diff --git a/modules/services/workload-scanning/README.md b/modules/services/workload-scanning/README.md
new file mode 100644
index 0000000..e7e8807
--- /dev/null
+++ b/modules/services/workload-scanning/README.md
@@ -0,0 +1,66 @@
+# AWS Agentless Scanning Module
+
+This Module creates the resources required to perform agentless workload (ECR) scanning.
+
+The following resources will be created in each instrumented account:
+- An IAM Role and associated policies that allows Sysdig to perform tasks necessary for agentless workload scanning, i.e.
+pull images from ECR.
+
+
+## Requirements
+
+| Name | Version |
+|------|-----------|
+| [terraform](#requirement\_terraform) | >= 1.2.0 |
+| [aws](#requirement\_aws) | >= 4.39.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 4.39.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
+| [aws_cloudformation_stack_set.scanning_role_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_registry.scanning_role_stackset_registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
+| [aws_iam_policy.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.scanning_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|-------------------------------------------------------------|:--------:|
+| [deploy\_global\_resources](#input\_deploy\_global\_resources) | (Optional) Set this field to 'true' to deploy Agentless Scanning when deploying to the main region (Non Organization Setup) | `bool` | `false` | no |
+| [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes |
+| [role\_arn](#input\_role\_arn) | (Optional) The ARN of the role to be associated with the with regional resources. Must be set if deploy_global_resources is false | `string` | `""` | no |
+| [is\_organizational](#input\_is\_organizational) | (Optional) Set this field to 'true' to deploy Agentless Workload Scanning to an AWS Organization (Or specific OUs) | `bool` | `false` | no |
+| [name](#input\_name) | The name of the installation. Assigned to most child resource(s) | `string` | `"sysdig-workload-scanning"` | no |
+| [org\_units](#input\_org\_units) | (Optional) List of Organization Unit IDs in which to setup Agentless Workload Scanning. By default, Agentless Workload Scanning will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false` | `set(string)` | `[]` | no |
+| [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` | {
"product": "sysdig-secure-for-cloud"
} | no |
+| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|---------------------------------------------------------------------|
+| [role\_arn](#output\_role\_arn) | Role used by Sysdig Platform for Secure Agentless Workload Scanning |
+
+
+## Authors
+
+Module is maintained by [Sysdig](https://sysdig.com).
+
+## License
+
+Apache 2 Licensed. See LICENSE for full details.
diff --git a/modules/services/workload-scanning/main.tf b/modules/services/workload-scanning/main.tf
new file mode 100644
index 0000000..06f9678
--- /dev/null
+++ b/modules/services/workload-scanning/main.tf
@@ -0,0 +1,96 @@
+###########################################
+# Workload Controller IAM roles and stuff #
+###########################################
+
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Single Account installs, resources
+# are created directly using the AWS Terraform Provider (This is the default behaviour). For Organizational installs,
+# see organizational.tf, and the resources in this file are used to instrument the management account (StackSets do not
+# include the management account they are created in, even if this account is within the target Organization).
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# We have two types of resources. global and regional. Global resources are deployed only once (mostly in the primary
+# region). We use deploy_global_resources boolean to determine that.
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# These resources create an Agentless Workload Scanning IAM Role and IAM Policy in the account.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_iam_policy_document" "scanning" {
+ count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+ # General ECR read permission, necessary for the fetching artifacts.
+ statement {
+ sid = "EcrReadPermissions"
+
+ effect = "Allow"
+
+ actions = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:ListTagsForResource",
+ "ecr:GetAuthorizationToken",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "scanning" {
+ count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+ name = var.name
+ description = "Grants Sysdig Secure access to volumes and snapshots"
+ policy = data.aws_iam_policy_document.scanning[0].json
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "scanning_assume_role_policy" {
+ count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+ statement {
+ sid = "SysdigWorkloadScanning"
+
+ actions = [
+ "sts:AssumeRole"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ var.trusted_identity,
+ ]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "sts:ExternalId"
+ values = [var.external_id]
+ }
+ }
+}
+
+resource "aws_iam_role" "scanning" {
+ count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+ name = var.name
+ tags = var.tags
+ assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy[0].json
+}
+
+resource "aws_iam_policy_attachment" "scanning" {
+ count = (var.deploy_global_resources || var.is_organizational) ? 1 : 0
+
+ name = var.name
+ roles = [aws_iam_role.scanning[0].name]
+ policy_arn = aws_iam_policy.scanning[0].arn
+}
diff --git a/modules/services/workload-scanning/organizational.tf b/modules/services/workload-scanning/organizational.tf
new file mode 100644
index 0000000..1f9a4bf
--- /dev/null
+++ b/modules/services/workload-scanning/organizational.tf
@@ -0,0 +1,93 @@
+#-----------------------------------------------------------------------------------------------------------------------
+# Determine if this is an Organizational install, or a single account install. For Organizational installs, resources
+# are created using CloudFormation StackSet. For Single Account installs see main.tf.
+#-----------------------------------------------------------------------------------------------------------------------
+
+data "aws_organizations_organization" "org" {
+ count = var.is_organizational ? 1 : 0
+}
+
+locals {
+ organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units)
+}
+
+#-----------------------------------------------------------------------------------------------------------------------
+# The resources in this file set up an Agentless Workload Scanning IAM Role and Policies in all accounts
+# in an AWS Organization via a CloudFormation StackSet.
+# Global resources: IAM Role and Policy
+#-----------------------------------------------------------------------------------------------------------------------
+
+#-----------------------------------------------------------------------------------------------------------------------
+# stackset and stackset instance deployed in organization units for Agentless Scanning IAM Role, Policies
+#-----------------------------------------------------------------------------------------------------------------------
+
+# stackset to deploy agentless workload scanning role in organization unit
+resource "aws_cloudformation_stack_set" "scanning_role_stackset" {
+ count = var.is_organizational ? 1 : 0
+
+ name = join("-", [var.name, "ScanningRoleOrg"])
+ tags = var.tags
+ permission_model = "SERVICE_MANAGED"
+ capabilities = ["CAPABILITY_NAMED_IAM"]
+
+ auto_deployment {
+ enabled = true
+ retain_stacks_on_account_removal = false
+ }
+
+ lifecycle {
+ ignore_changes = [administration_role_arn]
+ }
+
+ template_body = <