diff --git a/modules/infrastructure/cloudtrail/kms.tf b/modules/infrastructure/cloudtrail/kms.tf
index b8231e2b..57279e18 100644
--- a/modules/infrastructure/cloudtrail/kms.tf
+++ b/modules/infrastructure/cloudtrail/kms.tf
@@ -21,7 +21,7 @@ data "aws_iam_policy_document" "cloudtrail_kms" {
 effect = "Allow"
 principals {
 # identifiers = ["arn:aws:iam::${data.aws_caller_identity.me.account_id}:root"]
- identifiers = ["*"]
+ identifiers = [data.aws_iam_policy_document.me.account_id, aws_s3_bucket.cloudtrail.arn]
 type = "AWS"
 }
 actions = ["kms:*"]
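Review bot: The new `identifiers` line references `data.aws_iam_policy_document.me.account_id`, but the `aws_iam_policy_document` data source exports no `account_id` attribute; the commented-out line just above it uses `data.aws_caller_identity.me`, which is presumably what was meant. The second entry, `aws_s3_bucket.cloudtrail.arn`, is not an IAM principal, and KMS normally rejects a key policy whose `AWS` principal is not an account, user or role, so the wildcard is gone but the statement will likely fail to plan or apply. I would write `identifiers = ["arn:aws:iam::${data.aws_caller_identity.me.account_id}:root"]` here and give CloudTrail its access in a separate statement with `type = "Service"` and `identifiers = ["cloudtrail.amazonaws.com"]`, limited to `kms:GenerateDataKey*` and `kms:DescribeKey` rather than the `kms:*` kept on the last line. The statement and the policy document begin and end outside this hunk, so any conditions or further statements are not visible here.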