diff --git a/data.tf b/data.tf
index d23b3e3..b451124 100644
--- a/data.tf
+++ b/data.tf
@@ -74,7 +74,13 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
   statement {
     effect = "Allow"
     actions = ["secretsmanager:GetSecretValue"]
-    resources = ["${var.docker_secret}"]
+    resources = concat([var.docker_secret], var.secret_arns)
+  }
+
+  statement {
+    effect = "Allow"
+    actions = ["kms:Decrypt"]
+    resources = [var.encryption_key]
   }
 
   statement {
@@ -83,6 +89,6 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
       "ecs:ExecuteCommand",
       "ecs:DescribeTasks"
     ]
-    resources = [aws_ecs_task_definition.task.arn]
+    resources = ["${aws_ecs_task_definition.task.arn}:*"]
   }
 }
diff --git a/files/container_definition.json b/files/container_definition.json
index d0ecd75..8ead85c 100644
--- a/files/container_definition.json
+++ b/files/container_definition.json
@@ -27,6 +27,7 @@
     "volumesFrom": [],
     "logConfiguration": {
       "logDriver": "awslogs",
+      ${secretsoptions}
       "options": {
         "awslogs-group": "${awslogs_group}",
         "awslogs-region": "${awslogs_region}",
diff --git a/locals.tf b/locals.tf
index 95e99aa..9c7dec0 100644
--- a/locals.tf
+++ b/locals.tf
@@ -18,6 +18,8 @@ locals {
     }
   }
 
+  secrets = length(var.secrets) > 0 ? "\"secretOptions\": ${jsonencode(var.secrets)}," : ""
+
   container_def = templatefile("${path.module}/files/container_definition.json", {
     service_identifier = var.service_identifier
 
@@ -38,6 +40,7 @@ locals {
     awslogs_region = data.aws_region.region.name
     awslogs_group = aws_cloudwatch_log_group.task.name
     awslogs_stream_prefix = var.service_identifier
+    secretsoptions = local.secrets
   }
 )
 }
diff --git a/variables.tf b/variables.tf
index e7dd342..e1e65bb 100644
--- a/variables.tf
+++ b/variables.tf
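Review bot: `concat([var.docker_secret], var.secret_arns)` and the new `resources = [var.encryption_key]` both fail at plan time with the defaults declared in the variables.tf hunk, where `secret_arns` and `encryption_key` default to `null`: as far as I can tell `concat` rejects a null argument, and a null element in a policy statement's `resources` is rejected by the policy document data source, so the module only works when a caller sets both. Give `secret_arns` `type = list(string)` and `default = []` so the concat degrades to the existing single docker secret, and make the kms:Decrypt statement conditional so callers without a key get no statement rather than an invalid one. The statement as written is otherwise well scoped (a single key ARN, no wildcard), which is what you want on an execution role. The enclosing `data "aws_iam_policy_document"` block continues beyond the hunk.
```hcl
  dynamic "statement" {
    for_each = var.encryption_key == null ? [] : [var.encryption_key]
    content {
      effect    = "Allow"
      actions   = ["kms:Decrypt"]
      resources = [statement.value]
    }
  }
```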
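Review bot: Appending `:*` to `aws_ecs_task_definition.task.arn` does not look like it grants what is intended: ecs:ExecuteCommand and ecs:DescribeTasks are evaluated against task ARNs (the `task/<cluster>/<id>` form), not task-definition ARNs, and a task-definition ARN already ends in `:<revision>`, so a `…:<revision>:*` pattern should match neither kind of resource. If the goal is to scope exec to this service's tasks, the resource needs to be the cluster's task ARN pattern built from values the module already has (the region data source is referenced in locals.tf; account id and cluster name would come from the caller or another data source), optionally narrowed with an `ecs:cluster` condition. It is also worth confirming that the task execution role is the right principal for these actions, since ECS Exec is invoked by an operator identity rather than by the agent; the statement's opening lines are outside the hunk.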
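Review bot: `${secretsoptions}` is spliced inside `logConfiguration`, so the rendered key is `logConfiguration.secretOptions`, which ECS applies to the log driver, while the `secrets` variable in the variables.tf hunk is described as "passed to the container environment"; container environment secrets belong at the container level under a `"secrets"` key, a sibling of `"environment"`. With `logDriver` fixed to `awslogs`, driver-level secrets are unlikely to be what callers want, so either move the placeholder out of `logConfiguration` and have locals.tf emit `"secrets": …,` or correct the variable description. Because the value is string-spliced into JSON rather than built with jsonencode, a non-empty value must carry its own trailing comma, which the locals.tf expression does; a comment in the template saying so would save the next maintainer a broken render.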
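Review bot: `jsonencode(var.secrets)` is emitted verbatim under `secretOptions`, so the JSON shape is whatever the caller passes, yet `var.secrets` is declared in the variables.tf hunk with `default = ""` and no type; a caller passing a map gets a JSON object where ECS expects a list of `{name, valueFrom}` objects, and the mistake only surfaces at task-definition registration. Declaring `type = list(object({ name = string, valueFrom = string }))` with `default = []` makes the `length(var.secrets) > 0` guard operate on the intended shape and rejects wrong inputs at plan time. The `locals` block continues past the hunk.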
@@ -314,3 +314,18 @@ variable "entrypoint" {
   description = "The entry point that's passed to the container. Use [ \"sleep\", \"60\" ], when enabling exec command"
   default = ""
 }
+
+variable "secrets" {
+  description = "Secrets to be passed to the container environment"
+  default = ""
+}
+
+variable "secret_arns" {
+  description = "Arn of the secrets that are passed to the container environment"
+  default = null
+}
+
+variable "encryption_key" {
+  description = "Kms key to decrypt secrets"
+  default = null
+}