diff --git a/packages/@aws-cdk-testing/cli-integ/resources/bootstrap-templates/custom-bootstrap-session-tags.yaml b/packages/@aws-cdk-testing/cli-integ/resources/bootstrap-templates/custom-bootstrap-session-tags.yaml
index 06add7abf2a9f..4b5ae14f4ad5c 100644
--- a/packages/@aws-cdk-testing/cli-integ/resources/bootstrap-templates/custom-bootstrap-session-tags.yaml
+++ b/packages/@aws-cdk-testing/cli-integ/resources/bootstrap-templates/custom-bootstrap-session-tags.yaml
@@ -436,9 +436,9 @@ Resources:
             Principal:
               AWS:
                 Ref: AWS::AccountId
-            Condition:
-              StringEquals:
-                aws:RequestTag/Department: "Engineering"
+            # Condition:
+            #   StringEquals:
+            #     aws:RequestTag/Department: "Engineering"
           - Fn::If:
               - HasTrustedAccounts
               - Action: sts:AssumeRole
@@ -446,9 +446,9 @@ Resources:
                 Principal:
                   AWS:
                     Ref: TrustedAccounts
-                Condition:
-                  StringEquals:
-                    aws:RequestTag/Department: "Engineering"
+                # Condition:
+                #   StringEquals:
+                #     aws:RequestTag/Department: "Engineering"
               - Ref: AWS::NoValue
       Policies:
         - PolicyDocument:
@@ -548,6 +548,9 @@ Resources:
             Effect: Allow
             Principal:
               Service: cloudformation.amazonaws.com
+            Condition:
+              StringEquals:
+                aws:RequestTag/Department: "Engineering"
         Version: '2012-10-17'
       ManagedPolicyArns:
         Fn::If: