diff --git a/s3-config-org/kms.tf b/s3-config-org/kms.tf
index 9e95c3e..0875327 100644
--- a/s3-config-org/kms.tf
+++ b/s3-config-org/kms.tf
@@ -64,12 +64,32 @@ data "aws_iam_policy_document" "key" {
       identifiers = [local.kms_admin_root]
     }
   }
+  statement {
+    sid    = "KMSDescribeKeyFromServices"
+    effect = "Allow"
+    actions = [
+      "kms:Describe*",
+      "kms:List*",
+    ]
+    resources = ["*"]
+    principals {
+      type = "service"
+      identifiers = [
+        "sqs.amazonaws.com",
+        "cloudtrail.amazonaws.com",
+        "sns.amazonaws.com",
+        "s3.amazonaws.com",
+      ]
+    }
+  }
   statement {
     sid    = "AWSConfigKMSPolicy"
     effect = "Allow"
     actions = [
       "kms:Decrypt",
+      "kms:Encrypt",
       "kms:GenerateDataKey",
+      "kms:ReEncrypt",
     ]
     principals {
       type = "Service"
@@ -87,11 +107,13 @@ data "aws_iam_policy_document" "key" {
     effect = "Allow"
     actions = [
       "kms:Decrypt",
+      "kms:Encrypt",
       "kms:GenerateDataKey",
+      "kms:ReEncrypt",
     ]
     principals {
       type = "Service"
-      identifiers = ["sns.amazonaws.com"]
+      identifiers = ["sns.amazonaws.com", "s3.amazonaws.com"]
     }
     resources = ["*"]
     condition {
diff --git a/s3-config-org/sqs.s3.tf b/s3-config-org/sqs.s3.tf
index 4cf6201..3b023ce 100644
--- a/s3-config-org/sqs.s3.tf
+++ b/s3-config-org/sqs.s3.tf
@@ -105,7 +105,7 @@ data "aws_iam_policy_document" "config_org_s3_sqs" {
     condition {
       test     = "StringEquals"
       variable = "aws:SourceArn"
-      values = [var.enable_s3_sns ? aws_sns_topic.config_org_s3[0].arn : ""]
+      values = [var.enable_s3_sns ? aws_s3_bucket.config_org.arn : ""]
     }
   }
 }
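Review bot: `kms:ReEncrypt` added to the AWSConfigKMSPolicy statement (and again in the second kms.tf hunk) is not a KMS action — the permissions are `kms:ReEncryptFrom` and `kms:ReEncryptTo` — so the key policy will likely be rejected on apply or the entry will grant nothing; use `"kms:ReEncrypt*"` or list both actions explicitly. The new KMSDescribeKeyFromServices statement uses `type = "service"` while every other statement uses `type = "Service"`; the principal type is case-sensitive in the rendered policy and the provider is expected to reject the lowercase form, so change it to `type = "Service"`. That statement also grants `kms:Describe*`/`kms:List*` to four service principals with no `condition`, unlike the other statements in this document; the actions are read-only metadata, but a `kms:ViaService` or `aws:SourceAccount` condition would keep it consistent with the rest of the key policy and scoped to this account. Whether AWS Config needs `kms:Encrypt` cannot be told from the hunk — its S3 delivery is normally covered by `kms:GenerateDataKey` and `kms:Decrypt` — so consider leaving it out unless a concrete need is documented in the sid.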
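Review bot: Adding `s3.amazonaws.com` to the SNS statement's principals places S3 under a `condition` that was written for the SNS topic; the condition body is outside the hunk, so whether its key and value also match the bucket cannot be told from here — if it pins the topic ARN the S3 grant never applies, and if it is loosened to cover both it over-grants to SNS. A separate statement for S3 with its own `aws:SourceArn` set to the bucket ARN and an `aws:SourceAccount` condition keeps each service principal scoped to its own resource. The statement's `sid` and the remainder of the condition lie outside the hunk.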
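Review bot: The `aws:SourceArn` condition now names the bucket ARN but is still gated on `var.enable_s3_sns`, and the principal this condition is attached to is outside the hunk; if the queue is now fed directly by S3 bucket notifications the principal should be `s3.amazonaws.com` and the flag name no longer describes what it enables, whereas if the queue is still subscribed through the SNS topic the correct source is the topic ARN this line removes. The `""` fallback presumably leaves a statement whose SourceArn can never match when the flag is off; a `dynamic "condition"` keyed on the flag, or a count on the whole statement, states the intent more clearly than an empty value. The enclosing `config_org_s3_sqs` document and its principals block start before the hunk.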