diff --git a/terraform/environments/bootstrap/delegate-access/policies.tf b/terraform/environments/bootstrap/delegate-access/policies.tf
index 9c2e8ff42..1203084fb 100644
--- a/terraform/environments/bootstrap/delegate-access/policies.tf
+++ b/terraform/environments/bootstrap/delegate-access/policies.tf
@@ -799,3 +799,46 @@ data "aws_iam_policy_document" "reporting-operations" {
 resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
 }
 }
+
+resource "aws_iam_policy" "directory-management-policy" {
+ provider = aws.workspace
+ name = "directory_management_policy"
+ path = "/"
+ policy = data.aws_iam_policy_document.directory-management-document.json
+}
+
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "directory-management-document" {
+ #checkov:skip=CKV_AWS_107
+ #checkov:skip=CKV_AWS_108
+ #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_110
+ #checkov:skip=CKV_AWS_111
+ #checkov:skip=CKV_AWS_356
+ statement {
+ sid = "DirectoryManagementAllow"
+ effect = "Allow"
+ actions = [
+ "ds:*",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:CreateTags",
+ ]
+ resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
+ }
+ statement {
+ sid = "DirectoryManagementDeny"
+ effect = "Deny"
+ actions = [
+ "ds:CreateDirectory",
+ "ds:CreateMicrosoftAD",
+ "ds:DeleteDirectory"
+ ]
+ resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
+ }
+}
\ No newline at end of file
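Review bot: The DirectoryManagementDeny statement only blocks ds:CreateDirectory, ds:CreateMicrosoftAD and ds:DeleteDirectory, while the Allow statement above it grants `ds:*` on `*`, so other directory-lifecycle actions stay open — `ds:ConnectDirectory` creates an AD Connector (a directory by another path), and `ds:CreateTrust`, `ds:ShareDirectory` and `ds:ResetUserPassword` alter the trust and credential boundary of an existing directory. If the intent is to stop this policy from creating, removing or re-scoping directories, add at least `"ds:ConnectDirectory",` and `"ds:CreateTrust",` to the Deny list, or preferably replace `ds:*` with an explicit list of the management actions this role actually needs so the Deny is not carrying the whole boundary. The EC2 write actions in the Allow (`ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`/`Egress`, `ec2:CreateNetworkInterface`) are likewise on `*` with no `condition` block; a condition on e.g. `ec2:Vpc` or `aws:RequestTag` would keep them scoped to the directory's networking rather than any VPC in the account. A one-line comment above the Deny statement, such as `# Explicit deny: directory create/delete is handled elsewhere; this role only manages existing directories`, would record the intended boundary for the next reviewer — adjust the wording to whatever the actual intent is, since it is not stated in the hunk.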