diff --git a/standard/README.md b/standard/README.md
index 5536841..580a312 100644
--- a/standard/README.md
+++ b/standard/README.md
@@ -14,11 +14,26 @@ module "mybucket" {
 
   bucket_name = "mynormalbucket"
   access_log_bucket = "mylogbucket"
+  kms_admin_roles   = [ aws_iam_role.cloud-admin.arn ]
+
+  ## optional
+  # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+}
+
+data "aws_iam_policy_document" "mypolicy" {
+  statement { }
 }
 ```
 
 This automaticaly creates an AWS KMS key used just for this bucket.
 
+It will set a key usage/management policy by default with the `root` account, along with any other
+roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+
+If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
+to provide variables granting read and write access to the key.
+
 ## Requirements
 
 No requirements.
@@ -45,7 +60,13 @@ No modules.
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -60,7 +81,9 @@ No modules.
 | <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored. | `string` | `""` | no |
+| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
 | <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
 | <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header.  Should not normally be needed. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/standard/main.tf b/standard/main.tf
index b7ea135..7892b35 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -15,10 +15,25 @@
 *
 *   bucket_name = "mynormalbucket"
 *   access_log_bucket = "mylogbucket"
+*   kms_admin_roles   = [ aws_iam_role.cloud-admin.arn ]
+*
+*   ## optional
+*   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+* }
+*
+* data "aws_iam_policy_document" "mypolicy" {
+*   statement { }
 * }
 * ```
 * 
 * This automaticaly creates an AWS KMS key used just for this bucket.
+*
+* It will set a key usage/management policy by default with the `root` account, along with any other
+* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+*
+* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+* such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
+* to provide variables granting read and write access to the key.
 */
 
 locals {
diff --git a/title26/README.md b/title26/README.md
index fbc2a0c..8037d57 100644
--- a/title26/README.md
+++ b/title26/README.md
@@ -15,6 +15,14 @@ module "mybucket" {
   bucket_name = "myt26bucket"
   access_log_bucket = "mylogbucket"
   # enable_title26 = true
+  kms_admin_roles   = [ aws_iam_role.cloud-admin.arn ]
+
+  ## optional
+  # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+}
+
+data "aws_iam_policy_document" "mypolicy" {
+  statement { }
 }
 ```
 
@@ -24,6 +32,13 @@ to make a comma separated list.
 
 This automaticaly creates an AWS KMS key used just for this bucket.
 
+It will set a key usage/management policy by default with the `root` account, along with any other
+roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+
+If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
+to provide variables granting read and write access to the key.
+
 ## Requirements
 
 No requirements.
@@ -50,7 +65,13 @@ No modules.
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -65,7 +86,9 @@ No modules.
 | <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br>  "title26"<br>]</pre> | no |
 | <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored. | `string` | `""` | no |
+| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
 | <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
 | <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header.  Should not normally be needed. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/title26/main.tf b/title26/main.tf
index aa2c325..e21add0 100644
--- a/title26/main.tf
+++ b/title26/main.tf
@@ -16,6 +16,14 @@
 *   bucket_name = "myt26bucket"
 *   access_log_bucket = "mylogbucket"
 *   # enable_title26 = true
+*   kms_admin_roles   = [ aws_iam_role.cloud-admin.arn ]
+*
+*   ## optional
+*   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+* }
+*
+* data "aws_iam_policy_document" "mypolicy" {
+*   statement { }
 * }
 * ```
 * 
@@ -24,6 +32,13 @@
 * to make a comma separated list.
 *
 * This automaticaly creates an AWS KMS key used just for this bucket.
+*
+* It will set a key usage/management policy by default with the `root` account, along with any other
+* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
+*
+* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
+* such as read access (decrypt) or write access (encrypt, re-encrypt).  A later enhancement may be
+* to provide variables granting read and write access to the key.
 */
 
 locals {