"Policy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"auto-acm-3\",\n \"Statement\" : [ {\n \"Sid\" : \"Allow creation of decryption grants\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:CreateGrant\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n },\n \"ForAllValues:StringEquals\" : {\n \"kms:GrantOperations\" : \"Decrypt\"\n },\n \"Bool\" : {\n \"kms:GrantIsForAWSResource\" : \"true\"\n }\n }\n }, {\n \"Sid\" : \"Allow creation of encryption grant\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:CreateGrant\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n },\n \"ForAllValues:StringEquals\" : {\n \"kms:GrantOperations\" : [ \"Encrypt\", \"ReEncryptFrom\", \"ReEncryptTo\" ]\n },\n \"Bool\" : {\n \"kms:GrantIsForAWSResource\" : \"true\"\n }\n }\n }, {\n \"Sid\" : \"Allowed operations for the key owner\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : [ \"kms:DescribeKey\", \"kms:ListGrants\", \"kms:RevokeGrant\", \"kms:GetKeyPolicy\" ],\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\"\n }\n }\n }, {\n \"Sid\" : \"Deny re-encryption to any other key\",\n \"Effect\" : \"Deny\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:ReEncrypt*\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"Bool\" : {\n \"kms:ReEncryptOnSameKey\" : \"false\"\n }\n }\n } ]\n}",