diff --git a/modules/jenkins/iam.tf b/modules/jenkins/iam.tf
index 9c5f509..3e6b729 100644
--- a/modules/jenkins/iam.tf
+++ b/modules/jenkins/iam.tf
@@ -200,8 +200,6 @@ data "aws_iam_policy_document" "build_farm_fsxz_policy" {
 actions = [
 "fsx:DeleteSnapshot",
 "fsx:CreateSnapshot",
- "fsx:DescribeSnapshots",
- "fsx:DescribeVolumes",
 "fsx:ListTagsForResource"
 ]
 resources = concat(
@@ -209,6 +207,20 @@ data "aws_iam_policy_document" "build_farm_fsxz_policy" {
 [for fs in values(aws_fsx_openzfs_file_system.jenkins_build_farm_fsxz_file_system) : "arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/${fs.id}/*"]
 )
 }
+ statement {
+ effect = "Allow"
+ actions = [
+ "fsx:DescribeSnapshots"
+ ]
+ resources = ["arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:snapshot/*/*"]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "fsx:DescribeVolumes"
+ ]
+ resources = ["arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/*/*"]
+ }
 }
 resource "aws_iam_policy" "build_farm_fsxz_policy" {
 name = "${var.project_prefix}-build-farm-fsxz-policy"
diff --git a/modules/jenkins/sg.tf b/modules/jenkins/sg.tf
index a169f07..692874e 100644
--- a/modules/jenkins/sg.tf
+++ b/modules/jenkins/sg.tf
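Review bot: The two new statements grant `fsx:DescribeSnapshots` on `snapshot/*/*` and `fsx:DescribeVolumes` on `volume/*/*`, i.e. every snapshot and volume in the account and region, whereas the statement they were split out of (first hunk) scopes its resources to this module's file systems via `${fs.id}`. If the widening is deliberate because the Describe calls are issued without specific IDs and therefore cannot be bound to particular ARNs, record that next to each `resources` line, e.g. `# Describe* is called without IDs, so it cannot be scoped to this module's file systems — confirm`; otherwise reuse the per-file-system ARN list from the sibling statement. Both statements also repeat the same ARN prefix that the sibling statement already builds, which a `local` would keep in one place. The enclosing `data "aws_iam_policy_document"` block begins before the first hunk and the `aws_iam_policy` resource continues after this one.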
@@ -106,6 +106,22 @@ resource "aws_vpc_security_group_ingress_rule" "jenkins_build_farm_inbound_ssh_s
 ip_protocol = "tcp"
 }
 
+# Outbound access from Build Farm to Internet (IPV4)
+resource "aws_vpc_security_group_egress_rule" "jenkins_build_farm_outbound_ipv4" {
+ security_group_id = aws_security_group.jenkins_build_farm_sg.id
+ description = "Allow outbound traffic from Jenkins build farm to internet (ipv4)"
+ cidr_ipv4 = "0.0.0.0/0"
+ ip_protocol = "-1" # semantically equivalent to all ports
+}
+
+# Outbound access from Build Farm to Internet (IPV6)
+resource "aws_vpc_security_group_egress_rule" "jenkins_build_farm_outbound_ipv6" {
+ security_group_id = aws_security_group.jenkins_build_farm_sg.id
+ description = "Allow outbound traffic from Jenkins build farm to internet (ipv6)"
+ cidr_ipv6 = "::/0"
+ ip_protocol = "-1" # semantically equivalent to all ports
+}
+
 ########################################
 # JENKINS BUILD FARM FSX SECURITY GROUP
 ########################################
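Review bot: Both new egress rules open every protocol to `0.0.0.0/0` and `::/0` from the build farm security group, and the trailing comment on `ip_protocol = "-1"` understates this — `-1` means all protocols, not merely all ports. If the agents only need to reach package mirrors and the Jenkins controller, narrowing the rules to what is required makes the exposure easier to review later, e.g. `ip_protocol = "tcp"`, `from_port = 443`, `to_port = 443` (replies to inbound connections need no egress rule, since security groups are stateful). At minimum change the comment to `# "-1" = all protocols and therefore all ports` and state in the resource comment why unrestricted egress is needed. The ingress rule closed by the leading `}` starts above this hunk.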