diff --git a/examples/existing-ditribution/fingerprint.tf b/examples/existing-ditribution/fingerprint.tf
index e14e110..f8866c5 100644
--- a/examples/existing-ditribution/fingerprint.tf
+++ b/examples/existing-ditribution/fingerprint.tf
@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {
 fpjs_shared_secret = var.fpjs_shared_secret
 // You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
+ // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function
+ // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam:::policy/YOUR_POLICY_NAME"
 }
diff --git a/examples/standalone-distribution/fingerprint.tf b/examples/standalone-distribution/fingerprint.tf
index e14e110..f8866c5 100644
--- a/examples/standalone-distribution/fingerprint.tf
+++ b/examples/standalone-distribution/fingerprint.tf
@@ -6,5 +6,6 @@ module "fingerprint_cloudfront_integration" {
 fpjs_shared_secret = var.fpjs_shared_secret
 // You can define the proxy function's [permission boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
+ // See https://dev.fingerprint.com/docs/aws-cloudfront-integration-via-terraform#defining-a-permission-boundary-for-the-proxy-function
+ // fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam:::policy/YOUR_POLICY_NAME"
 }
diff --git a/variables.tf b/variables.tf
index fb5264c..b055766 100644
--- a/variables.tf
+++ b/variables.tf
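Review bot: The new placeholder in the commented example, `arn:aws:iam:::policy/YOUR_POLICY_NAME`, leaves the account-ID field of the ARN empty, so a reader who uncomments the line and swaps in only a policy name ends up with a malformed boundary ARN. A customer-managed policy ARN carries the account ID in that position, so I would write `// fpjs_proxy_lambda_role_permissions_boundary_arn = "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:policy/YOUR_POLICY_NAME"`. The identical line in the examples/standalone-distribution/fingerprint.tf hunk needs the same change. The module block opens above both hunks, so the rest of its arguments are not visible here.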
@@ -10,7 +10,7 @@ variable "fpjs_get_result_path" {
 variable "fpjs_agent_download_path" {
 type = string
- description = "request path used to send ProCDN requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
+ description = "request path used to send agent download requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
 validation {
 condition = can(regex("^([a-zA-Z0-9\\-])+$", var.fpjs_agent_download_path))
@@ -31,6 +31,6 @@ variable "fpjs_shared_secret" {
 variable "fpjs_proxy_lambda_role_permissions_boundary_arn" {
 type = string
- description = "Permissions boundary ARN for the role assumed by the Proxy lambda"
+ description = "Permissions boundary ARN for the role assumed by the Proxy lambda. Make sure your permissions boundary allows the function to access the Secrets Manager secret created for the integration (`secretsmanager:GetSecretValue`) and create logs (`logs:CreateLogStream`, `logs:CreateLogGroup`, `logs:PutLogEvents`)."
 default = null
 }
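Review bot: In the second hunk, `fpjs_proxy_lambda_role_permissions_boundary_arn` still accepts any string, while `fpjs_agent_download_path` in the first hunk of this file carries a `validation` block. A mistyped boundary ARN would presumably surface only when the provider calls IAM during apply. Because the boundary is a security control, I would fail at plan time with a validation that still admits the null default: `condition = var.fpjs_proxy_lambda_role_permissions_boundary_arn == null || can(regex("^arn:aws[a-z-]*:iam::([0-9]{12}|aws):policy/.+$", var.fpjs_proxy_lambda_role_permissions_boundary_arn))`, together with an `error_message` that shows the expected ARN shape. The new description lists the actions the boundary must allow but nothing checks them, so it is worth confirming that the linked documentation says how a too-narrow boundary shows up (denied secret reads, missing logs).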