecs_security_groups : [aws_security_group.streamlit_ecs_sg[0].id] - - assign_public_ip = true - } - load_balancer { target_group_arn = aws_lb_target_group.streamlit_tg.arn container_name = "${var.app_name}-container" container_port = var.container_port } + + tags = merge( + var.tags, + { + Name = "${var.app_name}-ecs-service" + } + ) # The Amazon ECS service requires an explicit dependency on the Application Load Balancer listener rule and the Application Load Balancer listener. This prevents the service from starting before the listener is ready. depends_on = [aws_lb_listener.http] } @@ -564,6 +596,13 @@ resource "aws_ecs_service" "streamlit_ecs_service" { resource "aws_cloudwatch_log_group" "streamlit_ecs_service_log_group" { name = "/ecs/${var.app_name}-ecs-log-group" retention_in_days = 365 + kms_key_id = var.streamlit_ecs_service_log_group_kms_key + + tags = merge(var.tags, + { + Name = "/ecs/${var.app_name}-ecs-log-group" + } + ) } # Create ECS Task 
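Review bot: `kms_key_id = var.streamlit_ecs_service_log_group_kms_key` is fed by a variable described as a "KMS key ID", but the provider documents `aws_cloudwatch_log_group.kms_key_id` as the key ARN, and CloudWatch Logs can only use a key whose policy grants the `logs.<region>.amazonaws.com` service principal the `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*` actions — a bare key ID, or a key without that statement, would be expected to fail at apply or at the first log write. Suggest the description `The ARN of a KMS key used to encrypt the ECS service log group. The key policy must allow the CloudWatch Logs service principal for this region; null keeps the default CloudWatch-managed encryption.` Dropping `assign_public_ip = true` is the right direction, but tasks now depend on the ECS subnets having a NAT gateway or VPC endpoints to reach ECR and CloudWatch, which the `existing_ecs_subnets` description should state explicitly. `depends_on = [aws_lb_listener.http]` also ignores the new HTTPS listener, so an HTTPS-only deployment could start the service before its listener exists. The `aws_ecs_service` resource starts outside the hunk.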
@@ -621,20 +660,29 @@ resource "aws_ecs_task_definition" "streamlit_ecs_task_definition" {
 ################################################################################
 # Create an ECR repository
 resource "aws_ecr_repository" "streamlit_ecr_repo" {
-  name = "${var.app_name}-repo"
-
+  name = "${var.app_name}-repo"
+  image_tag_mutability = var.streamlit_ecr_repo_image_tag_mutability
+  image_scanning_configuration {
+    scan_on_push = var.enable_streamlit_ecr_repo_scan_on_push
+  }
+  encryption_configuration {
+    encryption_type = var.streamlit_ecr_repo_encryption_type
+    kms_key = var.streamlit_ecr_repo_kms_key
+  }
   # allow for reppo to be deleted even if it contains images
   force_delete = var.streamlit_ecr_repo_enable_force_delete
+  tags = {
+    Name = "${var.app_name}-repo"
+  }
 }
 # TODO - Consider adding support for ECR Lifecycle rules in future module verison
-# resource "aws_ecr_lifecycle_policy" "streamlit_ecr_repo" {
-#   count = var.create_streamlit_ecr_repo_lifecycle_rules ? 1: 0
-#   repository = aws_ecr_repository.streamlit_ecr_repo.name
-
-#   policy = jsonencode({ "rules" : var.streamlit_ecr_repo_lifecycle_rules })
+resource "aws_ecr_lifecycle_policy" "streamlit_ecr_repo" {
+  count = var.create_streamlit_ecr_repo_lifecycle_policy ? 1 : 0
+  repository = aws_ecr_repository.streamlit_ecr_repo.name
+  policy = var.streamlit_ecr_repo_lifecycle_policy
-# }
+}
 ################################################################################
diff --git a/variables.tf b/variables.tf
index 92a0572..d096fc3 100644
--- a/variables.tf
+++ b/variables.tf
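Review bot: `aws_ecr_lifecycle_policy.streamlit_ecr_repo` is gated on `create_streamlit_ecr_repo_lifecycle_policy`, but `policy = var.streamlit_ecr_repo_lifecycle_policy` defaults to `null`, so flipping the bool without supplying a policy produces a resource with a null required argument; guard the count with `count = var.create_streamlit_ecr_repo_lifecycle_policy && var.streamlit_ecr_repo_lifecycle_policy != null ? 1 : 0` or validate the pairing with a precondition. The `# TODO - Consider adding support for ECR Lifecycle rules in future module verison` comment left directly above now describes exactly what the resource below does and should be replaced with `# Optional ECR lifecycle policy; supply JSON via streamlit_ecr_repo_lifecycle_policy.` The repository's new `tags = { Name = ... }` is the only tags block added in this commit that does not `merge(var.tags, ...)`, unlike the target group, ECS service and log group, so caller-supplied tags never reach the repo. Note also that `image_tag_mutability` defaults to `MUTABLE`, which lets the `app_version` tag the README says the task definition uses be silently repointed at a different image; the README warns about overwrites only in terms of rollback, and the integrity angle is worth a sentence in the variable description.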
@@ -66,6 +66,31 @@ variable "existing_ecs_subnets" {
   type = list(string)
   default = null
 }
+variable "enable_alb_deletion_protection" {
+  description = "Whether to enable deletion protection for the Streamlit App Application Load Balancer."
+  type = bool
+  default = false
+}
+variable "alb_listener_ssl_policy_https" {
+  description = "The SSL policy for the ALB HTTPS listener. The default uses the AWS security policy that enables TLS 1.3 with backwards compatibility with TLS 1.2."
+  type = string
+  default = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+}
+variable "enable_alb_http_listener" {
+  description = "Whether to create the ALB HTTP listener."
+  type = bool
+  default = true
+}
+variable "enable_alb_https_listener" {
+  description = "Whether to create the ALB HTTPS listener."
+  type = bool
+  default = false
+}
+variable "existing_alb_https_listener_cert" {
+  description = "The ARN of an existing ACM certificate to use for the ALB HTTPS listener."
+  type = string
+  default = null
+}
 # - CloudFront -
 variable "custom_header_name" {
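Review bot: `existing_alb_https_listener_cert` defaults to `null` while `enable_alb_https_listener` is the only switch for the HTTPS listener, so nothing stops a caller enabling HTTPS without a certificate; because a variable `validation` block cannot reference another variable, the pairing should be asserted with a `lifecycle { precondition }` on the HTTPS listener (or a `check` block) such as `condition = !var.enable_alb_https_listener || var.existing_alb_https_listener_cert != null`. The descriptions should also spell out the coupling and the default posture, e.g. for `enable_alb_https_listener`: `Whether to create the ALB HTTPS listener. Requires existing_alb_https_listener_cert. The HTTP listener stays enabled unless enable_alb_http_listener is set to false.`, and `alb_listener_ssl_policy_https` should point at the ELB predefined security policy names so that a caller does not downgrade to a policy that still permits TLS 1.0/1.1. `enable_alb_http_listener` is described as a plain toggle, but other resources in this commit index `aws_lb_listener.http[0]`, so its description should warn that setting it to false is not yet supported.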
@@ -131,6 +156,38 @@ variable "streamlit_ecr_repo_enable_force_delete" {
   type = bool
   default = true
 }
+
+variable "streamlit_ecr_repo_image_tag_mutability" {
+  description = "Whether to enforce images tags to be immutable or not. Valid values are 'MUTABLE' or IMMUTABLE'."
+  type = string
+  default = "MUTABLE"
+}
+variable "enable_streamlit_ecr_repo_scan_on_push" {
+  description = "Whether to enable image scanning on push for ECR repo. This uses the Amazon Inspector service, which will incur additional cost."
+  type = bool
+  default = false
+}
+variable "streamlit_ecr_repo_encryption_type" {
+  description = "The type of encryption for the ECR repo. Valid values are 'AES256' or 'KMS'."
+  type = string
+  default = "AES256"
+}
+variable "streamlit_ecr_repo_kms_key" {
+  description = "The KMS key ID used to encrypt the ECR repo. This is required if encryption_type is 'KMS'. If not specified, the default AWS managed key for ECR is used."
+  type = string
+  default = null
+}
+
+variable "create_streamlit_ecr_repo_lifecycle_policy" {
+  description = "Conditional creation of ECR Lifecycle policy for the Streamlit ECR repo. Default is to not create any policy."
+  type = bool
+  default = false
+}
+variable "streamlit_ecr_repo_lifecycle_policy" {
+  description = "A JSON string containing the ECR Lifecycle policy for the Streamlit ECR repo."
+  type = string
+  default = null
+}
 # TODO - Consider adding support for ECR Lifecycle rules in future module verison
 # variable "create_streamlit_ecr_repo_lifecycle_rules" {
@@ -225,6 +282,13 @@ variable "existing_ecs_role" {
 }
+# - CloudWatch -
+variable "streamlit_ecs_service_log_group_kms_key" {
+  description = "The KMS key ID used to encrypt the log group for the ECS service."
+  type = string
+  default = null
+}
+
 # - Tags -
 variable "tags" {
   type = map(any)
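Review bot: `streamlit_ecr_repo_image_tag_mutability` and `streamlit_ecr_repo_encryption_type` are free-form strings whose only contract is the value list in their descriptions, so a typo (the description itself has one — `'MUTABLE' or IMMUTABLE'` is missing a quote, and "images tags" should read "image tags") is caught only at apply; `validation` blocks as below make `plan` reject bad values. `streamlit_ecr_repo_kms_key` states in one sentence that the key is required when `encryption_type` is `KMS` and in the next that the AWS-managed key is used when it is not specified — those contradict each other, so keep whichever the provider actually does (I believe the managed key applies) and drop the other. The `# TODO - Consider adding support for ECR Lifecycle rules` comment and the commented-out `create_streamlit_ecr_repo_lifecycle_rules` variable visible in the context are now superseded by the lifecycle-policy variables added here and should be removed. In the `@@ -225` hunk, `streamlit_ecs_service_log_group_kms_key` is described as a "KMS key ID" but `aws_cloudwatch_log_group.kms_key_id` is documented as taking the key ARN, so the description should say ARN.

```hcl
variable "streamlit_ecr_repo_image_tag_mutability" {
  description = "Whether to enforce image tags to be immutable or not. Valid values are 'MUTABLE' or 'IMMUTABLE'."
  type        = string
  default     = "MUTABLE"

  validation {
    condition     = contains(["MUTABLE", "IMMUTABLE"], var.streamlit_ecr_repo_image_tag_mutability)
    error_message = "streamlit_ecr_repo_image_tag_mutability must be 'MUTABLE' or 'IMMUTABLE'."
  }
}

# … unchanged: enable_streamlit_ecr_repo_scan_on_push …

variable "streamlit_ecr_repo_encryption_type" {
  description = "The type of encryption for the ECR repo. Valid values are 'AES256' or 'KMS'."
  type        = string
  default     = "AES256"

  validation {
    condition     = contains(["AES256", "KMS"], var.streamlit_ecr_repo_encryption_type)
    error_message = "streamlit_ecr_repo_encryption_type must be 'AES256' or 'KMS'."
  }
}

# … unchanged: streamlit_ecr_repo_kms_key, lifecycle-policy variables …
```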