diff --git a/template.yaml b/template.yaml
index 9f43853..ab1d17b 100644
--- a/template.yaml
+++ b/template.yaml
@@ -181,6 +181,14 @@ Resources:
                 - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
             Action: 'kms:*'
             Resource: '*'
+          - Effect: Allow
+            Principal:
+              Service:
+                -  cloudwatch.amazonaws.com
+            Action: 
+                - "kms:Decrypt"
+                - "kms:GenerateDataKey*"
+            Resource: '*'
 
 Outputs:
   WebApi: