diff --git a/pkg/instrumentation/podmutator_test.go b/pkg/instrumentation/podmutator_test.go
index 10bb604c1..88a58acca 100644
--- a/pkg/instrumentation/podmutator_test.go
+++ b/pkg/instrumentation/podmutator_test.go
@@ -220,7 +220,8 @@ func TestMutatePod(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
- Resources: testResourceRequirements,
+ Resources: testResourceRequirements,
+ SecurityContext: restrictedSecurityContext,
 },
 },
 Containers: []corev1.Container{
@@ -408,7 +409,8 @@ func TestMutatePod(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
- Resources: testResourceRequirements,
+ Resources: testResourceRequirements,
+ SecurityContext: restrictedSecurityContext,
 },
 },
 Containers: []corev1.Container{
@@ -3407,6 +3409,7 @@ func TestMutatePod(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
+ SecurityContext: restrictedSecurityContext,
 },
 {
 Name: nodejsInitContainerName,
@@ -4065,6 +4068,7 @@ func TestMutatePod(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
+ SecurityContext: restrictedSecurityContext,
 },
 {
 Name: nodejsInitContainerName,
diff --git a/pkg/instrumentation/sdk.go b/pkg/instrumentation/sdk.go
index 2fbe589b3..1e6be4921 100644
--- a/pkg/instrumentation/sdk.go
+++ b/pkg/instrumentation/sdk.go
@@ -21,6 +21,7 @@ import (
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/util/retry"
+ "k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
 "github.com/aws/amazon-cloudwatch-agent-operator/apis/v1alpha1"
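Review bot: In the two expected pods for multi-language injection (the `@@ -3407` and `@@ -4065` hunks) only the java init container gains `SecurityContext: restrictedSecurityContext`, while the `nodejsInitContainerName` container immediately after it still has none, so these fixtures now lock in that the other instrumentation init containers stay without any securityContext. If that is intentional it should be stated in the fixture, e.g. `// only the java init container gets the restricted securityContext (see setInitContainerRestrictedSecurityContext)`; if not, the mutator should apply the same context to every instrumentation init container and these expected pods updated to match. The expected-pod literals start and end outside the hunks, so I cannot see whether the nodejs container carries a context set elsewhere.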
@@ -99,9 +100,11 @@ func (i *sdkInjector) inject(ctx context.Context, insts languageInstrumentations
 } else {
 pod = i.injectCommonEnvVar(otelinst, pod, index)
 pod = i.injectCommonSDKConfig(ctx, otelinst, ns, pod, index, index)
- //disable setting security context in init container due to issue with runAsNonRoot conflict
- //https://github.com/open-telemetry/opentelemetry-operator/issues/2272
- //pod = i.setInitContainerSecurityContext(pod, pod.Spec.Containers[index].SecurityContext, javaInitContainerName)
+
+ // Set a minimal restricted-compliant securityContext without runAsNonRoot/runAsUser
+ // to avoid the runAsNonRoot conflict (https://github.com/open-telemetry/opentelemetry-operator/issues/2272)
+ // while still satisfying the restricted Pod Security Standard.
+ pod = i.setInitContainerRestrictedSecurityContext(pod, javaInitContainerName)
 }
 }
 }
@@ -300,6 +303,23 @@ func (i *sdkInjector) setInitContainerSecurityContext(pod corev1.Pod, securityCo
 return pod
 }
 
+func (i *sdkInjector) setInitContainerRestrictedSecurityContext(pod corev1.Pod, instrInitContainerName string) corev1.Pod {
+ for idx, initContainer := range pod.Spec.InitContainers {
+ if initContainer.Name == instrInitContainerName {
+ pod.Spec.InitContainers[idx].SecurityContext = &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+ }
+ }
+ return pod
+}
+
 func getContainerIndex(containerName string, pod corev1.Pod) int {
 // We search for specific container to inject variables and if no one is found
 // We fallback to first container
diff --git a/pkg/instrumentation/sdk_test.go b/pkg/instrumentation/sdk_test.go
index 43d2b1bef..41b7c6788 100644
--- a/pkg/instrumentation/sdk_test.go
+++ b/pkg/instrumentation/sdk_test.go
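Review bot: The new comment claims the context "still satisf[ies] the restricted Pod Security Standard", but with runAsNonRoot deliberately left unset on the container that is only true when `pod.Spec.SecurityContext.RunAsNonRoot` is true at the pod level; for a pod without it, PSA's restricted profile still rejects the init container, so the comment overstates what the code guarantees. State the precondition where the next maintainer will look, e.g. replace the last comment line with `// while still satisfying the restricted Pod Security Standard, provided the pod-level securityContext sets runAsNonRoot=true (required by the restricted profile).` Only `javaInitContainerName` is passed here, so any other instrumentation init container that inject creates keeps no securityContext at all; I cannot see the rest of inject from this hunk, so that may be handled in another branch. inject's body begins and ends outside the hunk.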
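Review bot: setInitContainerRestrictedSecurityContext unconditionally replaces whatever SecurityContext the matching init container already carries, so a context set earlier in the pipeline — including a runAsNonRoot/runAsUser an operator set on purpose — is silently discarded rather than tightened. Enforcing the three restricted fields while keeping the rest of an existing context gives the same hardening without that surprise, and since init container names are unique within a pod the loop can stop after the first match. With its only call site removed in the previous hunk, setInitContainerSecurityContext (whose tail `return pod }` is the leading context here, definition outside the hunk) appears to be dead code now; either delete it or leave a comment saying why it is kept. The function as written also lacks a doc comment; the rewrite below carries one.
```go
// setInitContainerRestrictedSecurityContext enforces the container-level fields of
// the restricted Pod Security Standard on the named instrumentation init container.
// runAsNonRoot/runAsUser are intentionally not set (see opentelemetry-operator#2272)
// and must be provided by the pod-level securityContext. Any other fields already
// present on the container's securityContext are preserved.
func (i *sdkInjector) setInitContainerRestrictedSecurityContext(pod corev1.Pod, instrInitContainerName string) corev1.Pod {
	for idx := range pod.Spec.InitContainers {
		if pod.Spec.InitContainers[idx].Name != instrInitContainerName {
			continue
		}
		sc := pod.Spec.InitContainers[idx].SecurityContext
		if sc == nil {
			sc = &corev1.SecurityContext{}
		}
		sc.AllowPrivilegeEscalation = ptr.To(false)
		if sc.Capabilities == nil {
			sc.Capabilities = &corev1.Capabilities{}
		}
		sc.Capabilities.Drop = []corev1.Capability{"ALL"}
		sc.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
		pod.Spec.InitContainers[idx].SecurityContext = sc
		break // init container names are unique within a pod
	}
	return pod
}
```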
@@ -17,6 +17,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 
 "github.com/aws/amazon-cloudwatch-agent-operator/apis/v1alpha1"
 )
@@ -34,6 +35,16 @@ var testResourceRequirements = corev1.ResourceRequirements{
 },
 }
 
+var restrictedSecurityContext = &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+}
+
 func TestSDKInjection(t *testing.T) {
 ns := corev1.Namespace{
 ObjectMeta: metav1.ObjectMeta{
@@ -529,7 +540,8 @@ func TestInjectJava(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
- Resources: testResourceRequirements,
+ Resources: testResourceRequirements,
+ SecurityContext: restrictedSecurityContext,
 },
 },
 Containers: []corev1.Container{
@@ -876,7 +888,8 @@ func TestInjectJavaAndPython(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
- Resources: testResourceRequirements,
+ Resources: testResourceRequirements,
+ SecurityContext: restrictedSecurityContext,
 },
 {
 Name: pythonInitContainerName,
@@ -1178,7 +1191,8 @@ func TestInjectJavaPythonAndDotNet(t *testing.T) {
 Name: javaVolumeName,
 MountPath: javaInstrMountPath,
 }},
- Resources: testResourceRequirements,
+ Resources: testResourceRequirements,
+ SecurityContext: restrictedSecurityContext,
 },
 {
 Name: pythonInitContainerName,
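Review bot: The new expectations only exercise the path where the java init container is freshly created with no securityContext, so the behaviour of setInitContainerRestrictedSecurityContext on a container that already carries one — which the implementation replaces wholesale — is left untested. Add a case (TestInjectJava's body begins outside the hunk) that seeds the java init container with e.g. `SecurityContext: &corev1.SecurityContext{RunAsNonRoot: ptr.To(true)}` and asserts exactly which fields survive, so that whether the operator merges or overwrites is pinned by a test rather than implied by this fixture. `restrictedSecurityContext` is a package-level pointer shared by every expected pod in both test files; that is fine as long as nothing mutates it, which I cannot confirm from these hunks, and a short comment on the var, e.g. `// shared read-only expectation; never mutate in tests`, would make the contract explicit.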