diff --git a/cloudfront.tf b/cloudfront.tf
index 100a474..1f99d92 100644
--- a/cloudfront.tf
+++ b/cloudfront.tf
@@ -254,9 +254,12 @@ resource "aws_cloudfront_distribution" "munki_basic_auth" {
   ordered_cache_behavior {
     path_pattern = "/icons/*"
 
-    lambda_function_association {
-      event_type = "viewer-request"
-      lambda_arn = "${aws_lambda_function.basic_auth_lambda[0].arn}:${aws_lambda_function.basic_auth_lambda[0].version}"
+    dynamic "lambda_function_association" {
+      for_each = var.enable_icons_basic_auth ? ["true"] : []
+      content {
+        event_type = "viewer-request"
+        lambda_arn = "${aws_lambda_function.basic_auth_lambda[0].arn}:${aws_lambda_function.basic_auth_lambda[0].version}"
+      }
     }
 
     trusted_signers        = var.cf_trusted_signers
diff --git a/variables.tf b/variables.tf
index 6604675..8bca8e3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -140,3 +140,9 @@ variable "icons_ordered_cache_behavior_max_ttl" {
   default     = 60
   description = "The maximum amount of time (in seconds) that a icon object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated."
 }
+
+variable "enable_icons_basic_auth" {
+  type        = bool
+  default     = true
+  description = "When set to 'true' the resource will enable basic auth for icons/ subpath"
+}