diff --git a/modules/stack/security.tf b/modules/stack/security.tf
index 2d38986..1261913 100644
--- a/modules/stack/security.tf
+++ b/modules/stack/security.tf
@@ -22,6 +22,15 @@ data "aws_iam_policy_document" "deployer-assume-role-policy" {
 }
 }
 
+data "aws_iam_policy_document" "config-policy" {
+ statement {
+ effect = "Allow"
+ actions = ["ec2:DescribeTags"]
+
+ resources = ["*"]
+ }
+}
+
 data "aws_iam_policy_document" "codedeploy-policy" {
 statement {
 effect = "Allow"
@@ -86,6 +95,12 @@ resource "aws_iam_instance_profile" "explorer" {
 path = "/${var.prefix}/"
 }
 
+resource "aws_iam_role_policy" "config" {
+ name = "${var.prefix}-config-policy"
+ role = "${aws_iam_role.role.id}"
+ policy = "${data.aws_iam_policy_document.config-policy.json}"
+}
+
 resource "aws_iam_role" "role" {
 name = "${var.prefix}-explorer-role"
 description = "The IAM role given to each Explorer instance"
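Review bot: The `resources = ["*"]` on the new `config-policy` statement is unavoidable because `ec2:DescribeTags` does not support resource-level permissions, but the hunk does not say so, and a wildcard resource is exactly what a policy audit will flag. Add a comment above the statement, e.g. `# ec2:DescribeTags has no resource-level permissions, so "*" is required; this lets the instance read the tags of every EC2 resource in the account, not just its own.` The data source name `config-policy` also does not say what "config" is; presumably the Explorer instance reads its own tags as configuration at boot — confirm and name that in the comment so the grant can be re-justified later. A `sid` such as `sid = "ReadInstanceTags"` would make the statement easier to locate in CloudTrail and access-analyzer findings.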
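Review bot: The new `aws_iam_role_policy "config"` attaches the tag-read grant to `aws_iam_role.role`, which the context line below describes as "the IAM role given to each Explorer instance", yet the attachment itself carries no explanation; `aws_iam_role_policy` has no `description` argument, so a comment is the only place to record intent. Suggest `# Lets every Explorer instance call ec2:DescribeTags (account-wide, see config-policy); instances appear to read their own tags for configuration.` If tag values are indeed consumed as configuration, they become a trust input for the instance, so any principal able to tag these instances can influence its behaviour — worth stating in that comment and in the threat model. Referencing `aws_iam_role.role.id` here is fine since the role's id is its name, which is what `role` expects.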