{
    "Policy": "{\n  \"Version\" : \"2012-10-17\",\n  \"Id\" : \"auto-backup-1\",\n  \"Statement\" : [ {\n    \"Sid\" : \"Allow access through Backup for all principals in the account that are authorized to use Backup Storage\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"*\"\n    },\n    \"Action\" : [ \"kms:CreateGrant\", \"kms:Decrypt\", \"kms:GenerateDataKey*\" ],\n    \"Resource\" : \"*\",\n    \"Condition\" : {\n      \"StringEquals\" : {\n        \"kms:CallerAccount\" : \"433071079965\",\n        \"kms:ViaService\" : \"backup.ca-central-1.amazonaws.com\"\n      }\n    }\n  }, {\n    \"Sid\" : \"Allow direct access to key metadata to the account\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"arn:aws:iam::433071079965:root\"\n    },\n    \"Action\" : [ \"kms:Describe*\", \"kms:Get*\", \"kms:List*\", \"kms:RevokeGrant\" ],\n    \"Resource\" : \"*\"\n  } ]\n}"
}