diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..e80cfd1
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @davmayd
diff --git a/docs/boilerplate b/docs/boilerplate
index 59b9927..4ee94d6 160000
--- a/docs/boilerplate
+++ b/docs/boilerplate
@@ -1 +1 @@
-Subproject commit 59b9927c61cd1831141cf0350520c89abb2246da
+Subproject commit 4ee94d6b60ec455e5b452e8ad9841eb825704b70
diff --git a/submodules/quickstart-aws-vpc b/submodules/quickstart-aws-vpc
index 53fbedf..b7aefd0 160000
--- a/submodules/quickstart-aws-vpc
+++ b/submodules/quickstart-aws-vpc
@@ -1 +1 @@
-Subproject commit 53fbedf058adaea101a587ec0fa9d84cb2a05587
+Subproject commit b7aefd089e944d77cdc2b083886cdc498d2a6ee4
diff --git a/templates/okta-asa-bastion.template.yaml b/templates/okta-asa-bastion.template.yaml
index 6c01af3..98301ea 100644
--- a/templates/okta-asa-bastion.template.yaml
+++ b/templates/okta-asa-bastion.template.yaml
@@ -1,6 +1,10 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: This AWS CloudFormation template deploys a bastion host enrolled with Okta Advanced Server Access (qs-1rm280cl1)
 Metadata:
+  cfn-lint:
+    config:
+      ignore_checks:
+        - W9006
   LICENSE: Apache License, Version 2.0
   QuickStartDocumentation:
     EntrypointName: "Parameters for deploying Okta ASA into an existing VPC"
@@ -95,7 +99,6 @@ Metadata:
         default: Root volume size
       EnrollmentToken:
         default: Okta Advanced Server Access enrollment token
-  cfn-lint: { config: { ignore_checks: [E9007] } }
 Parameters:
   EC2AMIOS:
     AllowedValues:
@@ -456,6 +459,15 @@ Resources:
         - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
   BastionHostPolicy:
     Type: 'AWS::IAM::Policy'
+    Metadata:
+      cfn-lint:
+        config:
+          ignore_checks:
+            - EIAMPolicyWildcardResource
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "EC2 requires wildcard access"
     Properties:
       PolicyName: BastionPolicy
       PolicyDocument:
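Review bot: The new template-wide `ignore_checks: - W9006` in the first bastion hunk carries no explanation of what the rule flags or why this template is exempt, and it replaces the old `E9007` ignore rather than adding to it; if E9007 is still a live rule in the Quick Start cfn-lint ruleset the repo pins, its findings will reappear on the next lint run. I would add a comment above the entry, e.g. `# W9006 (qs-cfn-lint-rules): <what it checks> – waived here because <reason>`, and confirm the E9007→W9006 swap against that ruleset version. The same ignore is added to the main and target templates, so the wording should be mirrored there.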
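Review bot: The `reason: "EC2 requires wildcard access"` on the W12 suppression (and the matching `EIAMPolicyWildcardResource` ignore) in the BastionHostPolicy hunk is a blanket statement that does not say which action actually needs `Resource: '*'`; the policy body it justifies sits in the next hunk and grants `ec2:AssociateAddress` alongside `ec2:DescribeAddresses`, and as far as I recall only the Describe call lacks resource-level permissions. A suppression reason is the only audit trail a reader gets, so it should name the action: `reason: "ec2:DescribeAddresses does not support resource-level permissions"`. The BastionHostPolicy resource continues past the end of this hunk, and TargetHostPolicy in the target template carries the identical suppression.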
@@ -481,7 +493,7 @@ Resources:
          - Action:
              - 'ec2:AssociateAddress'
              - 'ec2:DescribeAddresses'
-            Resource: '*'
+            Resource: '*' # Only supported resource per the documentation
            Effect: Allow
      Roles:
        - !If
@@ -702,6 +714,13 @@ Resources:
          - 'Null'
  BastionSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F1000
+            reason: "Standard Amazon practice"
+          - id: W36
+            reason: "Group description is sufficient"
    Properties:
      GroupDescription: Enables SSH Access to Bastion Hosts
      VpcId: !Ref VPCID
diff --git a/templates/okta-asa-main.template.yaml b/templates/okta-asa-main.template.yaml
index f0d81ed..e3d072a 100644
--- a/templates/okta-asa-main.template.yaml
+++ b/templates/okta-asa-main.template.yaml
@@ -1,6 +1,10 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: This AWS CloudFormation template deploys an environment – VPC, bastion, and target hosts – with Okta Advanced Server Access (qs-1rm280cig)
 Metadata:
+  cfn-lint:
+    config:
+      ignore_checks:
+        - W9006
   LICENSE: Apache License, Version 2.0
   QuickStartDocumentation:
     EntrypointName: "Parameters for deploying Okta ASA into a new VPC"
@@ -92,7 +96,6 @@ Metadata:
         default: VPC CIDR
       EnrollmentToken:
         default: Okta Advanced Server Access enrollment token
-  cfn-lint: { config: { ignore_checks: [E9007] } }
 Parameters:
   AvailabilityZones:
     Description: 'Availability Zones to use for the subnets in the VPC. The logical order is preserved. This deployment uses 2 Availability Zones.'
diff --git a/templates/okta-asa-target.template.yaml b/templates/okta-asa-target.template.yaml
index c9846cd..b522cbe 100644
--- a/templates/okta-asa-target.template.yaml
+++ b/templates/okta-asa-target.template.yaml
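Review bot: The comment added to `Resource: '*'` ("Only supported resource per the documentation") is attached to a statement that covers both `ec2:AssociateAddress` and `ec2:DescribeAddresses`, and to my knowledge it is only true for the Describe call — the IAM Service Authorization Reference lists elastic-ip, instance and network-interface resource types for AssociateAddress, so the wildcard lets the bastion's role re-point any EIP in the account. I would split the statement so only DescribeAddresses keeps `*` and AssociateAddress is scoped at least to this account and region (tighter, to the specific EIP/instance ARNs, if the template declares them — I cannot see that from this hunk). The enclosing PolicyDocument starts before this hunk, and the same change applies to TargetHostPolicy in the target template.
```yaml
          - Action:
              - 'ec2:DescribeAddresses'
            Resource: '*'  # Describe* calls do not support resource-level permissions
            Effect: Allow
          - Action:
              - 'ec2:AssociateAddress'
            # Scoped to this account/region; narrow to the EIP/instance ARNs if they are known in-template
            Resource:
              - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:elastic-ip/*'
              - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
              - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
            Effect: Allow
      # … unchanged: Roles …
```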
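Review bot: `reason: "Standard Amazon practice"` on the F1000 suppression in the BastionSecurityGroup hunk does not justify leaving a bastion's egress unrestricted; F1000 is cfn_nag's "no egress rule means all outbound traffic is allowed" finding, and a bastion is exactly the host where that matters. Either add an explicit `SecurityGroupEgress` limited to what the host needs (presumably SSH to the target subnets and HTTPS to the Okta ASA service — confirm against the agent documentation) or make the reason state that requirement, e.g. `reason: "Egress intentionally open: bastion needs SSH to target hosts and HTTPS to Okta ASA endpoints"`. The security group's Properties continue outside this hunk, so I cannot see whether the ingress rules carry descriptions that would let you drop the W36 suppression as well.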
@@ -1,6 +1,10 @@
 AWSTemplateFormatVersion: 2010-09-09
 Description: This AWS CloudFormation template deploys a target host enrolled with Okta Advanced Server Access (qs-1rm280cl7)
 Metadata:
+  cfn-lint:
+    config:
+      ignore_checks:
+        - W9006
   LICENSE: Apache License, Version 2.0
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -95,7 +99,6 @@ Metadata:
         default: Root volume size
       EnrollmentToken:
         default: Okta Advanced Server Access enrollment token
-  cfn-lint: { config: { ignore_checks: [E9007] } }
 Parameters:
   BastionSecurityGroupID:
     Description: ID of the bastion host security group to enable SSH connections (e.g.,
@@ -442,6 +445,15 @@ Resources:
         - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
   TargetHostPolicy:
     Type: 'AWS::IAM::Policy'
+    Metadata:
+      cfn-lint:
+        config:
+          ignore_checks:
+            - EIAMPolicyWildcardResource
+      cfn_nag:
+        rules_to_suppress:
+          - id: W12
+            reason: "EC2 requires wildcard access"
     Properties:
       PolicyName: TargetPolicy
       PolicyDocument:
@@ -467,7 +479,7 @@ Resources:
          - Action:
              - 'ec2:AssociateAddress'
              - 'ec2:DescribeAddresses'
-            Resource: '*'
+            Resource: '*' # Only supported resource per the documentation
            Effect: Allow
      Roles:
        - !If
@@ -653,6 +665,13 @@ Resources:
          [ $(qs_status) == 0 ] && cfn_success || cfn_fail
  TargetSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F1000
+            reason: "Standard Amazon practice"
+          - id: W36
+            reason: "EC2 requires wildcard access"
    Properties:
      GroupDescription: Enables SSH Access to Target Hosts
      VpcId: !Ref VPCID
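Review bot: The W36 suppression on TargetSecurityGroup in the last hunk has `reason: "EC2 requires wildcard access"`, which is the IAM W12 justification pasted in by mistake — W36 is cfn_nag's "security group rule without a description" check and has nothing to do with wildcard IAM resources, so the reason would mislead anyone auditing the suppressions. The bastion template in this same commit uses `reason: "Group description is sufficient"` for W36; at minimum align this one with it, or better, add a `Description` to each ingress/egress rule (those lie outside this hunk) and drop the suppression entirely. The F1000 reason `"Standard Amazon practice"` likewise states no actual justification for leaving egress unrestricted on a target host.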