diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e3e7af2792a2e8fde9ff8667c2d7b8b854a684c0..cc42b5961b6b3d62c18e1aff656b638b50f455e8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,7 +3,7 @@ variables:
   PYTHONPATH: app
   PYTEST_DIR: app/tests/unit
 
-  AWS_BUILD_SUBDIR: app
+  AWS_BUILD_SUBDIR: build/aws/build-aws
   # AWS_TEST_SUBDIR: testing/storage-test-aws
   AWS_SERVICE: policy
   AWS_SERVICE_NAMESPACE: osdu-services
diff --git a/NOTICE b/NOTICE
index 17b3f405034ae2c8fc70823816547b8fa0623769..e7fb5180ccbdbf2a4b0bd22edcee2eed6ecb4ac2 100644
--- a/NOTICE
+++ b/NOTICE
@@ -74,7 +74,7 @@ The following software have components provided under the terms of this license:
 - protobuf (from https://developers.google.com/protocol-buffers/)
 - pycparser (from https://github.com/eliben/pycparser)
 - pyparsing (from http://pyparsing.wikispaces.com/)
-- pyrsistent (from http://github.com/tobgu/pyrsistent/)
+- pyrsistent (from http://github.com/tobgu/pyrsistent/, https://github.com/tobgu/pyrsistent/)
 - python-dateutil (from https://github.com/dateutil/dateutil)
 - sniffio (from https://github.com/python-trio/sniffio)
 - starlette (from https://github.com/encode/starlette, https://pypi.org/project/starlette/0.21.0/)
@@ -162,7 +162,7 @@ The following software have components provided under the terms of this license:
 - coverage (from https://github.com/nedbat/coveragepy)
 - ecdsa (from http://github.com/tlsfuzzer/python-ecdsa)
 - exceptiongroup (from https://pypi.org/project/exceptiongroup/1.0.0/, https://pypi.org/project/exceptiongroup/1.0.0rc9/)
-- fastapi (from https://pypi.org/project/fastapi/0.85.0/, https://pypi.org/project/fastapi/0.85.1/)
+- fastapi (from https://pypi.org/project/fastapi/0.85.0/, https://pypi.org/project/fastapi/0.85.1/, https://pypi.org/project/fastapi/0.85.2/)
 - h11
 - humanfriendly (from https://humanfriendly.readthedocs.io)
 - iniconfig (from http://github.com/RonnyPfannschmidt/iniconfig)
@@ -176,7 +176,7 @@ The following software have components provided under the terms of this license:
 - py (from https://py.readthedocs.io/)
 - pydantic (from https://github.com/pydantic/pydantic, https://github.com/samuelcolvin/pydantic)
 - pyparsing (from http://pyparsing.wikispaces.com/)
-- pyrsistent (from http://github.com/tobgu/pyrsistent/)
+- pyrsistent (from http://github.com/tobgu/pyrsistent/, https://github.com/tobgu/pyrsistent/)
 - pytest (from http://pytest.org, https://docs.pytest.org/en/latest/)
 - pytest-cov (from https://github.com/pytest-dev/pytest-cov)
 - pytest-httpx (from https://colin-b.github.io/pytest_httpx/)
diff --git a/build/aws/build-aws/Dockerfile b/build/aws/build-aws/Dockerfile
index 566b9cc057692e4f8c35c73344c9f18af11a03c0..bb6b4fef7be7654ab9e61eb50da4471b29caa1d0 100644
--- a/build/aws/build-aws/Dockerfile
+++ b/build/aws/build-aws/Dockerfile
@@ -1,11 +1,12 @@
 # This Dockerfile assumes you used "make build" to convert the AdminUI to static files in frontend/adminui/dist/policyservice
-FROM python:3.9-slim-buster
+FROM public.ecr.aws/docker/library/python:3.9-slim-buster
 
 # set environment variables
 # PYTHONDONTWRITEBYTECODE - Prevents Python from writing pyc files to disc (equivalent to python -B option)
 ENV PYTHONDONTWRITEBYTECODE 1
 # PYTHONUNBUFFERED - Prevents Python from buffering stdout and stderr (equivalent to python -u option)
 ENV PYTHONUNBUFFERED 1
+EXPOSE 8080/tcp
 
 WORKDIR /opt
 COPY ./app /opt
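Review bot: The new `FROM` line still resolves a mutable tag, so the image content can change between builds without any change to this repository. Pin the base by digest, e.g. `FROM public.ecr.aws/docker/library/python:3.9-slim-buster@sha256:<digest-of-the-reviewed-image>`, and update the digest deliberately when the base is refreshed. A short comment above the line saying why the ECR Public mirror is used instead of Docker Hub would also help the next maintainer. The Dockerfile continues past this hunk, so whether it drops root with a `USER` instruction cannot be judged from here.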
diff --git a/build/aws/build-aws/buildspec.yaml b/build/aws/build-aws/buildspec.yaml
index 05fb1bdaf7a8eed795fdfee8fd76cf922c967f11..b9adc01ba273eac65ec59432551e4117cd435d2c 100644
--- a/build/aws/build-aws/buildspec.yaml
+++ b/build/aws/build-aws/buildspec.yaml
@@ -22,23 +22,26 @@ env:
     DOCKER_PASSWORD: /osdu/devops/docker_credentials:password
 phases:
   install:
+    runtime-versions:
+      nodejs: 12
     commands:
      - if [ $(echo $CODEBUILD_SOURCE_VERSION | grep -c  ^refs/heads.*) -eq 1 ]; then echo "Branch name found"; else echo "This build only supports branch builds" && exit 1; fi
      - apt-get update -y
      # Install git secrets
+     #TODO temporarily adding hotfix, due to https://github.com/awslabs/git-secrets/issues/220
+     - export SAY_LOCATION=`ln -s "$(which echo)" say`
+     - export PATH="$PATH:$SAY_LOCATION"
+
      - git clone https://github.com/awslabs/git-secrets.git
      - cd git-secrets && make install && cd ..
      - git secrets --install && git secrets --register-aws
      - npm cache clean -f
-     - n stable
      - npm --version
+     - n 16
      - npm install -g @angular/cli
-  pre_build:
-    commands:
-      - echo "Logging in to Amazon ECR..."
-      - $(aws ecr get-login --no-include-email --region $AWS_REGION) # authenticate with ECR via the AWS CLI
   build:
     commands:
+      - export AWS_ACCOUNT_ID=`aws sts get-caller-identity --query Account --output text`
       - export REPO_NAME=${PWD##*/}
       - export OUTPUT_DIR="dist"
       - export BRANCH_NAME=`echo ${CODEBUILD_SOURCE_VERSION} | awk '{gsub("refs/heads/","");gsub("\\.","-");gsub("[[:space:]]","-")}1' | sed 's/\//-/g' | awk '{print tolower($0)}'`
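Review bot: The `say` hotfix leaves an empty entry on PATH: `ln -s` prints nothing on success, so `SAY_LOCATION` is empty and `export PATH="$PATH:$SAY_LOCATION"` ends in a trailing `:`, which the shell treats as the current directory. The workaround therefore only works while the working directory is the one holding the `say` symlink, and, if the exported PATH carries over, later commands resolve unknown names against whatever directory the build is in, including the freshly cloned checkout. Put the link in a dedicated directory instead: `mkdir -p "$HOME/bin" && ln -sf "$(which echo)" "$HOME/bin/say"` followed by `export PATH="$PATH:$HOME/bin"`. Separately, `runtime-versions` asks for nodejs 12 while `n 16` switches to 16 a few lines later; one of the two should go.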
@@ -57,7 +60,7 @@ phases:
       - printenv
 
       - cd app
-      - make build
+      - make build_adminui
       - cd ..
 
       - GIT_SECRETS_SCAN_RESULT=$(git secrets --scan 2> ${OUTPUT_DIR}/git_secrets.out.txt && echo OK || echo FAILED)
@@ -69,10 +72,10 @@ phases:
       - echo "--Copying Helm Charts to ${OUTPUT_DIR:-dist}--"
       - rsync -r devops/aws/* "${OUTPUT_DIR:-dist}"
 
-      - echo "Logging into Docker Hub..."
-      - docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
+      - echo "Logging in to Amazon ECR..."
+      - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com # authenticate with ECR via the AWS CLI
       - echo "Building docker image..."
-      - docker build -f app/Dockerfile -t ${ECR_IMAGE} .
+      - docker build -f build/aws/build-aws/Dockerfile -t ${ECR_IMAGE} .
       - docker tag  ${ECR_IMAGE} ${ECR_IMAGE_BRANCH_LATEST}
       - echo "Pushing docker image..."
       - docker push ${ECR_IMAGE}
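Review bot: With the Docker Hub login removed here, the `DOCKER_PASSWORD` entry that the `env` block still pulls from `/osdu/devops/docker_credentials:password` (visible as context in the first hunk) looks unused, and the build still runs `printenv`. Nothing in the visible lines reads the Docker Hub credentials any more, so drop `DOCKER_PASSWORD` and its companion username entry from `env` unless a step outside these hunks needs them; a build role should not be handed secrets it no longer uses. The `env` block begins outside the diff, so confirm against the full file.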
diff --git a/devops/aws/opa/templates/scaledobject.yaml b/devops/aws/opa/templates/scaledobject.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7f60905b2a6286c5421878c7ade070f4f82b9edc
--- /dev/null
+++ b/devops/aws/opa/templates/scaledobject.yaml
@@ -0,0 +1,4 @@
+{{- template "common.scaledobject" (list . "os-entitlements.scaledobject") -}}
+{{- define "os-entitlements.scaledobject" -}}
+## Define overrides for the service's scaled object resource here
+{{- end -}}
\ No newline at end of file
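Review bot: The template name `os-entitlements.scaledobject` looks copied from the entitlements chart, but this file lives in the `opa` chart. Helm's named templates share one namespace across a chart and its subcharts, so a borrowed prefix can shadow, or be shadowed by, the entitlements definition if the two are ever rendered together, and it misleads readers about which service the overrides apply to. Rename both occurrences to a chart-local name such as `opa.scaledobject`, and add a trailing newline to the file.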
diff --git a/devops/aws/opa/values.yaml b/devops/aws/opa/values.yaml
index 11e89004c76fceb48115acf24c30e957529aa8c8..c2f85231e0e0cfcde23c12a796bcfac5daafceaa 100644
--- a/devops/aws/opa/values.yaml
+++ b/devops/aws/opa/values.yaml
@@ -20,13 +20,21 @@ podAnnotations:
   seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
 
 # Resource Config
-replicaCount: 2
+maxConnections: 200
+replicaCount: 1
 resources:
   limits:
     memory: 200M
   requests:
     cpu: 500m
     memory: 100M
+autoscaling:
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 90
+  coolDownPeriod: 120
+  ServiceRequestCountThreshold: 25
+  ServiceRequestDurationAverage: 500
 
 # Security Config
 serviceAccountRole: arn:aws:iam::{{ .Values.global.accountID }}:role/osdu-{{ .Values.global.resourcePrefix }}-{{ .Values.global.region }}-{{ include "common.name" . }}
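Review bot: `replicaCount: 1` together with `minReplicas: 1` lets this chart idle at a single pod, where the previous value kept two. The chart path suggests this is the OPA policy engine; if so, one pod restart or node drain leaves callers with no policy decisions until a replacement is ready, and whether they then fail closed or fail open is not visible here. Consider `minReplicas: 2`, and keep `replicaCount` in step with it. The new keys `ServiceRequestCountThreshold` and `ServiceRequestDurationAverage` are PascalCase while their siblings are camelCase; check that spelling against what the `common.scaledobject` template actually reads.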