{
"Sid": "Allow users or roles to use KMS to DynamoDB.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account id>:<users or roles>/<users or roles name>"
},
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>"
}