resource "aws_iam_policy" "kms_policy" {
  name        = "DSK_KeyManagementService"
  path        = "/"

  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "kms:Decrypt",
          "kms:GenerateDataKey"
        ],
        "Resource": [
          "arn:aws:kms:ap-northeast-2:508259851457:key/a48b1e88-a9bb-4d86-a481-ef54e2f40452"
        ]
      }
    ]
  })
}