From f3573b320d304cd1a4ac2d5e00451aa1982ba34d421c45d6d516124ef5aa7f18 Mon Sep 17 00:00:00 2001
From: xpk
Date: Fri, 6 Mar 2026 14:21:42 +0800
Subject: [PATCH] feat: adding more read permissions to kms key policy
---
 .../CustomerManagedKmsKeys/main.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index 7bcc9d1..8d0c88d 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -641,7 +641,10 @@ data "aws_iam_policy_document" "base" {
 "kms:ListAliases",
 "kms:ListKeyPolicies",
 "kms:ListKeys",
- "kms:ListResourceTags"
+ "kms:ListResourceTags",
+ "kms:GetKeyRotationStatus",
+ "kms:ListKeyRotations",
+ "kms:ListGrants"
 ],
 "Resource" : "*"
 },
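Review bot: `kms:ListGrants` among the added actions returns every grant on the key, including grantee principals, granted operations and encryption-context constraints, which is more revealing than the rotation-status reads added beside it. The statement's `Principal` and any `Condition` sit outside this hunk, so it cannot be confirmed from here that the statement is limited to audit or administrative roles; if it turns out to be a broad account-wide read statement, consider moving `"kms:ListGrants"` into a statement scoped to those roles. In a key policy `"Resource" : "*"` refers to this key only, so the wildcard itself is not the concern. A short comment above the action list, such as `# read-only key metadata for audit tooling; ListGrants discloses grantees and grant constraints`, would record the intent, assuming this policy is written where HCL comments are allowed.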