{
"Sid": "Allow users or roles to use KMS to S3.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account id>:<users or roles>/<users or roles name>"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*",
],
"Resource": "arn:aws:kms:<region code>:<account id>:key/<kms key id>"
}