diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index 7bcc9d1..8d0c88d 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -641,7 +641,10 @@ data "aws_iam_policy_document" "base" {
 "kms:ListAliases",
 "kms:ListKeyPolicies",
 "kms:ListKeys",
- "kms:ListResourceTags"
+ "kms:ListResourceTags",
+ "kms:GetKeyRotationStatus",
+ "kms:ListKeyRotations",
+ "kms:ListGrants"
 ],
 "Resource" : "*"
 },
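Review bot: The three added actions are granted on `"Resource" : "*"`, and the statement's principal and any condition sit outside this hunk, so it is not visible here who receives them. `kms:ListGrants` returns grantee principals, permitted operations and grant constraints, which is more revealing than the list/tag metadata this statement already carried. If the document is applied as a key policy the wildcard only means the key itself, but if it is attached as an identity policy it covers every key in the account, so I'd confirm the principal is limited to the audit or automation role that needs these calls. A comment above the list such as `# read-only key metadata for rotation/grant auditing; no cryptographic or grant-management actions` would record the intent. The new entries also break the alphabetical order the list had.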