diff --git a/infra/modules/engineer-access/policies.tf b/infra/modules/engineer-access/policies.tf
index 6d734d877..80a836e6e 100644
--- a/infra/modules/engineer-access/policies.tf
+++ b/infra/modules/engineer-access/policies.tf
@@ -195,12 +195,12 @@ resource "aws_iam_policy" "manage_parameter_store" {
 })
 }
-resource "aws_iam_policy" "manage_dashboards" {
+resource "aws_iam_policy" "manage_dashboards_and_maintenance_page" {
 #checkov:skip=CKV_AWS_290: We're OK with unlimited access to CloudWatch dashboards
 #checkov:skip=CKV_AWS_355: We're OK with unlimited access to CloudWatch dashboards
- name = "manage-dashboards"
+ name = "manage-dashboards-and-maintenance-page"
 path = "/"
- description = "Create, update and delete CloudWatch dashbaords"
+ description = "Manage CloudWatch dashboards and maintenance page"
 policy = jsonencode({
 Version = "2012-10-17"
@@ -214,16 +214,7 @@ resource "aws_iam_policy" "manage_dashboards" {
 Resource = ["*"]
 }
 ]
- })
-}
-
-resource "aws_iam_policy" "manage_maintenance_page" {
- name = "manage-maintenance-page"
- path = "/"
- description = "Permission to manage maintenance page"
- policy = jsonencode({
- Version = "2012-10-17"
 Statement = [
 {
 Action = [
@@ -330,3 +321,27 @@ resource "aws_iam_policy" "get_ux_customisation" {
 ]
 })
 }
+
+resource "aws_iam_policy" "get_sustainability_data" {
+ name = "allow-get-sustainability_data"
+ path = "/"
+
+ description = "Allow access to AWS Sustainability"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sustainability:GetCarbonFootprintSummary",
+ "sustainability:GetEstimatedCarbonEmissions",
+ "sustainability:GetEstimatedCarbonEmissionsDimensionValues",
+ ]
+ Effect = "Allow"
+ Resource = [
+ "*"
+ ]
+ }
+ ]
+ })
+}
diff --git a/infra/modules/engineer-access/roles.tf b/infra/modules/engineer-access/roles.tf
index f245630f1..24ceb0e45 100644
--- a/infra/modules/engineer-access/roles.tf
+++ b/infra/modules/engineer-access/roles.tf
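Review bot: The two `#checkov:skip` justifications still say only "unlimited access to CloudWatch dashboards", but a resource-level skip suppresses CKV_AWS_290 and CKV_AWS_355 for every statement in this policy, which after the merge includes the maintenance-page actions taken over from `manage_maintenance_page`. The suppression has silently widened without the recorded reason changing, which is exactly what a later auditor will ask about. Update both comments to document the real scope, e.g. `#checkov:skip=CKV_AWS_290: We're OK with unlimited access to CloudWatch dashboards and the maintenance page` and the same wording for CKV_AWS_355. The resource body continues past the end of this hunk.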
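Review bot: On the new side of the second hunk the merged resource ends up with two `Statement` keys inside one `jsonencode({...})` object: the dashboards statement list is closed by the context line `]`, and the context line `Statement = [` that previously belonged to the removed `manage_maintenance_page` policy then opens a second list. As far as I can tell HCL rejects a repeated key in an object constructor, so `terraform validate` should fail here; if it were ever accepted, only one list could survive and the support role would silently lose either the dashboard or the maintenance-page permissions. Fold both statement objects into a single list by deleting the `]` that closes the first list and the second `Statement = [` line, leaving the two `{ ... }` objects as consecutive elements. The enclosing resource starts and ends outside this hunk.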
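Review bot: The new policy's `name` mixes separators, `allow-get-sustainability_data`, while the other policy names visible in this diff are fully hyphenated (`manage-dashboards-and-maintenance-page`, `manage-maintenance-page`). Suggest `name = "allow-get-sustainability-data"`; since `name` forces replacement of an `aws_iam_policy`, it is cheapest to settle this before the policy is created and attached. The `description` could also say what is granted rather than "Allow access to AWS Sustainability", which reads as broader than the three `Get*` actions actually listed, e.g. `description = "Read-only access to AWS sustainability (carbon footprint) data"`.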
@@ -26,13 +26,13 @@ module "support_role" {
 "arn:aws:iam::aws:policy/ReadOnlyAccess",
 aws_iam_policy.access_aws_support_centre.arn,
 aws_iam_policy.manage_parameter_store.arn,
- aws_iam_policy.manage_dashboards.arn,
+ aws_iam_policy.manage_dashboards_and_maintenance_page.arn,
 aws_iam_policy.manage_deployments.arn,
- aws_iam_policy.manage_maintenance_page.arn,
 aws_iam_policy.lock_state_files.arn,
 var.allow_rds_data_api_access ? [aws_iam_policy.query_rds_with_data_api[0].arn] : [],
 var.allow_ecs_task_usage ? [aws_iam_policy.manage_ecs_task[0].arn] : [],
 aws_iam_policy.get_ux_customisation.arn,
+ aws_iam_policy.get_sustainability_data.arn,
 ])
 ip_restrictions = local.vpn_ip_restrictions
 }
@@ -47,6 +47,7 @@ module "readonly_role" {
 "arn:aws:iam::aws:policy/ReadOnlyAccess",
 aws_iam_policy.lock_state_files.arn,
 aws_iam_policy.get_ux_customisation.arn,
+ aws_iam_policy.get_sustainability_data.arn,
 ]
 ip_restrictions = local.vpn_ip_restrictions
 }