diff --git a/terraform/account/kms.tf b/terraform/account/kms.tf index e0eefee349..1688494aca 100644 --- a/terraform/account/kms.tf +++ b/terraform/account/kms.tf @@ -206,29 +206,16 @@ data "aws_iam_policy_document" "event_receiver_kms" { } statement { - sid = "Key Administrator" + sid = "Enable Root account permissions on Key" effect = "Allow" + actions = ["kms:*"] resources = ["*"] - actions = [ - "kms:Create*", - "kms:Describe*", - "kms:Enable*", - "kms:List*", - "kms:Put*", - "kms:Update*", - "kms:Revoke*", - "kms:Disable*", - "kms:Get*", - "kms:Delete*", - "kms:TagResource", - "kms:UntagResource", - "kms:ScheduleKeyDeletion", - "kms:CancelKeyDeletion" - ] principals { - type = "AWS" - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/breakglass"] + type = "AWS" + identifiers = [ + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root", + ] } } }
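Review bot: The new statement grants `kms:*` to the account root principal, which is the AWS pattern that delegates control of the key to IAM policies — so every IAM principal in this account whose identity policy allows `kms:Decrypt`, `kms:ScheduleKeyDeletion` or `kms:PutKeyPolicy` on `*` now has that access to this key, whereas the removed statement deliberately limited the `breakglass` role to administrative actions and excluded cryptographic operations. If the intent is only to avoid an unmanageable key rather than to open the key to IAM-based access, it would be safer to keep the narrow administrator statement alongside the root statement and to call this out, e.g. above `statement {`: `# Root delegation: access to this key is governed by IAM policies in this account — keep kms:* grants in IAM policies narrow.`. Note that the `breakglass` role's explicit key-policy path is gone; if that role still needs to administer the key, its access now depends entirely on its IAM policy, which this diff does not show. The `event_receiver_kms` policy document and its other statements begin outside this hunk, so whether any other statement still restricts use of the key cannot be confirmed from here.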