diff --git a/infrastructure/cloud/modules/security/kms.tf b/infrastructure/cloud/modules/security/kms.tf
index 8089b5dc..819f4884 100644
--- a/infrastructure/cloud/modules/security/kms.tf
+++ b/infrastructure/cloud/modules/security/kms.tf
@@ -21,10 +21,24 @@ resource "aws_kms_alias" "kms_alias" {
 resource "aws_kms_key_policy" "kms_key_policy" {
 key_id = aws_kms_key.kms_key.id
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
+ # Allow full access to the key for administrators
+ {
+ Sid = "EnableIAMUserPermissions"
+ Effect = "Allow"
+ Principal = {
+ AWS = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ Action = "kms:*"
+ Resource = "*"
+ },
+
+ # Allow CloudWatch Logs to use the key
 {
+ Sid = "AllowCloudWatchLogsUsage"
 Effect = "Allow"
 Principal = {
 Service = "logs.amazonaws.com"