ystoneman/kms_policy.json

## kms_policy.json
{
    "Id": "only-cloudwatch-logs",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-1.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:log-group:awesome-logs"
                }
            }
        }
    ]
}
	{
	"Id": "only-cloudwatch-logs",
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "Enable IAM User Permissions",
	"Effect": "Allow",
	"Principal": {
	"AWS": "arn:aws:iam::123456789012:root"
	},
	"Action": "kms:*",
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Principal": {
	"Service": "logs.us-east-1.amazonaws.com"
	},
	"Action": [
	"kms:Encrypt*",
	"kms:Decrypt*",
	"kms:ReEncrypt*",
	"kms:GenerateDataKey*",
	"kms:Describe*"
	],
	"Resource": "*",
	"Condition": {
	"ArnEquals": {
	"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:log-group:awesome-logs"
	}
	}
	}
	]
	}