diff --git a/common/README.md b/common/README.md
index 3f9c08f..392d60f 100644
--- a/common/README.md
+++ b/common/README.md
@@ -26,6 +26,7 @@ No modules.
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/common/resources.tf b/common/resources.tf
index be47cd3..b3aba4e 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -14,8 +14,9 @@ locals {
 kms_key_arn = aws_kms_key.key.arn
 kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
- kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
- kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
 condition_allowed_cidr = {
 "test" : "NotIpAddress"
@@ -239,7 +240,7 @@ resource "aws_kms_alias" "key" {
 # auto includes root
 data "aws_iam_policy_document" "key_admin" {
 statement {
- sid = "KMSAdminRoles"
+ sid = "BuiltinKMSAdminRoles"
 effect = "Allow"
 actions = ["kms:*"]
 resources = ["*"]
@@ -253,6 +254,8 @@ data "aws_iam_policy_document" "key_admin" {
 data "aws_iam_policy_document" "key_policy_combined" {
 source_policy_documents = [
 data.aws_iam_policy_document.key_admin.json,
- var.kms_policy_document
+ local.kms_policy_document
 ]
 }
+
+data "aws_iam_policy_document" "empty" {}
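Review bot: The `data "aws_iam_policy_document" "empty" {}` added at the end of the last hunk carries no comment saying why a statement-less document exists, so a later cleanup could easily drop it as unused; a line such as `# Statement-less document: fallback source for key_policy_combined when var.kms_policy_document is empty` would pin its purpose. The local it backs, `kms_policy_document` (defined in the earlier `locals` hunk, which is cut off in this view), selects it with `length(var.kms_policy_document) > 0`, and `length()` fails on a `null` value; the variable's declaration is not visible here, so if it allows `null` rather than only `""`, `try(length(var.kms_policy_document) > 0, false)` or `coalesce(var.kms_policy_document, "")` would make the fallback hold in that case too. Because `key_policy_combined` merges a caller-supplied document with the built-in admin statement, the Sid rename to `BuiltinKMSAdminRoles` in the previous hunk presumably reduces the chance of a caller's statement conflicting with it; it would be worth stating in the variable description that callers must not reuse that Sid, since a collision would silently alter or reject the key policy depending on provider behavior.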