diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
index c3bb7183..d8e5b73c 100644
--- a/infrastructure/cloudtrail.tf
+++ b/infrastructure/cloudtrail.tf
@@ -4,7 +4,7 @@ resource "aws_cloudtrail" "all-events" {
   s3_bucket_name             = var.cloudtrail_bucket_name
   kms_key_id                 = aws_kms_key.key.arn
   cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
-  cloud_watch_logs_role_arn  = "arn:aws-us-gov:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
+  cloud_watch_logs_role_arn  = "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
   tags = {
     Project = var.project
     Stage   = var.stage
@@ -14,11 +14,11 @@ resource "aws_cloudtrail" "all-events" {
     include_management_events = true
     data_resource {
       type   = "AWS::S3::Object"
-      values = ["arn:aws-us-gov:s3"]
+      values = ["arn:${var.aws_partition}:s3"]
     }
     data_resource {
       type   = "AWS::Lambda::Function"
-      values = ["arn:aws-us-gov:lambda"]
+      values = ["arn:${var.aws_partition}:lambda"]
     }
   }
   enable_log_file_validation = true
@@ -100,8 +100,9 @@ resource "aws_iam_role" "cloudtrail_role" {
 data "template_file" "cloudtrail_bucket_policy" {
   template = file("cloudtrail_bucket_policy.tpl")
   vars = {
-    bucketName = var.cloudtrail_bucket_name
-    accountId  = data.aws_caller_identity.current.account_id
+    bucketName   = var.cloudtrail_bucket_name
+    accountId    = data.aws_caller_identity.current.account_id
+    awsPartition = var.aws_partition
   }
 }
 
@@ -138,7 +139,7 @@ resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
         "logs:PutLogEvents"
       ],
       Effect   = "Allow",
-      Resource = "arn:aws-us-gov:logs:*"
+      Resource = "arn:${var.aws_partition}:logs:*"
     }]
   })
 }
diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
index 0ba644de..955a71fd 100644
--- a/infrastructure/cloudtrail_bucket_policy.tpl
+++ b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -8,7 +8,7 @@
         "Service": "cloudtrail.amazonaws.com"
       },
       "Action": ["s3:GetBucketAcl"],
-      "Resource": ["arn:aws-us-gov:s3:::${bucketName}"]
+      "Resource": ["arn:${awsPartition}:s3:::${bucketName}"]
     },
     {
       "Sid": "AWSCloudTrailWrite20121017",
@@ -18,8 +18,8 @@
       },
       "Action": ["s3:PutObject"],
       "Resource": [
-        "arn:aws-us-gov:s3:::${bucketName}/AWSLogs/${accountId}",
-        "arn:aws-us-gov:s3:::${bucketName}/AWSLogs/${accountId}/*"
+        "arn:${awsPartition}:s3:::${bucketName}/AWSLogs/${accountId}",
+        "arn:${awsPartition}:s3:::${bucketName}/AWSLogs/${accountId}/*"
       ],
       "Condition": {
         "StringEquals": {
@@ -33,8 +33,8 @@
       "Effect": "Deny",
       "Principal": "*",
       "Resource": [
-        "arn:aws-us-gov:s3:::${bucketName}",
-        "arn:aws-us-gov:s3:::${bucketName}/*"
+        "arn:${awsPartition}:s3:::${bucketName}",
+        "arn:${awsPartition}:s3:::${bucketName}/*"
       ],
       "Condition": {
         "Bool": {
@@ -43,4 +43,4 @@
       }
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/infrastructure/database.tf b/infrastructure/database.tf
index a76dddf1..5bca2b85 100644
--- a/infrastructure/database.tf
+++ b/infrastructure/database.tf
@@ -3,7 +3,7 @@ data "aws_ssm_parameter" "db_username" { name = var.ssm_db_username }
 
 resource "aws_db_subnet_group" "default" {
   name       = var.db_group_name
-  subnet_ids = [data.aws_ssm_parameter.subnet_db_1_id.value, data.aws_ssm_parameter.subnet_db_2_id.value]
+  subnet_ids = var.is_dmz ? [aws_subnet.db_1[0].id, aws_subnet.db_2[0].id] : [data.aws_ssm_parameter.subnet_db_1_id[0].value, data.aws_ssm_parameter.subnet_db_2_id[0].value]
 
   tags = {
     Project = var.project
@@ -52,7 +52,7 @@ resource "aws_db_instance" "db" {
   db_subnet_group_name = aws_db_subnet_group.default.name
   parameter_group_name = aws_db_parameter_group.default.name
 
-  vpc_security_group_ids = [aws_security_group.allow_internal.id]
+  vpc_security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]
 
   tags = {
     Project = "Crossfeed"
@@ -60,7 +60,26 @@ resource "aws_db_instance" "db" {
   }
 }
 
+data "aws_ami" "ubuntu" {
+  count                       = var.is_dmz ? 1 : 0
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  # Canonical
+  owners = ["099720109477"]
+}
+
 resource "aws_iam_role" "db_accessor" {
+  count              = var.create_db_accessor_instance ? 1 : 0
   name               = "crossfeed-db-accessor-${var.stage}"
   assume_role_policy = <<EOF
 {
@@ -87,8 +106,9 @@ EOF
 
 #Instance Profile
 resource "aws_iam_instance_profile" "db_accessor" {
-  name = "crossfeed-db-accessor-${var.stage}"
-  role = aws_iam_role.db_accessor.id
+  count = var.create_db_accessor_instance ? 1 : 0
+  name  = "crossfeed-db-accessor-${var.stage}"
+  role  = aws_iam_role.db_accessor[0].id
   tags = {
     Project = var.project
     Stage   = var.stage
@@ -98,20 +118,23 @@ resource "aws_iam_instance_profile" "db_accessor" {
 
 #Attach Policies to Instance Role
 resource "aws_iam_policy_attachment" "db_accessor_1" {
+  count      = var.create_db_accessor_instance ? 1 : 0
   name       = "crossfeed-db-accessor-${var.stage}"
-  roles      = [aws_iam_role.db_accessor.id, "AmazonSSMRoleForInstancesQuickSetup"]
-  policy_arn = "arn:aws-us-gov:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  roles      = [aws_iam_role.db_accessor[0].id, "AmazonSSMRoleForInstancesQuickSetup"]
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
 resource "aws_iam_policy_attachment" "db_accessor_2" {
+  count      = var.create_db_accessor_instance ? 1 : 0
   name       = "crossfeed-db-accessor-${var.stage}"
-  roles      = [aws_iam_role.db_accessor.id]
-  policy_arn = "arn:aws-us-gov:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+  roles      = [aws_iam_role.db_accessor[0].id]
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
 }
 
 resource "aws_iam_role_policy" "db_accessor_s3_policy" {
+  count       = var.create_db_accessor_instance ? 1 : 0
   name_prefix = "crossfeed-db-accessor-s3-${var.stage}"
-  role        = aws_iam_role.db_accessor.id
+  role        = aws_iam_role.db_accessor[0].id
   policy      = <<EOF
 {
   "Version": "2012-10-17",
@@ -135,6 +158,29 @@ resource "aws_iam_role_policy" "db_accessor_s3_policy" {
 EOF
 }
 
+resource "aws_iam_role_policy" "sqs_send_message_policy" {
+  count       = var.create_db_accessor_instance ? 1 : 0
+  name_prefix = "ec2-send-sqs-message-${var.stage}"
+  role        = aws_iam_role.db_accessor[0].id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = [
+          "sqs:SendMessage",
+          "sqs:ReceiveMessage",
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes",
+          "sqs:ListQueues",
+          "sqs:GetQueueUrl"
+        ],
+        Effect   = "Allow",
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 resource "aws_instance" "db_accessor" {
   count                       = var.create_db_accessor_instance ? 1 : 0
   ami                         = var.ami_id
@@ -163,10 +209,10 @@ resource "aws_instance" "db_accessor" {
     volume_size = 1000
   }
 
-  vpc_security_group_ids = [aws_security_group.allow_internal.id]
-  subnet_id              = data.aws_ssm_parameter.subnet_db_1_id.value
+  vpc_security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]
+  subnet_id              = var.is_dmz ? aws_subnet.backend[0].id : data.aws_ssm_parameter.subnet_db_1_id[0].value
 
-  iam_instance_profile = aws_iam_instance_profile.db_accessor.id
+  iam_instance_profile = aws_iam_instance_profile.db_accessor[0].id
   user_data            = file("./ssm-agent-install.sh")
   lifecycle {
     # prevent_destroy = true
@@ -177,7 +223,7 @@ resource "aws_instance" "db_accessor" {
 resource "aws_ssm_parameter" "lambda_sg_id" {
   name      = var.ssm_lambda_sg
   type      = "String"
-  value     = aws_security_group.allow_internal.id
+  value     = var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id
   overwrite = true
 
   tags = {
@@ -189,7 +235,7 @@ resource "aws_ssm_parameter" "lambda_sg_id" {
 resource "aws_ssm_parameter" "lambda_subnet_id" {
   name      = var.ssm_lambda_subnet
   type      = "String"
-  value     = data.aws_ssm_parameter.subnet_db_2_id.value
+  value     = var.is_dmz ? aws_subnet.backend[0].id : data.aws_ssm_parameter.subnet_db_2_id[0].value
   overwrite = true
 
   tags = {
@@ -201,7 +247,7 @@ resource "aws_ssm_parameter" "lambda_subnet_id" {
 resource "aws_ssm_parameter" "worker_sg_id" {
   name      = var.ssm_worker_sg
   type      = "String"
-  value     = aws_security_group.worker.id
+  value     = var.is_dmz ? aws_security_group.worker[0].id : aws_security_group.worker_lz[0].id 
   overwrite = true
 
   tags = {
@@ -213,7 +259,7 @@ resource "aws_ssm_parameter" "worker_sg_id" {
 resource "aws_ssm_parameter" "worker_subnet_id" {
   name      = var.ssm_worker_subnet
   type      = "String"
-  value     = data.aws_ssm_parameter.subnet_db_2_id.value
+  value     = var.is_dmz ? aws_subnet.worker[0].id : data.aws_ssm_parameter.subnet_db_2_id[0].value
   overwrite = true
 
   tags = {
@@ -279,6 +325,12 @@ resource "aws_s3_bucket_policy" "reports_bucket" {
   })
 }
 
+resource "aws_s3_bucket_acl" "reports_bucket" {
+  count  = var.is_dmz ? 1 : 0
+  bucket = aws_s3_bucket.reports_bucket.id
+  acl    = "private"
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "reports_bucket" {
   bucket = aws_s3_bucket.reports_bucket.id
   rule {
@@ -334,6 +386,12 @@ resource "aws_s3_bucket_policy" "pe_db_backups_bucket" {
   })
 }
 
+resource "aws_s3_bucket_acl" "pe_db_backups_bucket" {
+  count  = var.is_dmz ? 1 : 0
+  bucket = aws_s3_bucket.pe_db_backups_bucket.id
+  acl    = "private"
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "pe_db_backups_bucket" {
   bucket = aws_s3_bucket.pe_db_backups_bucket.id
   rule {
diff --git a/infrastructure/elastic.tf b/infrastructure/elastic.tf
index e8115995..6526d9c6 100644
--- a/infrastructure/elastic.tf
+++ b/infrastructure/elastic.tf
@@ -2,7 +2,7 @@
 
 resource "aws_instance" "elk_stack" {
   count                       = var.create_elk_instance ? 1 : 0
-  ami                         = var.ami_id
+  ami                         = var.is_dmz ? data.aws_ami.ubuntu[0].id : var.ami_id
   instance_type               = var.elk_instance_class
   associate_public_ip_address = false
 
@@ -29,10 +29,10 @@ resource "aws_instance" "elk_stack" {
     volume_size = 15
   }
 
-  vpc_security_group_ids = [aws_security_group.allow_internal.id]
-  subnet_id              = data.aws_ssm_parameter.subnet_db_1_id.value
+  vpc_security_group_ids = [aws_security_group.allow_internal[0].id]
+  subnet_id              = var.is_dmz ? aws_subnet.backend[0].id : data.aws_ssm_parameter.subnet_db_1_id[0].value
 
-  iam_instance_profile = aws_iam_instance_profile.db_accessor.id
+  iam_instance_profile = aws_iam_instance_profile.db_accessor[0].id
   user_data            = file("./ssm-agent-install.sh")
 
 
diff --git a/infrastructure/es.tf b/infrastructure/es.tf
index 01a194fe..ed141f63 100644
--- a/infrastructure/es.tf
+++ b/infrastructure/es.tf
@@ -31,15 +31,15 @@ resource "aws_elasticsearch_domain" "es" {
       "Action": "es:ESHttp*",
       "Principal": "*",
       "Effect": "Allow",
-      "Resource": "arn:aws-us-gov:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/crossfeed-${var.stage}/*"
+      "Resource": "arn:${var.aws_partition}:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/crossfeed-${var.stage}/*"
     }
   ]
 }
 POLICY
 
   vpc_options {
-    subnet_ids         = [data.aws_ssm_parameter.subnet_es_id.value]
-    security_group_ids = [aws_security_group.allow_internal.id]
+    subnet_ids         = [var.is_dmz ? aws_subnet.es_1[0].id : data.aws_ssm_parameter.subnet_es_id[0].value]
+    security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]
   }
 
   #   Only supported on certain instance types, so let's only enable this on prod: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html
@@ -104,7 +104,7 @@ resource "aws_cloudwatch_log_resource_policy" "es" {
         "logs:PutLogEventsBatch",
         "logs:CreateLogStream"
       ],
-      "Resource": "arn:aws-us-gov:logs:*"
+      "Resource": "arn:${var.aws_partition}:logs:*"
     }
   ]
 }
diff --git a/infrastructure/kms.tf b/infrastructure/kms.tf
index c84bb712..8415cb24 100644
--- a/infrastructure/kms.tf
+++ b/infrastructure/kms.tf
@@ -14,7 +14,7 @@ resource "aws_kms_key" "key" {
         Effect : "Allow",
 
         Principal : {
-          AWS : "arn:aws-us-gov:iam::${data.aws_caller_identity.current.account_id}:root"
+          AWS : "arn:${var.aws_partition}:iam::${data.aws_caller_identity.current.account_id}:root"
         },
 
         Action : [
@@ -127,7 +127,7 @@ resource "aws_kms_key" "key" {
 
         Condition : {
           ArnLike : {
-            "kms:EncryptionContext:aws:logs:arn" : "arn:aws-us-gov:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+            "kms:EncryptionContext:aws:logs:arn" : "arn:${var.aws_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
           }
         }
       },
@@ -141,10 +141,10 @@ resource "aws_kms_key" "key" {
         Resource : "*",
         Condition : {
           StringEquals : {
-            "aws:SourceArn" : "arn:aws-us-gov:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
+            "aws:SourceArn" : "arn:${var.aws_partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
           },
           StringLike : {
-            "kms:EncryptionContext:aws:cloudtrail:arn" : "arn:aws-us-gov:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
+            "kms:EncryptionContext:aws:cloudtrail:arn" : "arn:${var.aws_partition}:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
           }
         }
       },
@@ -164,10 +164,10 @@ resource "aws_kms_key" "key" {
           Service : "cloudtrail.amazonaws.com"
         },
         Action : "kms:DescribeKey",
-        Resource : "arn:aws-us-gov:kms:region:${data.aws_caller_identity.current.account_id}:key/*}",
+        Resource : "arn:${var.aws_partition}:kms:region:${data.aws_caller_identity.current.account_id}:key/*}",
         Condition : {
           StringEquals : {
-            "aws:SourceArn" : "arn:aws-us-gov:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
+            "aws:SourceArn" : "arn:${var.aws_partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
           }
         }
       }
@@ -184,4 +184,4 @@ resource "aws_kms_alias" "key" {
   target_key_id = aws_kms_key.key.id
   name          = "alias/${var.stage}-key"
 
-}
\ No newline at end of file
+}
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index 575a99b6..26bb2789 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -5,7 +5,7 @@ data "aws_availability_zones" "available" {
 resource "aws_ssm_parameter" "prod_api_domain" {
   name      = "/crossfeed/prod/DOMAIN"
   type      = "String"
-  value     = "api.crossfeed.cyber.dhs.gov"
+  value     = var.api_domain
   overwrite = true
 
   tags = {
@@ -17,7 +17,7 @@ resource "aws_ssm_parameter" "prod_api_domain" {
 resource "aws_ssm_parameter" "stage_api_domain" {
   name      = "/crossfeed/staging/DOMAIN"
   type      = "String"
-  value     = "api.staging.crossfeed.cyber.dhs.gov"
+  value     = var.api_domain
   overwrite = true
 
   tags = {
@@ -75,6 +75,12 @@ resource "aws_s3_bucket_versioning" "logging_bucket" {
   }
 }
 
+resource "aws_s3_bucket_acl" "logging_bucket" {
+  count  = var.is_dmz ? 1 : 0
+  bucket = aws_s3_bucket.logging_bucket.id
+  acl    = "private"
+}
+
 resource "aws_s3_bucket_logging" "logging_bucket" {
   bucket        = aws_s3_bucket.logging_bucket.id
   target_bucket = aws_s3_bucket.logging_bucket.id
diff --git a/infrastructure/matomo.tf b/infrastructure/matomo.tf
index 164ea9df..a91ad07c 100644
--- a/infrastructure/matomo.tf
+++ b/infrastructure/matomo.tf
@@ -133,43 +133,45 @@ resource "aws_ecs_task_definition" "matomo" {
   }
 }
 
-# TODO: Do we need this still?
-# resource "aws_service_discovery_private_dns_namespace" "default" {
-#   name        = "cfs.lz.us-cert.gov"
-#   description = "Crossfeed ${var.stage}"
-#   vpc         = aws_vpc.crossfeed_vpc.id
-# }
-
-# resource "aws_service_discovery_service" "matomo" {
-#   # ECS service can be accessed through http://matomo.cfs.lz.us-cert.gov
-#   name = "matomo"
-
-#   dns_config {
-#     namespace_id = aws_service_discovery_private_dns_namespace.default.id
-
-#     dns_records {
-#       ttl  = 10
-#       type = "A"
-#     }
-
-#     routing_policy = "MULTIVALUE"
-#   }
-# }
-
-# resource "aws_ecs_service" "matomo" {
-#   name            = "matomo"
-#   launch_type     = "FARGATE"
-#   cluster         = aws_ecs_cluster.matomo.id
-#   task_definition = aws_ecs_task_definition.matomo.arn
-#   desired_count   = 1
-#   network_configuration {
-#     subnets         = [aws_subnet.matomo_1.id]
-#     security_groups = [aws_security_group.allow_internal.id]
-#   }
-#   service_registries {
-#     registry_arn = aws_service_discovery_service.matomo.arn
-#   }
-# }
+resource "aws_service_discovery_private_dns_namespace" "default" {
+  count       = var.is_dmz ? 1 : 0
+  name        = "cfs.lz.us-cert.gov"
+  description = "Crossfeed ${var.stage}"
+  vpc         = aws_vpc.crossfeed_vpc[0].id
+}
+
+resource "aws_service_discovery_service" "matomo" {
+  # ECS service can be accessed through http://matomo.cfs.lz.us-cert.gov
+  count = var.is_dmz ? 1 : 0
+  name  = "matomo"
+
+  dns_config {
+    namespace_id = aws_service_discovery_private_dns_namespace.default[0].id
+
+    dns_records {
+      ttl  = 10
+      type = "A"
+    }
+
+    routing_policy = "MULTIVALUE"
+  }
+}
+
+resource "aws_ecs_service" "matomo" {
+  count           = var.is_dmz ? 1 : 0
+  name            = "matomo"
+  launch_type     = "FARGATE"
+  cluster         = aws_ecs_cluster.matomo.id
+  task_definition = aws_ecs_task_definition.matomo.arn
+  desired_count   = 1
+  network_configuration {
+    subnets         = [aws_subnet.matomo_1[0].id]
+    security_groups = [aws_security_group.allow_internal[0].id]
+  }
+  service_registries {
+    registry_arn = aws_service_discovery_service.matomo[0].arn
+  }
+}
 
 resource "aws_cloudwatch_log_group" "matomo" {
   name              = var.matomo_ecs_log_group_name
@@ -196,7 +198,7 @@ resource "aws_db_instance" "matomo_db" {
   engine                              = "mariadb"
   engine_version                      = "10.6"
   skip_final_snapshot                 = true
-  availability_zone                   = data.aws_availability_zones.available.names[0]
+  availability_zone                   = var.matomo_availability_zone
   multi_az                            = true
   backup_retention_period             = 35
   storage_encrypted                   = true
@@ -213,7 +215,7 @@ resource "aws_db_instance" "matomo_db" {
 
   db_subnet_group_name = aws_db_subnet_group.default.name
 
-  vpc_security_group_ids = [aws_security_group.allow_internal.id]
+  vpc_security_group_ids = [var.is_dmz ? aws_security_group.allow_internal[0].id : aws_security_group.allow_internal_lz[0].id]
 
   tags = {
     Project = var.project
diff --git a/infrastructure/pe_worker.tf b/infrastructure/pe_worker.tf
index 0afae126..c00656ed 100644
--- a/infrastructure/pe_worker.tf
+++ b/infrastructure/pe_worker.tf
@@ -1,7 +1,8 @@
 
 # P&E ECR Repository
 resource "aws_ecr_repository" "pe_worker" {
-  name = var.pe_worker_ecs_repository_name
+  count = var.is_dmz ? 1 : 0
+  name  = var.pe_worker_ecs_repository_name
   image_scanning_configuration {
     scan_on_push = true
   }
@@ -20,7 +21,8 @@ resource "aws_ecr_repository" "pe_worker" {
 
 # P&E ECS Cluster
 resource "aws_ecs_cluster" "pe_worker" {
-  name = var.pe_worker_ecs_cluster_name
+  count = var.is_dmz ? 1 : 0
+  name  = var.pe_worker_ecs_cluster_name
 
   setting {
     name  = "containerInsights"
@@ -34,18 +36,20 @@ resource "aws_ecs_cluster" "pe_worker" {
 }
 
 resource "aws_ecs_cluster_capacity_providers" "pe_worker" {
-  cluster_name       = aws_ecs_cluster.pe_worker.name
+  count              = var.is_dmz ? 1 : 0
+  cluster_name       = aws_ecs_cluster.pe_worker[count.index].name
   capacity_providers = ["FARGATE"]
 }
 
 # P&E generic task definition
 resource "aws_ecs_task_definition" "pe_worker" {
+  count                    = var.is_dmz ? 1 : 0
   family                   = var.pe_worker_ecs_task_definition_family
   container_definitions    = <<EOF
 [
   {
     "name": "main",
-    "image": "${aws_ecr_repository.pe_worker.repository_url}:latest",
+    "image": "${aws_ecr_repository.pe_worker[0].repository_url}:latest",
     "essential": true,
     "mountPoints": [],
     "portMappings": [],
@@ -170,6 +174,7 @@ resource "aws_ecs_task_definition" "pe_worker" {
 
 # Create the  log group
 resource "aws_cloudwatch_log_group" "pe_worker" {
+  count             = var.is_dmz ? 1 : 0
   name              = var.pe_worker_ecs_log_group_name
   retention_in_days = 3653
   kms_key_id        = aws_kms_key.key.arn
diff --git a/infrastructure/prod-lz.tfvars b/infrastructure/prod-lz.tfvars
index fef9581d..8b4cdcc0 100644
--- a/infrastructure/prod-lz.tfvars
+++ b/infrastructure/prod-lz.tfvars
@@ -1,5 +1,7 @@
 aws_region                        = "us-gov-east-1"
 aws_other_region                  = "us-gov-west-1"
+aws_partition                     = "aws-us-gov"
+is_dmz                            = false
 project                           = "Crossfeed"
 stage                             = "prod"
 frontend_domain                   = "crossfeed.cyber.dhs.gov"
@@ -74,6 +76,7 @@ ssm_user_pool_id                  = "/crossfeed/prod/USER_POOL_ID"
 ssm_user_pool_client_id           = "/crossfeed/prod/USER_POOL_CLIENT_ID"
 ses_support_email_sender          = "noreply@crossfeed.cyber.dhs.gov"
 ses_support_email_replyto         = "vulnerability@cisa.dhs.gov"
+matomo_availability_zone             = "us-gov-east-1a"
 matomo_ecs_cluster_name           = "crossfeed-matomo-prod"
 matomo_ecs_task_definition_family = "crossfeed-matomo-prod"
 matomo_ecs_log_group_name         = "crossfeed-matomo-prod"
@@ -92,6 +95,8 @@ cloudtrail_name                   = "crossfeed-prod-all-events"
 cloudtrail_bucket_name            = "cisa-crossfeed-prod-cloudtrail"
 cloudtrail_role_name              = "crossfeed-prod-cloudtrail"
 cloudtrail_log_group_name         = "crossfeed-prod-cloudtrail"
+cloudwatch_bucket_name            = "cisa-crossfeed-prod-cloudwatch"
+cloudwatch_log_group_name         = "crossfeed-prod-cloudwatch-bucket"
 es_instance_master_count          = 3
 ssm_vpc_id                        = "/LZ/VPC_ID"
 ssm_vpc_cidr_block                = "/LZ/VPC_CIDR_BLOCK"
diff --git a/infrastructure/prod.config b/infrastructure/prod.config
index e54c88df..fcb8b0ae 100644
--- a/infrastructure/prod.config
+++ b/infrastructure/prod.config
@@ -3,6 +3,6 @@
 
 
 key="PROD/frontend-prod.tfstate"
-bucket="crossfeed-prod-terraform-state"
-region="us-gov-east-1"
-profile="LZ-SystemAdmin-Role-263512260366"
+bucket="cisa-cd-crossfeed-terraform-state-prod"
+region="us-east-1"
+profile="default"
\ No newline at end of file
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
index fef9581d..eb910853 100644
--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
@@ -1,5 +1,7 @@
 aws_region                        = "us-gov-east-1"
 aws_other_region                  = "us-gov-west-1"
+aws_partition                     = "aws"
+is_dmz                            = true
 project                           = "Crossfeed"
 stage                             = "prod"
 frontend_domain                   = "crossfeed.cyber.dhs.gov"
@@ -74,6 +76,7 @@ ssm_user_pool_id                  = "/crossfeed/prod/USER_POOL_ID"
 ssm_user_pool_client_id           = "/crossfeed/prod/USER_POOL_CLIENT_ID"
 ses_support_email_sender          = "noreply@crossfeed.cyber.dhs.gov"
 ses_support_email_replyto         = "vulnerability@cisa.dhs.gov"
+matomo_availability_zone             = "us-east-1a"
 matomo_ecs_cluster_name           = "crossfeed-matomo-prod"
 matomo_ecs_task_definition_family = "crossfeed-matomo-prod"
 matomo_ecs_log_group_name         = "crossfeed-matomo-prod"
@@ -93,15 +96,3 @@ cloudtrail_bucket_name            = "cisa-crossfeed-prod-cloudtrail"
 cloudtrail_role_name              = "crossfeed-prod-cloudtrail"
 cloudtrail_log_group_name         = "crossfeed-prod-cloudtrail"
 es_instance_master_count          = 3
-ssm_vpc_id                        = "/LZ/VPC_ID"
-ssm_vpc_cidr_block                = "/LZ/VPC_CIDR_BLOCK"
-ssm_route_table_endpoints_id      = "/LZ/ROUTE_TABLE_ENDPOINTS_ID"
-ssm_route_table_private_A_id      = "/LZ/ROUTE_TABLE_PRIVATE_A_ID"
-ssm_route_table_private_B_id      = "/LZ/ROUTE_TABLE_PRIVATE_B_ID"
-ssm_route_table_private_C_id      = "/LZ/ROUTE_TABLE_PRIVATE_C_ID"
-ssm_subnet_backend_id             = "/LZ/SUBNET_ENDPOINT_A_ID"
-ssm_subnet_worker_id              = "/LZ/SUBNET_ENDPOINT_B_ID"
-ssm_subnet_matomo_id              = "/LZ/SUBNET_ENDPOINT_C_ID"
-ssm_subnet_db_1_id                = "/LZ/SUBNET_PRIVATE_A_ID"
-ssm_subnet_db_2_id                = "/LZ/SUBNET_PRIVATE_B_ID"
-ssm_subnet_es_id                  = "/LZ/SUBNET_PRIVATE_C_ID"
diff --git a/infrastructure/provider.tf b/infrastructure/provider.tf
index 59eb7016..16a142fd 100644
--- a/infrastructure/provider.tf
+++ b/infrastructure/provider.tf
@@ -10,6 +10,7 @@ terraform {
 }
 
 provider "aws" {
+  alias                    = "main"
   region                   = var.aws_region
   shared_credentials_files = ["$HOME/.aws/credentials"]
 }
diff --git a/infrastructure/stage-lz.tfvars b/infrastructure/stage-lz.tfvars
index f21d03d5..a90edede 100644
--- a/infrastructure/stage-lz.tfvars
+++ b/infrastructure/stage-lz.tfvars
@@ -1,100 +1,111 @@
-aws_region                           = "us-east-1"
-project                              = "Crossfeed"
-stage                                = "staging"
-frontend_domain                      = "staging-cd.crossfeed.cyber.dhs.gov"
-frontend_lambda_function             = "crossfeed-security-headers-staging"
-frontend_bucket                      = "staging.crossfeed.cyber.dhs.gov"
-api_domain                           = "api.staging-cd.crossfeed.cyber.dhs.gov"
-frontend_cert_arn                    = "arn:aws:acm:us-east-1:957221700844:certificate/a0f51e21-3b90-43c5-b2e7-b99e1897429d"
-db_name                              = "crossfeed-stage-db"
-db_port                              = 5432
-db_table_name                        = "cfstagingdb"
-db_instance_class                    = "db.t3.2xlarge"
-log_metric_namespace                 = "LogMetrics"
-log_metric_root_user                 = "crossfeed-staging-RootUserAccess"
-log_metric_api_error_rate            = "crossfeed-staging-APIErrorRate"
-log_metric_unauthorized_api_call     = "crossfeed-staging-UnauthorizedApiCall"
-log_metric_login_without_mfa         = "crossfeed-staging-ConsoleSignInWithoutMFA"
-log_metric_iam_policy                = "crossfeed-staging-IAMPolicyChange"
-log_metric_cloudtrail                = "crossfeed-staging-CloudTrailConfigurationChanges"
-log_metric_login_failure             = "crossfeed-staging-ConsoleLoginFailure"
-log_metric_cmk_delete_disable        = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK"
-log_metric_s3_bucket_policy          = "crossfeed-staging-S3BucketPolicyChanges"
-log_metric_aws_config                = "crossfeed-staging-AWSConfigConfigurationChange"
-log_metric_security_group            = "crossfeed-staging-SecurityGroupChange"
-log_metric_nacl                      = "crossfeed-staging-NACLChange"
-log_metric_network_gateway           = "crossfeed-staging-NetworkGatewayChange"
-log_metric_route_table               = "crossfeed-staging-RouteTableChange"
-log_metric_vpc                       = "crossfeed-staging-VPCChange"
-log_metric_ec2_shutdown              = "crossfeed-staging-EC2Shutdown"
-log_metric_db_shutdown               = "crossfeed-staging-DBShutdown"
-log_metric_db_deletion               = "crossfeed-staging-DBDeletion"
-sns_topic_alarms                     = "crossfeed-staging-cis-alarms"
-ssm_lambda_subnet                    = "/crossfeed/staging/SUBNET_ID"
-ssm_lambda_sg                        = "/crossfeed/staging/SG_ID"
-ssm_worker_subnet                    = "/crossfeed/staging/WORKER_SUBNET_ID"
-ssm_worker_sg                        = "/crossfeed/staging/WORKER_SG_ID"
-ssm_worker_arn                       = "/crossfeed/staging/WORKER_CLUSTER_ARN"
-ssm_db_name                          = "/crossfeed/staging/DATABASE_NAME"
-ssm_db_host                          = "/crossfeed/staging/DATABASE_HOST"
-ssm_db_username                      = "/crossfeed/staging/DATABASE_USER"
-ssm_db_password                      = "/crossfeed/staging/DATABASE_PASSWORD"
-ssm_pe_db_name                       = "/crossfeed/staging/PE_DB_NAME"
-ssm_pe_db_username                   = "/crossfeed/staging/PE_DB_USERNAME"
-ssm_pe_db_password                   = "/crossfeed/staging/PE_DB_PASSWORD"
-ssm_matomo_db_password               = "/crossfeed/staging/MATOMO_DATABASE_PASSWORD"
-ssm_worker_signature_public_key      = "/crossfeed/staging/WORKER_SIGNATURE_PUBLIC_KEY"
-ssm_worker_signature_private_key     = "/crossfeed/staging/WORKER_SIGNATURE_PRIVATE_KEY"
-ssm_censys_api_id                    = "/crossfeed/staging/CENSYS_API_ID"
-ssm_censys_api_secret                = "/crossfeed/staging/CENSYS_API_SECRET"
-ssm_shodan_api_key                   = "/crossfeed/staging/SHODAN_API_KEY"
-ssm_hibp_api_key                     = "/crossfeed/staging/HIBP_API_KEY"
-ssm_pe_shodan_api_keys               = "/crossfeed/staging/PE_SHODAN_API_KEYS"
-ssm_sixgill_client_id                = "/crossfeed/staging/SIXGILL_CLIENT_ID"
-ssm_sixgill_client_secret            = "/crossfeed/staging/SIXGILL_CLIENT_SECRET"
-ssm_intelx_api_key                   = "/crossfeed/staging/INTELX_API_KEY"
-ssm_lg_api_key                       = "/crossfeed/staging/LG_API_KEY"
-ssm_lg_workspace_name                = "/crossfeed/staging/LG_WORKSPACE_NAME"
-ssm_pe_api_key                       = "/crossfeed/staging/PE_API_KEY"
-ssm_cf_api_key                       = "/crossfeed/staging/CF_API_KEY"
-db_group_name                        = "crossfeed-staging-db-group"
-worker_ecs_repository_name           = "crossfeed-staging-worker"
-worker_ecs_cluster_name              = "crossfeed-staging-worker"
-worker_ecs_task_definition_family    = "crossfeed-staging-worker"
-worker_ecs_log_group_name            = "crossfeed-staging-worker"
-worker_ecs_role_name                 = "crossfeed-staging-worker"
-pe_worker_ecs_repository_name        = "pe-staging-worker"
-pe_worker_ecs_cluster_name           = "pe-staging-worker"
-pe_worker_ecs_task_definition_family = "pe-staging-worker"
-pe_worker_ecs_log_group_name         = "pe-staging-worker"
-pe_worker_ecs_role_name              = "pe-staging-worker"
-pe_cybersixgill_ecs_service_name     = "pe-staging-cybersixgill"
-logging_bucket_name                  = "cisa-crossfeed-staging-logging"
-cloudtrail_name                      = "crossfeed-staging-all-events"
-cloudtrail_bucket_name               = "cisa-crossfeed-staging-cloudtrail"
-cloudtrail_role_name                 = "cisa-crossfeed-staging-cloudtrail"
-cloudtrail_log_group_name            = "cisa-crossfeed-staging-cloudtrail"
-cloudwatch_bucket_name               = "cisa-crossfeed-staging-cloudwatch"
-cloudwatch_log_group_name            = "crossfeed-staging-cloudwatch-bucket"
-export_bucket_name                   = "cisa-crossfeed-staging-exports"
-reports_bucket_name                  = "cisa-crossfeed-staging-reports"
-pe_db_backups_bucket_name            = "cisa-crossfeed-staging-pe-db-backups"
-user_pool_name                       = "crossfeed-staging"
-user_pool_domain                     = "crossfeed-staging"
-ssm_user_pool_id                     = "/crossfeed/staging/USER_POOL_ID"
-ssm_user_pool_client_id              = "/crossfeed/staging/USER_POOL_CLIENT_ID"
-ses_support_email_sender             = "noreply@staging.crossfeed.cyber.dhs.gov"
-ses_support_email_replyto            = "vulnerability@cisa.dhs.gov"
-matomo_ecs_cluster_name              = "crossfeed-matomo-staging"
-matomo_ecs_task_definition_family    = "crossfeed-matomo-staging"
-matomo_ecs_log_group_name            = "crossfeed-matomo-staging"
-matomo_db_name                       = "crossfeed-matomo-staging"
-matomo_db_instance_class             = "db.t3.small"
-matomo_ecs_role_name                 = "crossfeed-matomo-staging"
-es_instance_type                     = "t3.small.elasticsearch"
-es_instance_count                    = 1
-es_instance_volume_size              = 100
-create_db_accessor_instance          = true
-db_accessor_instance_class           = "m5.4xlarge"
-create_elk_instance                  = true
-elk_instance_class                   = "t3.2xlarge"
+aws_region                        = "us-east-1"
+aws_partition                     = "aws-us-gov"
+is_dmz                            = false
+project                           = "Crossfeed"
+stage                             = "staging"
+frontend_domain                   = "staging.crossfeed.cyber.dhs.gov"
+frontend_lambda_function          = "crossfeed-security-headers-staging"
+frontend_bucket                   = "staging.crossfeed.cyber.dhs.gov"
+api_domain                        = "api.staging.crossfeed.cyber.dhs.gov"
+db_name                           = "crossfeed-stage-db"
+db_port                           = 5432
+db_table_name                     = "cfstagingdb"
+db_instance_class                 = "db.m5.xlarge"
+log_metric_namespace              = "LogMetrics"
+log_metric_root_user              = "crossfeed-staging-RootUserAccess"
+log_metric_api_error_rate         = "crossfeed-staging-APIErrorRate"
+log_metric_unauthorized_api_call  = "crossfeed-staging-UnauthorizedApiCall"
+log_metric_login_without_mfa      = "crossfeed-staging-ConsoleSignInWithoutMFA"
+log_metric_iam_policy             = "crossfeed-staging-IAMPolicyChange"
+log_metric_cloudtrail             = "crossfeed-staging-CloudTrailConfigurationChanges"
+log_metric_login_failure          = "crossfeed-staging-ConsoleLoginFailure"
+log_metric_cmk_delete_disable     = "crossfeed-staging-DisablingOrScheduledDeletionOfCMK"
+log_metric_s3_bucket_policy       = "crossfeed-staging-S3BucketPolicyChanges"
+log_metric_aws_config             = "crossfeed-staging-AWSConfigConfigurationChange"
+log_metric_security_group         = "crossfeed-staging-SecurityGroupChange"
+log_metric_nacl                   = "crossfeed-staging-NACLChange"
+log_metric_network_gateway        = "crossfeed-staging-NetworkGatewayChange"
+log_metric_route_table            = "crossfeed-staging-RouteTableChange"
+log_metric_vpc                    = "crossfeed-staging-VPCChange"
+log_metric_ec2_shutdown           = "crossfeed-staging-EC2Shutdown"
+log_metric_db_shutdown            = "crossfeed-staging-DBShutdown"
+log_metric_db_deletion            = "crossfeed-staging-DBDeletion"
+sns_topic_alarms                  = "crossfeed-staging-cis-alarms"
+ssm_crossfeed_vpc_name            = "/crossfeed/staging/VPC_NAME"
+ssm_lambda_subnet                 = "/crossfeed/staging/SUBNET_ID"
+ssm_lambda_sg                     = "/crossfeed/staging/SG_ID"
+ssm_worker_subnet                 = "/crossfeed/staging/WORKER_SUBNET_ID"
+ssm_worker_sg                     = "/crossfeed/staging/WORKER_SG_ID"
+ssm_worker_arn                    = "/crossfeed/staging/WORKER_CLUSTER_ARN"
+ssm_db_name                       = "/crossfeed/staging/DATABASE_NAME"
+ssm_db_host                       = "/crossfeed/staging/DATABASE_HOST"
+ssm_db_username                   = "/crossfeed/staging/DATABASE_USER"
+ssm_db_password                   = "/crossfeed/staging/DATABASE_PASSWORD"
+ssm_pe_db_name                    = "/crossfeed/staging/PE_DB_NAME"
+ssm_pe_db_username                = "/crossfeed/staging/PE_DB_USERNAME"
+ssm_pe_db_password                = "/crossfeed/staging/PE_DB_PASSWORD"
+ssm_matomo_db_password            = "/crossfeed/staging/MATOMO_DATABASE_PASSWORD"
+ssm_worker_signature_public_key   = "/crossfeed/staging/WORKER_SIGNATURE_PUBLIC_KEY"
+ssm_worker_signature_private_key  = "/crossfeed/staging/WORKER_SIGNATURE_PRIVATE_KEY"
+ssm_censys_api_id                 = "/crossfeed/staging/CENSYS_API_ID"
+ssm_censys_api_secret             = "/crossfeed/staging/CENSYS_API_SECRET"
+ssm_shodan_api_key                = "/crossfeed/staging/SHODAN_API_KEY"
+ssm_hibp_api_key                  = "/crossfeed/staging/HIBP_API_KEY"
+ssm_pe_shodan_api_keys            = "/crossfeed/staging/PE_SHODAN_API_KEYS"
+ssm_sixgill_client_id             = "/crossfeed/staging/SIXGILL_CLIENT_ID"
+ssm_sixgill_client_secret         = "/crossfeed/staging/SIXGILL_CLIENT_SECRET"
+ssm_lg_api_key                    = "/crossfeed/staging/LG_API_KEY"
+ssm_lg_workspace_name             = "/crossfeed/staging/LG_WORKSPACE_NAME"
+ssm_https_proxy                   = "/crossfeed/staging/HTTPS_PROXY"
+ssm_ses_email_identity_arn        = "/crossfeed/staging/SES_EMAIL_IDENTITY_ARN"
+ssm_worker_kms_keys               = "/crossfeed/staging/WORKER_KMS_KEYS"
+db_group_name                     = "crossfeed-staging-db-group"
+worker_ecs_repository_name        = "crossfeed-staging-worker"
+worker_ecs_cluster_name           = "crossfeed-staging-worker"
+worker_ecs_task_definition_family = "crossfeed-staging-worker"
+worker_ecs_log_group_name         = "crossfeed-staging-worker"
+worker_ecs_role_name              = "crossfeed-staging-worker"
+logging_bucket_name               = "cisa-crossfeed-staging-logging"
+export_bucket_name                = "cisa-crossfeed-staging-exports"
+reports_bucket_name               = "cisa-crossfeed-staging-reports"
+pe_db_backups_bucket_name         = "cisa-crossfeed-staging-pe-db-backups"
+user_pool_name                    = "crossfeed-staging"
+user_pool_domain                  = "crossfeed-staging"
+ssm_user_pool_id                  = "/crossfeed/staging/USER_POOL_ID"
+ssm_user_pool_client_id           = "/crossfeed/staging/USER_POOL_CLIENT_ID"
+ses_support_email_sender          = "noreply@staging.crossfeed.cyber.dhs.gov"
+ses_support_email_replyto         = "vulnerability@cisa.dhs.gov"
+matomo_availability_zone             = "us-gov-east-1b"
+matomo_ecs_cluster_name           = "crossfeed-matomo-staging"
+matomo_ecs_task_definition_family = "crossfeed-matomo-staging"
+matomo_ecs_log_group_name         = "crossfeed-matomo-staging"
+matomo_db_name                    = "crossfeed-matomo-staging"
+matomo_db_instance_class          = "db.m5.xlarge"
+matomo_ecs_role_name              = "crossfeed-matomo-staging"
+es_instance_type                  = "t3.small.elasticsearch"
+es_instance_count                 = 3
+es_instance_volume_size           = 100
+create_db_accessor_instance       = true
+db_accessor_instance_class        = "t3.2xlarge"
+create_elk_instance               = true
+elk_instance_class                = "t3.2xlarge"
+ami_id                            = "ami-0a1445a13e666a557"
+cloudtrail_name                   = "crossfeed-staging-all-events"
+cloudtrail_bucket_name            = "cisa-crossfeed-staging-cloudtrail"
+cloudtrail_role_name              = "crossfeed-staging-cloudtrail"
+cloudtrail_log_group_name         = "crossfeed-staging-cloudtrail"
+cloudwatch_bucket_name            = "cisa-crossfeed-staging-cloudwatch"
+cloudwatch_log_group_name         = "crossfeed-staging-cloudwatch-bucket"
+es_instance_master_count          = 3
+ssm_vpc_id                        = "/LZ/VPC_ID"
+ssm_vpc_cidr_block                = "/LZ/VPC_CIDR_BLOCK"
+ssm_route_table_endpoints_id      = "/LZ/ROUTE_TABLE_ENDPOINTS_ID"
+ssm_route_table_private_A_id      = "/LZ/ROUTE_TABLE_PRIVATE_A_ID"
+ssm_route_table_private_B_id      = "/LZ/ROUTE_TABLE_PRIVATE_B_ID"
+ssm_route_table_private_C_id      = "/LZ/ROUTE_TABLE_PRIVATE_C_ID"
+ssm_subnet_backend_id             = "/LZ/SUBNET_ENDPOINT_A_ID"
+ssm_subnet_worker_id              = "/LZ/SUBNET_ENDPOINT_B_ID"
+ssm_subnet_matomo_id              = "/LZ/SUBNET_ENDPOINT_C_ID"
+ssm_subnet_db_1_id                = "/LZ/SUBNET_PRIVATE_A_ID"
+ssm_subnet_db_2_id                = "/LZ/SUBNET_PRIVATE_B_ID"
+ssm_subnet_es_id                  = "/LZ/SUBNET_PRIVATE_C_ID"
\ No newline at end of file
diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
index f21d03d5..7d814680 100644
--- a/infrastructure/stage.tfvars
+++ b/infrastructure/stage.tfvars
@@ -1,4 +1,6 @@
 aws_region                           = "us-east-1"
+aws_partition                        = "aws"
+is_dmz                               = true
 project                              = "Crossfeed"
 stage                                = "staging"
 frontend_domain                      = "staging-cd.crossfeed.cyber.dhs.gov"
@@ -85,6 +87,7 @@ ssm_user_pool_id                     = "/crossfeed/staging/USER_POOL_ID"
 ssm_user_pool_client_id              = "/crossfeed/staging/USER_POOL_CLIENT_ID"
 ses_support_email_sender             = "noreply@staging.crossfeed.cyber.dhs.gov"
 ses_support_email_replyto            = "vulnerability@cisa.dhs.gov"
+matomo_availability_zone             = "us-east-1a"
 matomo_ecs_cluster_name              = "crossfeed-matomo-staging"
 matomo_ecs_task_definition_family    = "crossfeed-matomo-staging"
 matomo_ecs_log_group_name            = "crossfeed-matomo-staging"
@@ -98,3 +101,4 @@ create_db_accessor_instance          = true
 db_accessor_instance_class           = "m5.4xlarge"
 create_elk_instance                  = true
 elk_instance_class                   = "t3.2xlarge"
+es_instance_master_count             = 3
diff --git a/infrastructure/users.tf b/infrastructure/users.tf
index 8df4a80e..582240f4 100644
--- a/infrastructure/users.tf
+++ b/infrastructure/users.tf
@@ -1,6 +1,37 @@
 data "aws_ssm_parameter" "ses_email_identity_arn" { name = var.ssm_ses_email_identity_arn }
 
 resource "aws_cognito_user_pool" "pool" {
+  count                    = var.is_dmz ? 1 : 0
+  name                     = var.user_pool_name
+  mfa_configuration        = "ON"
+  username_attributes      = ["email"]
+  auto_verified_attributes = ["email"]
+
+  software_token_mfa_configuration {
+    enabled = true
+  }
+  email_configuration {
+    email_sending_account  = "DEVELOPER"
+    from_email_address     = "noreply@${var.frontend_domain}"
+    reply_to_email_address = "vulnerability@cisa.dhs.gov"
+    source_arn             = aws_ses_email_identity.default[0].arn
+  }
+
+
+  # Users can recover their accounts by verifying their email address (required mechanism)
+  verification_message_template {
+    email_subject = "Crossfeed verification code"
+    email_message = "Your verification code is {####}. Please enter this code in when logging into Crossfeed to complete your account setup."
+  }
+
+  tags = {
+    Project = var.project
+    Owner   = "Crossfeed managed resource"
+  }
+}
+
+resource "aws_cognito_user_pool" "lz_pool" {
+  count                    = var.is_dmz ? 0 : 1
   provider                 = aws.other
   name                     = var.user_pool_name
   mfa_configuration        = "ON"
@@ -37,16 +68,42 @@ resource "aws_cognito_user_pool" "pool" {
   }
 }
 
+resource "aws_ses_email_identity" "default" {
+  count = var.is_dmz ? 1 : 0
+  email = var.ses_support_email_sender
+}
+
 resource "aws_cognito_user_pool_domain" "auth_domain" {
+  count        = var.is_dmz ? 1 : 0
+  domain       = var.user_pool_domain
+  user_pool_id = aws_cognito_user_pool.pool[0].id
+}
+
+resource "aws_cognito_user_pool_domain" "auth_domain_lz" {
+  count        = var.is_dmz ? 0 : 1
   provider     = aws.other
   domain       = var.user_pool_domain
-  user_pool_id = aws_cognito_user_pool.pool.id
+  user_pool_id = aws_cognito_user_pool.lz_pool[0].id
 }
 
 resource "aws_cognito_user_pool_client" "client" {
+  count                                = var.is_dmz ? 1 : 0
+  name                                 = "crossfeed"
+  user_pool_id                         = aws_cognito_user_pool.pool[0].id
+  callback_urls                        = ["http://localhost"]
+  supported_identity_providers         = ["COGNITO"]
+  allowed_oauth_scopes                 = ["email", "openid"]
+  allowed_oauth_flows                  = ["code"]
+  explicit_auth_flows                  = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
+  allowed_oauth_flows_user_pool_client = true
+  prevent_user_existence_errors        = "ENABLED"
+}
+
+resource "aws_cognito_user_pool_client" "client_lz" {
+  count                                = var.is_dmz ? 0 : 1
   provider                             = aws.other
   name                                 = "crossfeed"
-  user_pool_id                         = aws_cognito_user_pool.pool.id
+  user_pool_id                         = aws_cognito_user_pool.lz_pool[0].id
   callback_urls                        = ["http://localhost"]
   supported_identity_providers         = ["COGNITO"]
   allowed_oauth_scopes                 = ["email", "openid"]
@@ -57,9 +114,10 @@ resource "aws_cognito_user_pool_client" "client" {
 }
 
 resource "aws_ssm_parameter" "user_pool_id" {
+  count     = var.is_dmz ? 1 : 0
   name      = var.ssm_user_pool_id
   type      = "String"
-  value     = aws_cognito_user_pool.pool.id
+  value     = aws_cognito_user_pool.pool[0].id
   overwrite = true
 
   tags = {
@@ -69,9 +127,36 @@ resource "aws_ssm_parameter" "user_pool_id" {
 }
 
 resource "aws_ssm_parameter" "user_pool_client_id" {
+  count     = var.is_dmz ? 1 : 0
+  name      = var.ssm_user_pool_client_id
+  type      = "String"
+  value     = aws_cognito_user_pool_client.client[0].id
+  overwrite = true
+
+  tags = {
+    Project = var.project
+    Owner   = "Crossfeed managed resource"
+  }
+}
+
+resource "aws_ssm_parameter" "user_pool_id_lz" {
+  count     = var.is_dmz ? 0 : 1
+  name      = var.ssm_user_pool_id
+  type      = "String"
+  value     = aws_cognito_user_pool.lz_pool[0].id
+  overwrite = true
+
+  tags = {
+    Project = var.project
+    Owner   = "Crossfeed managed resource"
+  }
+}
+
+resource "aws_ssm_parameter" "user_pool_client_id_lz" {
+  count     = var.is_dmz ? 0 : 1
   name      = var.ssm_user_pool_client_id
   type      = "String"
-  value     = aws_cognito_user_pool_client.client.id
+  value     = aws_cognito_user_pool_client.client_lz[0].id
   overwrite = true
 
   tags = {
diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
index cfad62a0..8015a583 100644
--- a/infrastructure/vars.tf
+++ b/infrastructure/vars.tf
@@ -10,6 +10,18 @@ variable "aws_other_region" {
   default     = "us-gov-west-1"
 }
 
+variable "aws_partition" {
+  description = "aws_partition"
+  type        = string
+  default     = "aws"
+}
+
+variable "is_dmz" {
+  description = "is_dmz"
+  type        = bool
+  default     = false
+}
+
 variable "project" {
   description = "project"
   type        = string
@@ -668,3 +680,69 @@ variable "ssm_worker_kms_keys" {
   type        = string
   default     = "/crossfeed/staging/WORKER_KMS_KEYS"
 }
+
+variable "ssm_intelx_api_key" {
+  description = "ssm_intelx_api_key"
+  type        = string
+  default     = "/crossfeed/staging/INTELX_API_KEY"
+}
+
+variable "ssm_pe_api_key" {
+  description = "ssm_pe_api_key"
+  type        = string
+  default     = "/crossfeed/staging/PE_API_KEY"
+}
+
+variable "ssm_cf_api_key" {
+  description = "ssm_cf_api_key"
+  type        = string
+  default     = "/crossfeed/staging/CF_API_KEY"
+}
+
+variable "cloudwatch_bucket_name" {
+  description = "cloudwatch_bucket_name"
+  type        = string
+  default     = "cisa-crossfeed-staging-cloudwatch"
+}
+
+variable "cloudwatch_log_group_name" {
+  description = "cloudwatch_log_group_name"
+  type        = string
+  default     = "crossfeed-staging-cloudwatch-bucket"
+}
+
+variable "pe_worker_ecs_repository_name" {
+  description = "pe_worker_ecs_repository_name"
+  type        = string
+  default     = "pe-staging-worker"
+}
+
+variable "pe_worker_ecs_cluster_name" {
+  description = "pe_worker_ecs_cluster_name"
+  type        = string
+  default     = "pe-staging-worker"
+}
+
+variable "pe_worker_ecs_task_definition_family" {
+  description = "pe_worker_ecs_task_definition_family"
+  type        = string
+  default     = "pe-staging-worker"
+}
+
+variable "pe_worker_ecs_log_group_name" {
+  description = "pe_worker_ecs_log_group_name"
+  type        = string
+  default     = "pe-staging-worker"
+}
+
+variable "pe_worker_ecs_role_name" {
+  description = "pe_worker_ecs_role_name"
+  type        = string
+  default     = "pe-staging-worker"
+}
+
+variable "matomo_availability_zone" {
+  description = "matomo_availability_zone"
+  type        = string
+  default     = "us-east-1"
+}
\ No newline at end of file
diff --git a/infrastructure/vpc-dmz.tf b/infrastructure/vpc-dmz.tf
new file mode 100644
index 00000000..f0d08ea2
--- /dev/null
+++ b/infrastructure/vpc-dmz.tf
@@ -0,0 +1,243 @@
+resource "aws_vpc" "crossfeed_vpc" {
+  count                = var.is_dmz ? 1 : 0
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_subnet" "db_1" {
+  count             = var.is_dmz ? 1 : 0
+  availability_zone = data.aws_availability_zones.available.names[0]
+  vpc_id            = aws_vpc.crossfeed_vpc[count.index].id
+  cidr_block        = "10.0.1.0/28"
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_subnet" "db_2" {
+  count             = var.is_dmz ? 1 : 0
+  availability_zone = data.aws_availability_zones.available.names[1]
+  vpc_id            = aws_vpc.crossfeed_vpc[count.index].id
+  cidr_block        = "10.0.1.16/28"
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_subnet" "backend" {
+  count             = var.is_dmz ? 1 : 0
+  availability_zone = data.aws_availability_zones.available.names[1]
+  vpc_id            = aws_vpc.crossfeed_vpc[count.index].id
+  cidr_block        = "10.0.2.0/24"
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_subnet" "worker" {
+  count             = var.is_dmz ? 1 : 0
+  availability_zone = data.aws_availability_zones.available.names[1]
+  vpc_id            = aws_vpc.crossfeed_vpc[count.index].id
+  cidr_block        = "10.0.3.0/24"
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+resource "aws_subnet" "es_1" {
+  count             = var.is_dmz ? 1 : 0
+  availability_zone = data.aws_availability_zones.available.names[0]
+  vpc_id            = aws_vpc.crossfeed_vpc[count.index].id
+  cidr_block        = "10.0.4.0/28"
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_subnet" "matomo_1" {
+  count             = var.is_dmz ? 1 : 0
+  availability_zone = data.aws_availability_zones.available.names[0]
+  vpc_id            = aws_vpc.crossfeed_vpc[count.index].id
+  cidr_block        = "10.0.5.0/28"
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_route_table" "r" {
+  count  = var.is_dmz ? 1 : 0
+  vpc_id = aws_vpc.crossfeed_vpc[count.index].id
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+resource "aws_route_table" "r2" {
+  count  = var.is_dmz ? 1 : 0
+  vpc_id = aws_vpc.crossfeed_vpc[count.index].id
+
+  route {
+    nat_gateway_id = aws_nat_gateway.nat[count.index].id
+    cidr_block     = "0.0.0.0/0"
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+resource "aws_route_table" "worker" {
+  count  = var.is_dmz ? 1 : 0
+  vpc_id = aws_vpc.crossfeed_vpc[count.index].id
+
+  route {
+    gateway_id = aws_internet_gateway.gw[count.index].id
+    cidr_block = "0.0.0.0/0"
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+resource "aws_route_table_association" "r_assoc_db_1" {
+  count          = var.is_dmz ? 1 : 0
+  route_table_id = aws_route_table.r[count.index].id
+  subnet_id      = aws_subnet.db_1[count.index].id
+}
+
+resource "aws_route_table_association" "r_assoc_db_2" {
+  count          = var.is_dmz ? 1 : 0
+  route_table_id = aws_route_table.r[count.index].id
+  subnet_id      = aws_subnet.db_2[count.index].id
+}
+
+resource "aws_route_table_association" "r_assoc_backend" {
+  count          = var.is_dmz ? 1 : 0
+  route_table_id = aws_route_table.r2[count.index].id
+  subnet_id      = aws_subnet.backend[count.index].id
+}
+
+resource "aws_route_table_association" "r_assoc_matomo" {
+  count          = var.is_dmz ? 1 : 0
+  route_table_id = aws_route_table.r2[count.index].id
+  subnet_id      = aws_subnet.matomo_1[count.index].id
+}
+
+resource "aws_route_table_association" "r_assoc_worker" {
+  count          = var.is_dmz ? 1 : 0
+  route_table_id = aws_route_table.worker[count.index].id
+  subnet_id      = aws_subnet.worker[count.index].id
+}
+
+resource "aws_internet_gateway" "gw" {
+  count  = var.is_dmz ? 1 : 0
+  vpc_id = aws_vpc.crossfeed_vpc[count.index].id
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_eip" "nat_eip" {
+  count = var.is_dmz ? 1 : 0
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+resource "aws_nat_gateway" "nat" {
+  count         = var.is_dmz ? 1 : 0
+  allocation_id = aws_eip.nat_eip[count.index].id
+  subnet_id     = aws_subnet.worker[count.index].id
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+resource "aws_security_group" "allow_internal" {
+  count       = var.is_dmz ? 1 : 0
+  name        = "allow-internal"
+  description = "Allow All VPC Internal Traffic"
+  vpc_id      = aws_vpc.crossfeed_vpc[count.index].id
+
+  ingress {
+    description = "All Lambda Subnet"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [aws_vpc.crossfeed_vpc[count.index].id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+# TODO: remove this security group. We can't remove it right now because
+# AWS created an ENI in this security group that can't be deleted at the moment.
+# See https://www.reddit.com/r/aws/comments/4fncrl/dangling_enis_after_deleting_an_invpc_lambda_with/
+resource "aws_security_group" "backend" {
+  count       = var.is_dmz ? 1 : 0
+  name        = "backend"
+  description = "Backend"
+  vpc_id      = aws_vpc.crossfeed_vpc[count.index].id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [aws_vpc.crossfeed_vpc[count.index].id]
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
+
+
+resource "aws_security_group" "worker" {
+  count       = var.is_dmz ? 1 : 0
+  name        = "worker"
+  description = "Worker"
+  vpc_id      = aws_vpc.crossfeed_vpc[count.index].id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+  }
+}
diff --git a/infrastructure/vpc-lz.tf b/infrastructure/vpc-lz.tf
new file mode 100644
index 00000000..fdd10fe5
--- /dev/null
+++ b/infrastructure/vpc-lz.tf
@@ -0,0 +1,154 @@
+data "aws_ssm_parameter" "vpc_name" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_crossfeed_vpc_name
+}
+
+data "aws_ssm_parameter" "vpc_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_vpc_id
+}
+data "aws_ssm_parameter" "vpc_cidr_block" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_vpc_cidr_block
+}
+data "aws_ssm_parameter" "route_table_endpoints_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_route_table_endpoints_id
+}
+data "aws_ssm_parameter" "route_table_private_A_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_route_table_private_A_id
+}
+data "aws_ssm_parameter" "route_table_private_B_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_route_table_private_B_id
+}
+data "aws_ssm_parameter" "route_table_private_C_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_route_table_private_C_id
+}
+data "aws_ssm_parameter" "subnet_backend_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_subnet_backend_id
+}
+data "aws_ssm_parameter" "subnet_worker_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_subnet_worker_id
+}
+data "aws_ssm_parameter" "subnet_matomo_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_subnet_matomo_id
+}
+data "aws_ssm_parameter" "subnet_db_1_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_subnet_db_1_id
+}
+data "aws_ssm_parameter" "subnet_db_2_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_subnet_db_2_id
+}
+data "aws_ssm_parameter" "subnet_es_id" {
+  count = var.is_dmz ? 0 : 1
+  name  = var.ssm_subnet_es_id
+}
+
+
+resource "aws_route_table_association" "r_assoc_backend_lz" {
+  count          = var.is_dmz ? 0 : 1
+  route_table_id = data.aws_ssm_parameter.route_table_endpoints_id[count.index].value
+  subnet_id      = data.aws_ssm_parameter.subnet_backend_id[count.index].value
+}
+
+resource "aws_route_table_association" "r_assoc_worker_lz" {
+  count          = var.is_dmz ? 0 : 1
+  route_table_id = data.aws_ssm_parameter.route_table_endpoints_id[count.index].value
+  subnet_id      = data.aws_ssm_parameter.subnet_worker_id[count.index].value
+}
+
+resource "aws_route_table_association" "r_assoc_matomo_lz" {
+  count          = var.is_dmz ? 0 : 1
+  route_table_id = data.aws_ssm_parameter.route_table_endpoints_id[count.index].value
+  subnet_id      = data.aws_ssm_parameter.subnet_matomo_id[count.index].value
+}
+
+resource "aws_route_table_association" "r_assoc_db1" {
+  count          = var.is_dmz ? 0 : 1
+  route_table_id = data.aws_ssm_parameter.route_table_private_A_id[count.index].value
+  subnet_id      = data.aws_ssm_parameter.subnet_db_1_id[count.index].value
+}
+
+resource "aws_route_table_association" "r_assoc_db2" {
+  count          = var.is_dmz ? 0 : 1
+  route_table_id = data.aws_ssm_parameter.route_table_private_B_id[count.index].value
+  subnet_id      = data.aws_ssm_parameter.subnet_db_2_id[count.index].value
+}
+
+resource "aws_route_table_association" "r_assoc_es_1" {
+  count          = var.is_dmz ? 0 : 1
+  route_table_id = data.aws_ssm_parameter.route_table_private_C_id[count.index].value
+  subnet_id      = data.aws_ssm_parameter.subnet_es_id[count.index].value
+}
+
+resource "aws_security_group" "allow_internal_lz" {
+  count       = var.is_dmz ? 0 : 1
+  name        = "allow-internal"
+  description = "Allow All VPC Internal Traffic"
+  vpc_id      = data.aws_ssm_parameter.vpc_id[count.index].value
+
+  ingress {
+    description = "All Lambda Subnet"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [data.aws_ssm_parameter.vpc_cidr_block[count.index].value]
+  }
+
+  ingress {
+    description = "Nessus Scan"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["10.232.0.94/32"]
+  }
+
+  ingress {
+    description = "Crowdstrike Server"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["10.234.0.0/15", "10.232.0.0/15", "52.61.0.0/17", "10.236.0.0/24", "96.127.0.0/17"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+    Owner   = "Crossfeed managed resource"
+  }
+}
+
+resource "aws_security_group" "worker_lz" {
+  count       = var.is_dmz ? 0 : 1
+  name        = "worker"
+  description = "Worker"
+  vpc_id      = data.aws_ssm_parameter.vpc_id[count.index].value
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Project = var.project
+    Stage   = var.stage
+    Owner   = "Crossfeed managed resource"
+  }
+}
diff --git a/infrastructure/vpc.tf b/infrastructure/vpc.tf
deleted file mode 100644
index 66fb425f..00000000
--- a/infrastructure/vpc.tf
+++ /dev/null
@@ -1,107 +0,0 @@
-data "aws_ssm_parameter" "vpc_name" { name = var.ssm_crossfeed_vpc_name }
-
-data "aws_ssm_parameter" "vpc_id" { name = var.ssm_vpc_id }
-data "aws_ssm_parameter" "vpc_cidr_block" { name = var.ssm_vpc_cidr_block }
-data "aws_ssm_parameter" "route_table_endpoints_id" { name = var.ssm_route_table_endpoints_id }
-data "aws_ssm_parameter" "route_table_private_A_id" { name = var.ssm_route_table_private_A_id }
-data "aws_ssm_parameter" "route_table_private_B_id" { name = var.ssm_route_table_private_B_id }
-data "aws_ssm_parameter" "route_table_private_C_id" { name = var.ssm_route_table_private_C_id }
-data "aws_ssm_parameter" "subnet_backend_id" { name = var.ssm_subnet_backend_id }
-data "aws_ssm_parameter" "subnet_worker_id" { name = var.ssm_subnet_worker_id }
-data "aws_ssm_parameter" "subnet_matomo_id" { name = var.ssm_subnet_matomo_id }
-data "aws_ssm_parameter" "subnet_db_1_id" { name = var.ssm_subnet_db_1_id }
-data "aws_ssm_parameter" "subnet_db_2_id" { name = var.ssm_subnet_db_2_id }
-data "aws_ssm_parameter" "subnet_es_id" { name = var.ssm_subnet_es_id }
-
-
-resource "aws_route_table_association" "r_assoc_backend" {
-  route_table_id = data.aws_ssm_parameter.route_table_endpoints_id.value
-  subnet_id      = data.aws_ssm_parameter.subnet_backend_id.value
-}
-
-resource "aws_route_table_association" "r_assoc_worker" {
-  route_table_id = data.aws_ssm_parameter.route_table_endpoints_id.value
-  subnet_id      = data.aws_ssm_parameter.subnet_worker_id.value
-}
-
-resource "aws_route_table_association" "r_assoc_matomo" {
-  route_table_id = data.aws_ssm_parameter.route_table_endpoints_id.value
-  subnet_id      = data.aws_ssm_parameter.subnet_matomo_id.value
-}
-
-resource "aws_route_table_association" "r_assoc_db1" {
-  route_table_id = data.aws_ssm_parameter.route_table_private_A_id.value
-  subnet_id      = data.aws_ssm_parameter.subnet_db_1_id.value
-}
-
-resource "aws_route_table_association" "r_assoc_db2" {
-  route_table_id = data.aws_ssm_parameter.route_table_private_B_id.value
-  subnet_id      = data.aws_ssm_parameter.subnet_db_2_id.value
-}
-
-resource "aws_route_table_association" "r_assoc_es_1" {
-  route_table_id = data.aws_ssm_parameter.route_table_private_C_id.value
-  subnet_id      = data.aws_ssm_parameter.subnet_es_id.value
-}
-
-resource "aws_security_group" "allow_internal" {
-  name        = "allow-internal"
-  description = "Allow All VPC Internal Traffic"
-  vpc_id      = data.aws_ssm_parameter.vpc_id.value
-
-  ingress {
-    description = "All Lambda Subnet"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = [data.aws_ssm_parameter.vpc_cidr_block.value]
-  }
-
-  ingress {
-    description = "Nessus Scan"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["10.232.0.94/32"]
-  }
-
-  ingress {
-    description = "Crowdstrike Server"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["10.234.0.0/15", "10.232.0.0/15", "52.61.0.0/17", "10.236.0.0/24", "96.127.0.0/17"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Project = var.project
-    Stage   = var.stage
-    Owner   = "Crossfeed managed resource"
-  }
-}
-
-resource "aws_security_group" "worker" {
-  name        = "worker"
-  description = "Worker"
-  vpc_id      = data.aws_ssm_parameter.vpc_id.value
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Project = var.project
-    Stage   = var.stage
-    Owner   = "Crossfeed managed resource"
-  }
-}
diff --git a/infrastructure/worker.tf b/infrastructure/worker.tf
index 7c0bdb4f..e60852af 100644
--- a/infrastructure/worker.tf
+++ b/infrastructure/worker.tf
@@ -60,7 +60,11 @@ resource "aws_iam_role_policy" "worker_task_execution_role_policy" {
         "ecr:GetDownloadUrlForLayer",
         "ecr:BatchGetImage",
         "logs:CreateLogStream",
-        "logs:PutLogEvents"
+        "logs:PutLogEvents",
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage",
+        "sqs:ListQueues",
+        "sqs:GetQueueAttributes"
       ],
       "Resource": "*"
     },
@@ -89,7 +93,7 @@ resource "aws_iam_role_policy" "worker_task_execution_role_policy" {
           "${data.aws_ssm_parameter.lg_api_key.arn}",
           "${data.aws_ssm_parameter.lg_workspace_name.arn}",
           "${data.aws_ssm_parameter.https_proxy.arn}",
-          "${aws_ssm_parameter.es_endpoint.arn}"
+          "${aws_ssm_parameter.es_endpoint.arn}",
           "${aws_ssm_parameter.es_endpoint.arn}",
           "${data.aws_ssm_parameter.pe_api_key.arn}",
           "${data.aws_ssm_parameter.cf_api_key.arn}"
@@ -161,7 +165,17 @@ resource "aws_iam_role_policy" "worker_task_role_policy" {
       "Resource": [
         "${aws_s3_bucket.export_bucket.arn}"
       ]
-    }
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage",
+        "sqs:ListQueues",
+        "sqs:GetQueueAttributes"
+      ],
+      "Resource": "*"
+      }
   ]
 }
 EOF
@@ -307,8 +321,15 @@ resource "aws_ecs_task_definition" "worker" {
       {
         "name": "HTTPS_PROXY",
         "valueFrom": "${data.aws_ssm_parameter.https_proxy.arn}"
+      },
+      {
+        "name": "PE_API_KEY",
+        "valueFrom": "${data.aws_ssm_parameter.pe_api_key.arn}"
+      },
+      {
+        "name": "CF_API_KEY",
+        "valueFrom": "${data.aws_ssm_parameter.cf_api_key.arn}"
       }
-
     ]
   }
 ]
@@ -370,6 +391,9 @@ data "aws_ssm_parameter" "worker_signature_public_key" { name = var.ssm_worker_s
 data "aws_ssm_parameter" "worker_signature_private_key" { name = var.ssm_worker_signature_private_key }
 
 data "aws_ssm_parameter" "https_proxy" { name = var.ssm_https_proxy }
+
+data "aws_ssm_parameter" "intelx_api_key" { name = var.ssm_intelx_api_key }
+
 data "aws_ssm_parameter" "pe_api_key" { name = var.ssm_pe_api_key }
 
 data "aws_ssm_parameter" "cf_api_key" { name = var.ssm_cf_api_key }
@@ -407,6 +431,12 @@ resource "aws_s3_bucket_policy" "export_bucket" {
   })
 }
 
+resource "aws_s3_bucket_acl" "export_bucket" {
+  count  = var.is_dmz ? 1 : 0
+  bucket = aws_s3_bucket.export_bucket.id
+  acl    = "private"
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "export_bucket" {
   bucket = aws_s3_bucket.export_bucket.id
   rule {