diff --git a/aws/components/topic/state.ftl b/aws/components/topic/state.ftl
index 4108b2ae..bf6d49c3 100644
--- a/aws/components/topic/state.ftl
+++ b/aws/components/topic/state.ftl
@@ -40,7 +40,10 @@
                     "publish" : [snsPublishPermission(topicId)] +
                                 (solution.Encrypted)?then(
                                     snsEncryptionStatement(
-                                        [ "kms:GenerateDataKey*" ],
+                                        [
+                                            "kms:GenerateDataKey*",
+                                            "kms:Decrypt"
+                                        ],
                                         (baselineIds["Encryption"])!"",
                                         getExistingReference(topicId, REGION_ATTRIBUTE_TYPE)
                                     ),