diff --git a/docs/asff.md b/docs/asff.md
index 7445d84b758d434e7c4cf01601d4d1438ab903af..40cdfbef18cfdd31400e35594a20d2553a963b86 100644
--- a/docs/asff.md
+++ b/docs/asff.md
@@ -15,7 +15,7 @@ You can configure kube-bench with the `--asff` to send findings to AWS Security
 
 ## Configure permissions in an IAM Role
 
-* Grant these permissions to the IAM Role that the kube-bench pod will be associated with. There are two potions:
+* Grant these permissions to the IAM Role that the kube-bench pod will be associated with. There are two options:
   * You can run the kube-bench pod under a specific [service account associated with an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) that has these permissions to write Security Hub findings.
   * Alternatively the pod can be granted permissions specified by the Role that your [EKS node group uses](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html).
   
@@ -36,16 +36,14 @@ Here is an example IAM Policy that you can attach to your EKS node group's IAM R
 }
 ```
 
-## Configure and rebuild kube-bench
+### Modify the job configuration
 
-You will need to download, build and push the kube-bench container image to your ECR repo as described in Step 3 of the [EKS instructions][eks-instructions], except that before you build the container image, you need to edit `cfg/eks-1.0/config.yaml` to specify the AWS account, AWS region, and the EKS Cluster ARN.
+* Modify the kube-bench Configmap in `job-eks-asff.yaml` to specify the AWS account, AWS region, and the EKS Cluster ARN.
+* In the same file, modify the image specifed in the Job to use the kube-bench image pushed to your ECR
+* [Optional] - If you have created a dedicated IAM role to be used with kube-bench as described above in [Configure permissions in an IAM Role](#configure-permissions-in-an-iam-role), you will need to add the IAM role arn to the kube-bench ServiceAccount in `job-eks-asff.yaml`.
+* Make sure that `job-eks-asff.yaml` specifies the container image you just pushed to your ECR registry.
 
-## Modify the job configuration
-
-* Modify `job-eks.yaml` to specify the `--asff` flag, so that kube-bench writes output in ASFF format to Security Hub
-* Make sure that `job-eks.yaml` specifies the container image you just pushed to your ECR registry.
-
-You can now run kube-bench as a pod in your cluster: `kubectl apply -f job-eks.yaml`
+You can now run kube-bench as a pod in your cluster: `kubectl apply -f job-eks-asff.yaml`
 
 Findings will be generated for any kube-bench test that generates a `[FAIL]` or `[WARN]` output. If all tests pass, no findings will be generated. However, it's recommended that you consult the pod log output to check whether any findings were generated but could not be written to Security Hub.
 
diff --git a/job-eks-asff.yaml b/job-eks-asff.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..741e282cd8a85bb4d5f26521a70dd10d9e0fa7d4
--- /dev/null
+++ b/job-eks-asff.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-bench
+  # If using a dedicated IAM role for kube-bench, uncomment the annotations
+  # block below and replace the ROLE_ARN
+  # annotations:
+  #   eks.amazonaws.com/role-arn: "<ROLE_ARN>"
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-bench-eks-config
+data:
+  config.yaml: |
+    AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
+    AWS_REGION: "<AWS_REGION>"
+    CLUSTER_ARN: "<AWS_CLUSTER_ARN>"
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kube-bench
+spec:
+  template:
+    spec:
+      hostPID: true
+      containers:
+        - name: kube-bench
+          # Push the image to your ECR and then refer to it here
+          image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
+          command: ["kube-bench", "node", "--benchmark", "eks-1.0", "--asff"]
+          volumeMounts:
+            - name: var-lib-kubelet
+              mountPath: /var/lib/kubelet
+              readOnly: true
+            - name: etc-systemd
+              mountPath: /etc/systemd
+              readOnly: true
+            - name: etc-kubernetes
+              mountPath: /etc/kubernetes
+              readOnly: true
+            - name: kube-bench-eks-config
+              mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml"
+              subPath: config.yaml
+              readOnly: true
+      restartPolicy: Never
+      serviceAccountName: kube-bench
+      volumes:
+        - name: var-lib-kubelet
+          hostPath:
+            path: "/var/lib/kubelet"
+        - name: etc-systemd
+          hostPath:
+            path: "/etc/systemd"
+        - name: etc-kubernetes
+          hostPath:
+            path: "/etc/kubernetes"
+        - name: kube-bench-eks-config
+          configMap:
+            name: kube-bench-eks-config
+            items:
+              - key: config.yaml
+                path: config.yaml
diff --git a/job-eks.yaml b/job-eks.yaml
index 7a51e7544914c848aa9fccfdad65cf233222cf24..720c428eb4d704b5074e36737d3037b29ef709e0 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -10,11 +10,9 @@ spec:
       containers:
         - name: kube-bench
           # Push the image to your ECR and then refer to it here
-          image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
-          # Use the --asff flag if you would like to send findings to AWS Security Hub
-          # Note that this requires you to rebuild a version of the kube-bench image
-          # after editing the cfg/eks-1.0/config.yaml with your account information
-          # command: ["kube-bench", "node", "--benchmark", "eks-1.0", "--asff"]
+          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
+          image: aquasec/kube-bench:latest
+          # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
           command: ["kube-bench", "node", "--benchmark", "eks-1.0"]
           volumeMounts:
             - name: var-lib-kubelet