diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index 00d0707..13372cf 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -32,6 +32,15 @@ jobs:
 flowzone:
 name: Flowzone
 uses: product-os/flowzone/.github/workflows/flowzone.yml@master
+ # prevent duplicate workflow executions for pull_request and pull_request_target
+ if: |
+ (
+ github.event.pull_request.head.repo.full_name == github.repository &&
+ github.event_name == 'pull_request'
+ ) || (
+ github.event.pull_request.head.repo.full_name != github.repository &&
+ github.event_name == 'pull_request_target'
+ )
 secrets:
 GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
 with:
@@ -49,7 +58,7 @@ jobs:
 "params": [
 "GitHubRestriction=repo:belodetek/cfn-generic-custom-resource:*,repo:belodetek/.github:*",
 "RoleMaxSessionDuration=43200",
- "ManagedPolicyArns=arn:aws:iam::aws:policy/AWSCloudFormationFullAccess,arn:aws:iam::aws:policy/AmazonS3FullAccess,arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser,arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicPowerUser"
+ "ManagedPolicyArns=arn:aws:iam::aws:policy/AWSCloudFormationFullAccess,arn:aws:iam::aws:policy/AmazonS3FullAccess,arn:aws:iam::aws:policy/IAMReadOnlyAccess,arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser,arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicPowerUser"
 ],
 "tags": [
 "Name=github-oidc",
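Review bot: The new `if:` sends fork pull requests down the `pull_request_target` branch, which runs with the base repository's secrets (the `secrets:` mapping directly below forwards GH_APP_PRIVATE_KEY), yet the added comment only mentions de-duplication; the trust assumption should be written down next to it, e.g. `# pull_request_target runs fork PRs with base-repo secrets; relies on the reusable workflow never executing fork-controlled code with them`. Whether the flowzone workflow honours that is not visible here since `uses: ...@master` resolves outside this file. The condition is also false for any event without a `pull_request` payload, so if the workflow's `on:` block (outside this hunk) includes push or tag triggers, the job silently stops running for them; a leading `github.event_name != 'pull_request' && github.event_name != 'pull_request_target' ||` clause, or whatever the trigger list actually needs, would preserve them. While this block is being touched, pinning the `uses:` reference to a commit SHA rather than `@master` would close the mutable-ref gap in the same supply chain.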
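Review bot: The added `IAMReadOnlyAccess` ARN lets the OIDC role enumerate every IAM principal and policy in the account, on a role that already carries CloudFormation and S3 full access, a 12-hour `RoleMaxSessionDuration` and a `GitHubRestriction` whose `:*` suffix appears to match any ref of the two repositories; the commit does not record what consumer needs it. A line comment above the `ManagedPolicyArns` entry, e.g. `# IAMReadOnlyAccess: required by <stack or step> for iam:Get*/List* calls during deploy`, or better a custom policy limited to those specific actions, would make the grant reviewable and keep the least-privilege boundary explicit. The JSON document these strings live in starts and ends outside the hunk.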