diff --git a/codebuild/main.tf b/codebuild/main.tf
index 9f4564c..c333217 100644
--- a/codebuild/main.tf
+++ b/codebuild/main.tf
@@ -93,6 +93,17 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
 resources = var.tfstate_dynamodb_arns
 }
 
+ statement {
+ sid = "TfStateKMS"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey",
+ ]
+ resources = var.tfstate_kms_key_arns
+ }
+
 # ── ECS ───────────────────────────────────────────────────────────────────
 statement {
 sid = "ECS"
diff --git a/codebuild/variables.tf b/codebuild/variables.tf
index 4bf0822..b8696c3 100644
--- a/codebuild/variables.tf
+++ b/codebuild/variables.tf
@@ -98,3 +98,11 @@ variable "tfstate_dynamodb_arns" {
 "arn:aws-us-gov:dynamodb:us-gov-east-1:220615867784:table/tf_remote_state",
 ]
 }
+
+variable "tfstate_kms_key_arns" {
+ description = "ARNs of KMS keys used to encrypt Terraform state buckets. The CodeBuild role needs Decrypt/GenerateDataKey to read and write state."
+ type = list(string)
+ default = [
+ "arn:aws-us-gov:kms:us-gov-east-1:229685449397:key/dd80db1a-1088-4f53-b930-fb2ddb739849",
+ ]
+}
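Review bot: The new `TfStateKMS` statement lets the CodeBuild role call kms:Decrypt and kms:GenerateDataKey on the state key from any caller context, although the only stated use is SSE-KMS on the state bucket; constraining it to S3 with `condition { test = "StringEquals" variable = "kms:ViaService" values = ["s3.us-gov-east-1.amazonaws.com"] }` keeps a compromised build from using the key to decrypt arbitrary ciphertexts outside S3. The default key ARN added in the variables.tf hunk sits in account 229685449397 while the DynamoDB table above is in 220615867784, so at least one of these is used cross-account; if the role is not in the key's account, this IAM grant alone does nothing and the key policy must also allow the role, which deserves a comment on the statement, e.g. `# Cross-account keys also need a matching key-policy grant; IAM alone is insufficient.`. The `ghe_runner_deploy` policy document starts and ends outside this hunk.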
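Review bot: The description of `tfstate_kms_key_arns` says the role needs only Decrypt/GenerateDataKey, but the matching statement in main.tf also grants kms:DescribeKey; the two should agree so a reader auditing the grant is not misled, and since this list feeds directly into a policy `resources` field, a `validation` block rejecting non-KMS ARNs would catch a mispasted table or bucket ARN at plan time (requires a Terraform version with variable validation). The hard-coded account-specific default follows the existing `tfstate_dynamodb_arns` pattern, so that is a pre-existing style choice rather than a new issue.
```hcl
  description = "ARNs of KMS keys used to encrypt Terraform state buckets. The CodeBuild role is granted kms:Decrypt, kms:GenerateDataKey and kms:DescribeKey on them to read and write state."
  # … unchanged: type and default …
  validation {
    condition     = alltrue([for a in var.tfstate_kms_key_arns : can(regex("^arn:aws(-[a-z-]+)?:kms:", a))])
    error_message = "Each entry must be a KMS key ARN."
  }
```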