diff --git a/docs/roles/deploy_container.md b/docs/roles/deploy_container.md
index 8f7dca28..3e5a9c30 100644
--- a/docs/roles/deploy_container.md
+++ b/docs/roles/deploy_container.md
@@ -8,7 +8,27 @@ sudo usermod -aG docker deploy
 This can be handled automatically by [`ce-provision`](https://github.com/codeenigma/ce-provision) using the `ce_deploy` and `docker_ce` roles.
-AWS ECR registries require the AWS CLI user provided for `ce-deploy` to have the managed AWS `EC2InstanceProfileForImageBuilderECRContainerBuilds` policy attached via IAM to allow access to fetch credentials and push containers.
+## AWS IAM requirements
+AWS integration requires the AWS CLI user provided for `ce-deploy` to have certain managed AWS policies attached.
+
+If you enable AWS ECR registry integration by setting `deploy_container.aws_ecr.enabled` to `true` then you will need the `EC2InstanceProfileForImageBuilderECRContainerBuilds` policy attached via IAM to allow access to fetch credentials and push containers.
+
+Similarly, if you set `deploy_container.aws_ecs.acm.create_cert` to `true` then you will need the `AWSCertificateManagerFullAccess` policy attaching to create SSL certificates.
+
+If you enable full AWS ECS integration by setting `deploy_container.aws_ecs.enabled` to `true` then this requires the following policies to be attached to the AWS CLI user:
+* `AmazonECS_FullAccess` - to create task definitions and services
+* `ElasticLoadBalancingFullAccess` - to create load balancers and target groups
+
+Finally, if you set `deploy_container.aws_ecs.route_53.zone` to another other than an empty string then you will also need `AmazonRoute53FullAccess` attaching to manipulate DNS entries in Route 53.
+
+The full list is:
+* `EC2InstanceProfileForImageBuilderECRContainerBuilds` - to manipulate images in AWS ECR
+* `AWSCertificateManagerFullAccess` - to manage SSL certificates
+* `AmazonECS_FullAccess` - to create task definitions and services
+* `ElasticLoadBalancingFullAccess` - to create load balancers and target groups
+* `AmazonRoute53FullAccess` - to manage DNS entries
+
+Naturally you can always create custom policies and roles to have tighter access control. This document simply gives you the broad strokes AWS managed policies you can use in conjunction with this Ansible role.
diff --git a/docs/roles/sync/database_sync/database_sync-mysql.md b/docs/roles/sync/database_sync/database_sync-mysql.md
index cbe1a353..d70d770e 100644
--- a/docs/roles/sync/database_sync/database_sync-mysql.md
+++ b/docs/roles/sync/database_sync/database_sync-mysql.md
@@ -5,8 +5,9 @@ Sync MySQL databases between environments.
 ```yaml
 ---
 mysql_sync:
-  mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here
-  cleanup: true # if false leaves tmp database dump on deploy server for debugging purposes
+  mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here.
+  cleanup: true # if false leaves tmp database dump on deploy server for debugging purposes.
+  archival_method: "bzip2" # oprions are "bzip2" or "gzip".
   databases:
     - source: # Name of the database to take a dump from.
diff --git a/roles/deploy_container/README.md b/roles/deploy_container/README.md
index 8f7dca28..3e5a9c30 100644
--- a/roles/deploy_container/README.md
+++ b/roles/deploy_container/README.md
@@ -8,7 +8,27 @@ sudo usermod -aG docker deploy
 This can be handled automatically by [`ce-provision`](https://github.com/codeenigma/ce-provision) using the `ce_deploy` and `docker_ce` roles.
-AWS ECR registries require the AWS CLI user provided for `ce-deploy` to have the managed AWS `EC2InstanceProfileForImageBuilderECRContainerBuilds` policy attached via IAM to allow access to fetch credentials and push containers.
+## AWS IAM requirements
+AWS integration requires the AWS CLI user provided for `ce-deploy` to have certain managed AWS policies attached.
+
+If you enable AWS ECR registry integration by setting `deploy_container.aws_ecr.enabled` to `true` then you will need the `EC2InstanceProfileForImageBuilderECRContainerBuilds` policy attached via IAM to allow access to fetch credentials and push containers.
+
+Similarly, if you set `deploy_container.aws_ecs.acm.create_cert` to `true` then you will need the `AWSCertificateManagerFullAccess` policy attaching to create SSL certificates.
+
+If you enable full AWS ECS integration by setting `deploy_container.aws_ecs.enabled` to `true` then this requires the following policies to be attached to the AWS CLI user:
+* `AmazonECS_FullAccess` - to create task definitions and services
+* `ElasticLoadBalancingFullAccess` - to create load balancers and target groups
+
+Finally, if you set `deploy_container.aws_ecs.route_53.zone` to another other than an empty string then you will also need `AmazonRoute53FullAccess` attaching to manipulate DNS entries in Route 53.
+
+The full list is:
+* `EC2InstanceProfileForImageBuilderECRContainerBuilds` - to manipulate images in AWS ECR
+* `AWSCertificateManagerFullAccess` - to manage SSL certificates
+* `AmazonECS_FullAccess` - to create task definitions and services
+* `ElasticLoadBalancingFullAccess` - to create load balancers and target groups
+* `AmazonRoute53FullAccess` - to manage DNS entries
+
+Naturally you can always create custom policies and roles to have tighter access control. This document simply gives you the broad strokes AWS managed policies you can use in conjunction with this Ansible role.
diff --git a/roles/sync/database_sync/database_sync-mysql/README.md b/roles/sync/database_sync/database_sync-mysql/README.md
index cbe1a353..d70d770e 100644
--- a/roles/sync/database_sync/database_sync-mysql/README.md
+++ b/roles/sync/database_sync/database_sync-mysql/README.md
@@ -5,8 +5,9 @@ Sync MySQL databases between environments.
 ```yaml
 ---
 mysql_sync:
-  mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here
-  cleanup: true # if false leaves tmp database dump on deploy server for debugging purposes
+  mysqldump_params: "{{ _mysqldump_params }}" # set in _init but you can override here.
+  cleanup: true # if false leaves tmp database dump on deploy server for debugging purposes.
+  archival_method: "bzip2" # oprions are "bzip2" or "gzip".
   databases:
     - source: # Name of the database to take a dump from.