diff --git a/security/kms-key.yaml b/security/kms-key.yaml
index c7ced7dfe..0bff15b70 100644
--- a/security/kms-key.yaml
+++ b/security/kms-key.yaml
@@ -188,6 +188,7 @@ Resources:
 Service: 'cloudtrail.amazonaws.com'
 Action:
 - 'kms:GenerateDataKey*'
+ - 'kms:DescribeKey'
 Resource: '*'
 Condition:
 StringLike:
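Review bot: The added `- 'kms:DescribeKey'` inherits the `Condition: StringLike:` of this statement, whose condition key lies outside the hunk; if that key is `kms:EncryptionContext:aws:cloudtrail:arn`, as is usual next to `kms:GenerateDataKey*` for `cloudtrail.amazonaws.com`, the grant probably never matches, because a DescribeKey request carries no encryption context. In that case the action belongs in its own statement for the same service principal, scoped with `aws:SourceArn` (or `aws:SourceAccount`) rather than the encryption context, so the permission works and is still limited to this account's trails. The statement starts and ends outside the hunk, so the Effect and the full condition should be checked before merging. A short comment such as `# DescribeKey: lets CloudTrail validate the key when a trail is created or updated` would record why the action is needed.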