diff --git a/packages/deployment-service/cdk/lib/cdk-stack.ts b/packages/deployment-service/cdk/lib/cdk-stack.ts
index d827143d9d..1a99cd99cd 100644
--- a/packages/deployment-service/cdk/lib/cdk-stack.ts
+++ b/packages/deployment-service/cdk/lib/cdk-stack.ts
@@ -18,7 +18,7 @@ import {
 createFunction,
 } from '@reapit/ts-scripts/src/cdk'
 import fs from 'fs/promises'
-import { aws_sqs as sqs, aws_lambda } from 'aws-cdk-lib'
+import { aws_sqs as sqs, aws_lambda, aws_ec2 } from 'aws-cdk-lib'
 import { createLambda } from './create-lambda'
 import { createS3Buckets } from './create-S3-bucket'
@@ -77,7 +77,7 @@ export const createStack = async () => {
 const vpc = createVpc(stack, 'vpc')
 const buckets = createS3Buckets(usercodeStack, envStage)
 const queues = createSqsQueues(stack)
- const database = createDatabase(stack, 'database', databaseName, vpc, undefined, true)
+ const database = createDatabase(stack, 'database', databaseName, vpc, undefined, true, false)
 const secretManager = database.secret
@@ -255,6 +255,12 @@ export const createStack = async () => {
 })
 options.policies.forEach((policy) => lambda.addToRolePolicy(policy))
+ const requiresDbConnection = options.policies.some((policy) => policy.resources.includes(secretManager.secretArn))
+
+ if (requiresDbConnection) {
+ database.connections.allowFrom(lambda, aws_ec2.Port.MYSQL_AURORA)
+ }
+
 if (options.queues) {
 options.queues.forEach((queue) => addLambdaSQSTrigger(lambda, queue as Queue))
 } else if (options.api) {
diff --git a/packages/ts-scripts/src/cdk/components/rds-database.ts b/packages/ts-scripts/src/cdk/components/rds-database.ts
index cdac04e48e..df6e5d9670 100644
--- a/packages/ts-scripts/src/cdk/components/rds-database.ts
+++ b/packages/ts-scripts/src/cdk/components/rds-database.ts
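Review bot: The new seventh argument `false` in the `createDatabase(stack, 'database', databaseName, vpc, undefined, true, false)` call is what stops the cluster's security group from being opened to any IPv4 address on the Aurora port, but nothing at the call site says so, and the two adjacent bare booleans `true, false` give a reader no way to tell which is which. A one-line comment above the call would carry the intent, e.g. `// bastion enabled; no allowFromAnyIpv4 ingress — each lambda that needs the DB gets its own rule further down`. createStack's body continues outside the hunk.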
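Review bot: `requiresDbConnection` derives a network-level grant from an IAM detail — whether some policy's `resources` array contains exactly `secretManager.secretArn` — so a policy that names the secret via a wildcard or partial ARN gets no ingress rule, while any function that reads the secret for another reason has port 3306 opened to it. An explicit per-function option makes the grant deliberate and reviewable: `if (options.database) {` in place of the `some(...)` scan, with `database?: boolean` added to the options type. Separately, `database.connections.allowFrom(lambda, …)` only works when the function is VPC-attached and so has a security group; if createLambda can produce a non-VPC function this fails at synth, and `secretManager` is `database.secret`, which is optional on `rds.DatabaseCluster`, so `.secretArn` relies on a narrowing earlier in createStack that is outside this hunk. The enclosing function starts and ends outside the hunk.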
@@ -8,6 +8,7 @@ export const createDatabase = (
 vpc: ec2.Vpc,
 secret?: cdk.aws_secretsmanager.ISecret,
 bastion: boolean = false,
+ createConnections: boolean = true,
 ): rds.DatabaseCluster => {
 const db = new rds.DatabaseCluster(stack, name, {
 engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_3_08_2 }),
@@ -28,7 +29,7 @@ export const createDatabase = (
 credentials: secret ? rds.Credentials.fromSecret(secret) : undefined,
 })
- db.connections.allowFromAnyIpv4(ec2.Port.MYSQL_AURORA)
+ if (createConnections) db.connections.allowFromAnyIpv4(ec2.Port.MYSQL_AURORA)
 if (bastion) {
 new ec2.BastionHostLinux(stack, 'bastion', {
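Review bot: `createConnections` defaults to `true`, so every existing caller of createDatabase keeps `allowFromAnyIpv4(ec2.Port.MYSQL_AURORA)` — an ingress rule from 0.0.0.0/0 on the Aurora port — and the parameter name does not say that is what it controls. Prefer a name that states the effect and a closed-by-default value, `allowFromAnyIpv4: boolean = false,` in the first hunk and `if (allowFromAnyIpv4) db.connections.allowFromAnyIpv4(ec2.Port.MYSQL_AURORA)` in the second, then opt the remaining call sites in explicitly; if the default has to stay `true` for compatibility, a TSDoc line on the parameter stating that it opens the port to any IPv4 address is the minimum. This is also the second bare positional boolean after `bastion`, which is the point at which an options object would read better than `undefined, true, false` at the call sites. Both hunks belong to createDatabase, which starts before the first hunk and continues after the second.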