diff --git a/config.tf b/config.tf
index 815a2fb..deb7b6f 100644
--- a/config.tf
+++ b/config.tf
@@ -101,7 +101,7 @@ resource "aws_iam_role_policy_attachment" "config-publish-policy" {
 # AWS Config: configure an S3 bucket
 module "config-bucket" {
- source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.0.4"
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.0.5"
 providers = {
 aws.bucket-replication = aws.replication-region
 }
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
index 4b06508..f7c27dc 100644
--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
@@ -13,7 +13,7 @@ resource "aws_default_route_table" "default" {
 ## Network ACL
 ## Terraform mentions you should ignore subnet_ids for aws_default_network_acl
 ## because subnets always need to be associated with something, and if they're
-## not explicity set, they will show up as a change
+## not explicitly set, they will show up as a change
 ## See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl#managing-subnets-in-the-default-network-acl
 resource "aws_default_network_acl" "default" {
 default_network_acl_id = aws_default_vpc.default.default_network_acl_id
@@ -56,6 +56,7 @@ resource "aws_default_security_group" "default" {
 # VPC Flow Logs
 ## CloudWatch log group for VPC Flow Logs
+# tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "default-vpc-flow-logs" {
 name = "default-vpc-flow-logs"
 tags = var.tags
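Review bot: The added `# tfsec:ignore:aws-cloudwatch-log-group-customer-key` above `aws_cloudwatch_log_group.default-vpc-flow-logs` in modules/vpc/main.tf silences the finding without recording why. A later reader cannot tell whether keeping the VPC flow logs on the service-default encryption is an accepted risk or a stopgap. Either set `kms_key_id` on the log group to a customer-managed key and drop the suppression, or keep it and add the reason on the line above, e.g. `## Flow logs for the unused default VPC; service-default encryption accepted, see <decision record placeholder>`. If the exception is meant to be temporary, tfsec's expiry form `# tfsec:ignore:aws-cloudwatch-log-group-customer-key:exp:<YYYY-MM-DD>` makes the check fire again after that date. The resource body continues past the end of the hunk, so this assumes no key is configured further down.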