diff --git a/modules/webhook/direct/README.md b/modules/webhook/direct/README.md
index be9390c3..a07567bb 100644
--- a/modules/webhook/direct/README.md
+++ b/modules/webhook/direct/README.md
@@ -24,6 +24,7 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
diff --git a/modules/webhook/direct/webhook.tf b/modules/webhook/direct/webhook.tf
index 9fd24e3d..77ecbb8d 100644
--- a/modules/webhook/direct/webhook.tf
+++ b/modules/webhook/direct/webhook.tf
@@ -117,7 +117,15 @@ resource "aws_iam_role_policy" "webhook_sqs" {
 policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
 sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
- kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+ })
+}
+
+resource "aws_iam_role_policy" "webhook_kms" {
+ name = "kms-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+ kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
 })
 }
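Review bot: The new `webhook_kms` resource is attached to `aws_iam_role.webhook_lambda` unconditionally, and when `var.config.kms_key_arn` is null it grants `kms:Decrypt`/`kms:GenerateDataKey` on the placeholder `arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE`, which is not a KMS key ARN, so the role always carries an inline policy whose only resource is a synthetic ARN that IAM may or may not accept. The module already gates an optional policy with a count in the `xray` resource of modules/webhook/eventbridge/webhook.tf (`count = var.config.tracing_config.mode != null ? 1 : 0`), and the same shape fits here: `count = var.config.kms_key_arn != null ? 1 : 0` on `webhook_kms`, with `kms_key_arn = var.config.kms_key_arn` and no fallback, so the role only holds KMS grants when a CMK is actually configured. The same placeholder pattern is in the `dispatcher_kms` hunk of modules/webhook/eventbridge/dispatcher.tf and the `webhook_kms` hunk of modules/webhook/eventbridge/webhook.tf. The trailing context lines of this hunk appear to have been lost in extraction, so the resource that follows `webhook_sqs` is not visible here.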
@@ -128,7 +136,6 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
 policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
 sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
- kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
 })
 }
diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
index 6426772d..c47a8863 100644
--- a/modules/webhook/eventbridge/README.md
+++ b/modules/webhook/eventbridge/README.md
@@ -30,11 +30,13 @@ No modules.
 | [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.dispatcher_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.dispatcher_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
index 93d9af84..19016091 100644
--- a/modules/webhook/eventbridge/dispatcher.tf
+++ b/modules/webhook/eventbridge/dispatcher.tf
@@ -116,7 +116,15 @@ resource "aws_iam_role_policy" "dispatcher_sqs" {
 policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
 sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
- kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+ })
+}
+
+resource "aws_iam_role_policy" "dispatcher_kms" {
+ name = "kms-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+ kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
 })
 }
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
index 7c47a5d1..e914dd4a 100644
--- a/modules/webhook/eventbridge/webhook.tf
+++ b/modules/webhook/eventbridge/webhook.tf
@@ -127,6 +127,15 @@ resource "aws_iam_role_policy" "webhook_ssm" {
 })
 }
+resource "aws_iam_role_policy" "webhook_kms" {
+ name = "kms-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-kms.json", {
+ kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : "arn:${var.config.aws_partition}:kms:::CMK_NOT_IN_USE"
+ })
+}
+
 resource "aws_iam_role_policy" "xray" {
 count = var.config.tracing_config.mode != null ? 1 : 0
 name = "xray-policy"
diff --git a/modules/webhook/policies/lambda-kms.json b/modules/webhook/policies/lambda-kms.json
new file mode 100644
index 00000000..65c0d3aa
--- /dev/null
+++ b/modules/webhook/policies/lambda-kms.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
+ ],
+ "Resource": "${kms_key_arn}"
+ }
+ ]
+}
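Review bot: `role = aws_iam_role.webhook_lambda.name` in the new `dispatcher_kms` resource attaches the KMS grant to the webhook role rather than the dispatcher role, which looks like a copy of the `webhook_kms` block rather than the intended target. Because `webhook_kms` in modules/webhook/eventbridge/webhook.tf also uses `name = "kms-policy"` on the same `aws_iam_role.webhook_lambda`, two Terraform resources would manage one inline policy on that role, while the dispatcher Lambda (whose `dispatcher_sqs` policy this hunk edits, and which is the one publishing to the queues) would be left without `kms:GenerateDataKey`/`kms:Decrypt`. The sibling `dispatcher_*` policies presumably attach to `aws_iam_role.dispatcher_lambda`, which the module README lists; I'd expect `role = aws_iam_role.dispatcher_lambda.name` here. The `dispatcher_sqs` resource begins outside the hunk, so its `role` line is not visible to confirm.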
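Review bot: The statement in lambda-kms.json allows `kms:Decrypt` and `kms:GenerateDataKey` on the key with no condition, although the grant appears to exist only so the Lambda can publish to SSE-KMS SQS queues (these are the same actions this change removes from lambda-publish-sqs-policy.json). A `kms:ViaService` condition would bind use of the key to the SQS service rather than letting the role use it directly, e.g. `"Condition": { "StringEquals": { "kms:ViaService": "sqs.<REGION>.amazonaws.com" } }` with the region supplied by the module (`<REGION>` is a placeholder; the page does not show a region variable). Unlike the `%{ if kms_key_arn != "" ~}` guard in the old template, this file renders the statement unconditionally, so any gating on an absent CMK has to happen in the Terraform resources that call `templatefile` on it.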
diff --git a/modules/webhook/policies/lambda-publish-sqs-policy.json b/modules/webhook/policies/lambda-publish-sqs-policy.json
index 6878ea12..03156087 100644
--- a/modules/webhook/policies/lambda-publish-sqs-policy.json
+++ b/modules/webhook/policies/lambda-publish-sqs-policy.json
@@ -5,16 +5,6 @@
 "Effect": "Allow",
 "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
 "Resource": ${sqs_resource_arns}
- %{ if kms_key_arn != "" ~}
- },
- {
- "Effect": "Allow",
- "Action": [
- "kms:Decrypt",
- "kms:GenerateDataKey"
- ],
- "Resource": "${kms_key_arn}"
- %{ endif ~}
 }
 ]
 }