diff --git a/s3-config-org/README.md b/s3-config-org/README.md
index 9dcf9f6..8d90ba5 100644
--- a/s3-config-org/README.md
+++ b/s3-config-org/README.md
@@ -18,6 +18,7 @@ module "config_org" {
 # Links
 * https://cloudyadvice.com/2022/04/14/automated-enterprise-deployment-of-aws-config/
+* https://docs.aws.amazon.com/config/latest/developerguide/s3-kms-key-policy.html
 ## Requirements
diff --git a/s3-config-org/kms.tf b/s3-config-org/kms.tf
index 74c27fc..3abda83 100644
--- a/s3-config-org/kms.tf
+++ b/s3-config-org/kms.tf
@@ -51,7 +51,36 @@ data "aws_iam_policy_document" "key_admin" {
 data "aws_iam_policy_document" "empty" {}
-data "aws_iam_policy_document" "key" {}
+data "aws_iam_policy_document" "key" {
+ statement {
+ sid = "IAMPermissionsAccessKMSManagement"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = [local.kms_admin_root]
+ }
+ }
+ statement {
+ sid = "AWSConfigKMSPolicy"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ ]
+ principals {
+ type = "Service"
+ identifiers = ["config.amazonaws.com"]
+ }
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgId"
+ values = [local.organization_id]
+ }
+ }
+}
 ## data "aws_iam_policy_document" "key" {
 ## policy_id = "object-logging-cloud-trail"
diff --git a/s3-config-org/main.tf b/s3-config-org/main.tf
index 2c7ef12..f9d75ae 100644
--- a/s3-config-org/main.tf
+++ b/s3-config-org/main.tf
@@ -18,6 +18,7 @@ * * # Links
 * * https://cloudyadvice.com/2022/04/14/automated-enterprise-deployment-of-aws-config/
+* * https://docs.aws.amazon.com/config/latest/developerguide/s3-kms-key-policy.html
 */
 locals {
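Review bot: The `AWSConfigKMSPolicy` statement in the kms.tf hunk conditions a `Service` principal (`config.amazonaws.com`) on `aws:PrincipalOrgId`, but that key is only populated when the calling principal is a member of the organization, so for a service-principal request it is most likely absent and the `StringEquals` test fails closed — Config would be denied `kms:GenerateDataKey` and delivery to the bucket would silently stop. The confused-deputy key for service-to-service calls is `aws:SourceOrgID` (or `aws:SourceAccount` for a single account, which as far as I recall is what the linked AWS page uses), so the condition should read `variable = "aws:SourceOrgID"` with the same `values = [local.organization_id]`; please verify against the linked doc before merging. The `kms:*` grant to `local.kms_admin_root` is the usual root-delegation statement and is fine, but it is worth a one-line comment saying it exists so the key stays manageable and that actual admin rights are scoped by IAM in that account. The hunk also leaves the old `## data "aws_iam_policy_document" "key" {` block commented out below the new definition; it should be deleted now that the real policy replaces it.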