diff --git a/_example/vpc-flow-logs-cloudwatch/example.tf b/_example/vpc-flow-logs-cloudwatch/example.tf
index 0431a90..a679328 100644
--- a/_example/vpc-flow-logs-cloudwatch/example.tf
+++ b/_example/vpc-flow-logs-cloudwatch/example.tf
@@ -14,7 +14,7 @@ module "vpc" {
 label_order = ["name", "environment"]
 cidr_block = "10.0.0.0/16"
 enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
- create_flow_log_cloudwatch_iam_role = false
+ create_flow_log_cloudwatch_iam_role = true
 additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"]
 dhcp_options_domain_name = "service.consul"
 dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
diff --git a/main.tf b/main.tf
index 76a622a..880b537 100644
--- a/main.tf
+++ b/main.tf
@@ -192,6 +192,7 @@ data "aws_region" "current" {}
 resource "aws_kms_key" "kms" {
 count = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null ? 1 : 0
 deletion_window_in_days = var.kms_key_deletion_window
+ enable_key_rotation = var.enable_key_rotation
 }
 
 resource "aws_kms_alias" "kms-alias" {
diff --git a/variables.tf b/variables.tf
index 031ac2f..a75be4e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -88,12 +88,6 @@ variable "enable_flow_log" {
 description = "Enable vpc_flow_log logs."
 }
 
-variable "traffic_type" {
- type = string
- default = "ALL"
- description = "Type of traffic to capture. Valid values: ACCEPT,REJECT, ALL."
-}
-
 variable "ipv4_ipam_pool_id" {
 type = string
 default = ""
@@ -193,7 +187,7 @@ variable "enable_network_address_usage_metrics" {
 variable "assign_generated_ipv6_cidr_block" {
 type = bool
 default = true
- description = "Determines whether IPAM pool is used for CIDR allocation"
+ description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. Conflicts with ipv6_ipam_pool_id"
 }
 
 variable "aws_default_network_acl" {
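Review bot: `enable_key_rotation` on `aws_kms_key.kms` is only honoured by AWS for symmetric keys; the resource sets no `key_spec`/`customer_master_key_spec` in this hunk, so it is symmetric by default and the attribute is valid today, but anyone adding an asymmetric key spec later will get an apply-time error unless the attribute is conditioned on the spec. Since the new variable defaults to `true`, every existing deployment that owns this key will see an in-place update enabling rotation on its next apply, which is worth calling out in the release notes. The `count` expression is the only thing explaining why this key exists at all; a why-comment such as `# Created only when this module owns the flow-log destination (no external ARN supplied).` above it would help readers.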
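Review bot: Dropping `variable "traffic_type"` from variables.tf is a breaking change to the module's input interface — a root module that still sets `traffic_type` will fail at plan time with an "argument not expected here" error — and nothing in the diff marks it as such. It is not visible here whether the variable was ever wired into the flow-log resource; if it was unused, say so in the commit message and README so the removal reads as cleanup rather than a lost capture-filter option, and if it was used, keep it for one release with a deprecation note in its description instead of removing it outright.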
@@ -349,3 +343,9 @@ variable "s3_sse_algorithm" {
 default = "aws:kms"
 description = "Server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
 }
+
+variable "enable_key_rotation" {
+ type = bool
+ default = true
+ description = "Specifies whether key rotation is enabled. Defaults to true(security best practice)"
+}
\ No newline at end of file
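Review bot: The description of the new `enable_key_rotation` variable has a spacing slip and does not say which key it governs, and the added block ends without a trailing newline (the `\ No newline at end of file` marker follows the new `+}` while the old `}` was a context line), so the next append to this file will show up as a modified line. Suggest `description = "Enable automatic rotation of the KMS key created for flow-log encryption. Defaults to true (security best practice)."` and restoring the final newline.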