diff --git a/README.md b/README.md
index 85fb98f..620293d 100644
--- a/README.md
+++ b/README.md
@@ -14,16 +14,19 @@ API gateway module for REST API. There is no community module available for REST
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.9.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_apigw_cwl_role"></a> [apigw\_cwl\_role](#module\_apigw\_cwl\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.9.2 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_api_gateway_account.api_gateway_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account) | resource |
 | [aws_api_gateway_deployment.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment) | resource |
 | [aws_api_gateway_method_settings.method_settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings) | resource |
 | [aws_api_gateway_rest_api.api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) | resource |
@@ -45,6 +48,7 @@ No modules.
 | <a name="input_cache_data_encrypted"></a> [cache\_data\_encrypted](#input\_cache\_data\_encrypted) | Specifies whether a cache data needs to be encrypted. | `bool` | `true` | no |
 | <a name="input_caching_enabled"></a> [caching\_enabled](#input\_caching\_enabled) | Specifies whether caching is enabled for the API gateway method | `bool` | `false` | no |
 | <a name="input_data_trace_enabled"></a> [data\_trace\_enabled](#input\_data\_trace\_enabled) | Specifies the logging level for this method. | `bool` | `false` | no |
+| <a name="input_enable_global_apigw_logging"></a> [enable\_global\_apigw\_logging](#input\_enable\_global\_apigw\_logging) | Enable global apigw logging | `bool` | `false` | no |
 | <a name="input_log_format"></a> [log\_format](#input\_log\_format) | Cloudwatch log format | `map(string)` | <pre>{<br>  "caller": "$context.identity.caller",<br>  "extendedRequestId": "$context.extendedRequestId",<br>  "httpMethod": "$context.httpMethod",<br>  "ip": "$context.identity.sourceIp",<br>  "protocol": "$context.protocol",<br>  "requestId": "$context.requestId",<br>  "requestTime": "$context.requestTime",<br>  "resourcePath": "$context.resourcePath",<br>  "responseLength": "$context.responseLength",<br>  "status": "$context.status",<br>  "user": "$context.identity.user"<br>}</pre> | no |
 | <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | Custom log group name. | `string` | `""` | no |
 | <a name="input_log_kms_key_id"></a> [log\_kms\_key\_id](#input\_log\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `""` | no |
@@ -57,7 +61,7 @@ No modules.
 | <a name="input_throttling_burst_limit"></a> [throttling\_burst\_limit](#input\_throttling\_burst\_limit) | The API request burst limit, the maximum rate limit over a time ranging from one to a few seconds, depending upon whether the underlying token bucket is at its full capacity. | `number` | `1000` | no |
 | <a name="input_throttling_rate_limit"></a> [throttling\_rate\_limit](#input\_throttling\_rate\_limit) | The API request steady-state rate limit | `number` | `1000` | no |
 | <a name="input_types"></a> [types](#input\_types) | Name of the API gateway stage | `list(string)` | <pre>[<br>  "REGIONAL"<br>]</pre> | no |
-| <a name="input_vpc_links"></a> [vpc\_links](#input\_vpc\_links) | List of VPC links for REST APIs | <pre>map(<br>    object({<br>      description = string<br>      target_arns = list(string)<br>    })<br>  )</pre> | `{}` | no |
+| <a name="input_vpc_links"></a> [vpc\_links](#input\_vpc\_links) | List of VPC links for REST APIs. key in the map denotes the vpc link name | <pre>map(<br>    object({<br>      description = string<br>      target_arns = list(string)<br>    })<br>  )</pre> | `{}` | no |
 
 ## Outputs
 
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..617a4bf
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,23 @@
+module "apigw_cwl_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.9.2"
+
+  trusted_role_services = [
+    "apigateway.amazonaws.com"
+  ]
+
+  create_role = var.enable_global_apigw_logging
+
+  role_name_prefix  = "apigw-cwl-global"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
+  ]
+}
+
+resource "aws_api_gateway_account" "api_gateway_account" {
+  count = var.enable_global_apigw_logging ? 1 : 0
+
+  cloudwatch_role_arn = module.apigw_cwl_role.iam_role_arn
+}
diff --git a/main.tf b/main.tf
index 7688b11..2b89139 100644
--- a/main.tf
+++ b/main.tf
@@ -28,6 +28,7 @@ resource "aws_api_gateway_deployment" "deployment" {
 }
 
 resource "aws_api_gateway_stage" "stage" {
+  #checkov:skip=CKV2_AWS_51: Since its a community module, its up to the application's discretion.
   #checkov:skip=CKV_AWS_120:Caching should be optional as caching is disabled for some applications
   #checkov:skip=CKV2_AWS_29:Since apigw can be protected by Cloudfront
   #checkov:skip=CKV2_AWS_4:There is no loggging level defined for aws_api_gateway_stage. It is only available for aws_api_gateway_method_settings
@@ -45,9 +46,12 @@ resource "aws_api_gateway_stage" "stage" {
     format          = jsonencode(var.log_format)
   }
 
+  depends_on = [aws_api_gateway_account.api_gateway_account]
+
 }
 
 resource "aws_cloudwatch_log_group" "log_group" {
+  #checkov:skip=CKV_AWS_158: Using default key in KMS instead of CMK
   #Custom name if it is imported
   name              = var.log_group_name != "" ? var.log_group_name : "${var.name}-access-logs"
   retention_in_days = var.log_retention_in_days
diff --git a/modules/custom_domain/README.md b/modules/custom_domain/README.md
index 43adcce..94aa720 100644
--- a/modules/custom_domain/README.md
+++ b/modules/custom_domain/README.md
@@ -18,7 +18,7 @@ Provisions option to create ACM certifcation. Cert validation needs to be done o
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.13.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
 
 ## Modules
 
diff --git a/modules/usage_plan/README.md b/modules/usage_plan/README.md
index d53ad24..4f7ecce 100644
--- a/modules/usage_plan/README.md
+++ b/modules/usage_plan/README.md
@@ -14,7 +14,7 @@ Create Usage Plan and assign it to the API
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.12.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
 
 ## Modules
 
diff --git a/variables.tf b/variables.tf
index caa227b..5424c80 100644
--- a/variables.tf
+++ b/variables.tf
@@ -131,3 +131,9 @@ variable "vpc_links" {
   )
   default = {}
 }
+
+variable "enable_global_apigw_logging" {
+  description = "Enable global apigw logging"
+  type        = bool
+  default     = false
+}
