diff --git a/aws_quickstart/datadog_agentless_delegate_role.yaml b/aws_quickstart/datadog_agentless_delegate_role.yaml
index bd7a7b74..0ac43831 100644
--- a/aws_quickstart/datadog_agentless_delegate_role.yaml
+++ b/aws_quickstart/datadog_agentless_delegate_role.yaml
@@ -220,10 +220,8 @@ Resources:
 - Sid: EC2AssumeRole
 Effect: Allow
 Principal:
- AWS: '*'
+ AWS: !Ref 'ScannerInstanceRoleARN'
 Condition:
- ArnLike:
- 'aws:PrincipalArn': !Ref 'ScannerInstanceRoleARN'
 StringEquals:
 'aws:PrincipalTag/Datadog': 'true'
 'aws:PrincipalTag/DatadogAgentlessScanner': 'true'
diff --git a/aws_quickstart/datadog_agentless_scanning.yaml b/aws_quickstart/datadog_agentless_scanning.yaml
index d948cde6..0a5f900f 100644
--- a/aws_quickstart/datadog_agentless_scanning.yaml
+++ b/aws_quickstart/datadog_agentless_scanning.yaml
@@ -744,10 +744,8 @@ Resources:
 - Sid: EC2AssumeRole
 Effect: Allow
 Principal:
- AWS: '*'
+ AWS: !GetAtt 'ScannerInstanceRole.Arn'
 Condition:
- ArnLike:
- 'aws:PrincipalArn': !GetAtt 'ScannerInstanceRole.Arn'
 StringEquals:
 'aws:PrincipalTag/Datadog': 'true'
 'aws:PrincipalTag/DatadogAgentlessScanner': 'true'
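Review bot: Naming the role in `Principal` in the `EC2AssumeRole` statement of datadog_agentless_delegate_role.yaml is not a drop-in replacement for the old `ArnLike` condition, and the template does not document the difference. IAM validates a role ARN in `Principal` when the trust policy is saved and stores it as the role's unique ID, so `ScannerInstanceRoleARN` must now be the exact ARN of a role that already exists (a wildcard pattern that `ArnLike` would have matched is rejected), and deleting and recreating the scanner role leaves this trust pointing at the old ID until the delegate stack is updated. I would add a comment above the principal such as `# Must be the exact ARN of an existing role; update this stack if the scanner role is ever recreated.` and repeat it in the parameter's description, which, like the rest of the statement, lies outside the hunk. The same change in datadog_agentless_scanning.yaml is less exposed because `!GetAtt 'ScannerInstanceRole.Arn'` keeps both roles in one stack, though an out-of-band recreation of that role would presumably break the trust in the same way.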