diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
index 518a947..a8e3fc1 100644
--- a/cloudtrail-key/main.tf
+++ b/cloudtrail-key/main.tf
@@ -257,6 +257,7 @@ data "aws_iam_policy_document" "key" {
     sid    = "CloudTrailKMSEncryptAccess"
     effect = "Allow"
     actions = [
+      "kms:Decrypt*",
       "kms:Encrypt*",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey",
@@ -266,19 +267,19 @@ data "aws_iam_policy_document" "key" {
       type        = "Service"
       identifiers = ["cloudtrail.amazonaws.com"]
     }
-    condition {
-      test     = "StringLike"
-      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
-      values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
-    }
+    # condition {
+    #   test     = "StringLike"
+    #   variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+    #   values   = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+    # }
   }
   # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
   statement {
     sid    = "Cloudwatch"
     effect = "Allow"
     actions = [
-      "kms:Encrypt*",
       "kms:Decrypt*",
+      "kms:Encrypt*",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
       "kms:Describe*"
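Review bot: Adding `"kms:Decrypt*"` to the `CloudTrailKMSEncryptAccess` statement widens what the `cloudtrail.amazonaws.com` service principal may do with this key, and nothing in the hunk records why the service itself now needs to decrypt rather than only generate data keys and encrypt. If a specific CloudTrail feature requires it, a short why-comment above the action would save the next reviewer from undoing it, for example `# Decrypt is required here because <reason> — see <doc link>`. The statement's `principals` block and the enclosing `data "aws_iam_policy_document" "key"` continue outside this hunk.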
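Review bot: Commenting out the `kms:EncryptionContext:aws:cloudtrail:arn` condition leaves the `CloudTrailKMSEncryptAccess` statement with no scoping at all: the principal is the global service `cloudtrail.amazonaws.com`, so without a condition a trail in any AWS account can have the service use this key on its behalf (the confused-deputy pattern the original `format("arn:%v:cloudtrail:*:%v:trail/*", ...)` value was guarding against), and the newly added `kms:Decrypt*` makes that broader still. If the encryption-context match was causing a real failure, it should be replaced by another account-scoping condition rather than dropped, and the dead block should be deleted rather than left commented out with no explanation. The `aws:SourceAccount` / `aws:SourceArn` condition keys are the documented alternative for service-principal statements; the condition below is a constructed example, with the account value taken from the existing `local.account_id`.
```terraform
    # … unchanged: sid, effect, actions, principals …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
```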