Sign in to the AWS Management Console and open the AWS Identity and Access Management (IAM) console, then follow the steps below.

Procedure

  1. In the left navigation pane, choose Encryption keys.
  2. For Region, choose the appropriate AWS Region.
  3. Choose the alias of the CMK whose key policy document you want to edit.
  4. On the Key Policy line, choose Switch to policy view.

  5. Add the following statement to the key policy.

       {
         "Sid": "Allow SNS to use CMK",
         "Effect": "Allow",
         "Principal": {
           "Service": "sns.amazonaws.com"
         },
         "Action": [
           "kms:GenerateDataKey*",
           "kms:Decrypt"
         ],
         "Resource": "*"
       }
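
Step 5 adds a statement to whatever the key policy already holds; saving a policy that contains only the new statement would drop the existing grants. The Python below is an added example, not part of the original procedure: it merges the statement into an existing policy document and leaves the other statements untouched. The function names and the sample policy (including the account ID) are constructed for illustration.

```python
import copy
import json

# The statement from step 5 of the procedure above.
SNS_STATEMENT = {
    "Sid": "Allow SNS to use CMK",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*",
}

def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    value = [] if value is None else value
    return value if isinstance(value, list) else [value]

def sns_allowed_actions(policy):
    """Return the exact action strings that Allow statements grant to SNS."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and "sns.amazonaws.com" in services:
            granted.update(_as_list(stmt.get("Action")))
    return granted

def add_sns_statement(policy):
    """Return a copy of the policy with the SNS statement appended if missing."""
    merged = copy.deepcopy(policy)
    merged["Statement"] = _as_list(merged.get("Statement"))
    if not set(SNS_STATEMENT["Action"]) <= sns_allowed_actions(merged):
        merged["Statement"].append(copy.deepcopy(SNS_STATEMENT))
    return merged

# Constructed sample: a key policy holding only an account-root statement.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    },
}

if __name__ == "__main__":
    print(json.dumps(add_sns_statement(EXISTING_POLICY), indent=2))
```

Running the merge a second time on its own output leaves the policy unchanged, so the check can be repeated before each save.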
