diff --git a/README.md b/README.md
index 2dedbaf..7897915 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ go test -count 1 -v .
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.13.1 |
+| [aws](#provider\_aws) | 5.42.0 |
## Modules
@@ -46,6 +46,8 @@ go test -count 1 -v .
| [kms\_key\_alias\_name\_prefix](#input\_kms\_key\_alias\_name\_prefix) | Prefix for KMS key alias. | `string` | n/a | yes |
| [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Waiting period for scheduled KMS Key deletion. Can be 7-30 days. | `number` | `7` | no |
| [kms\_key\_description](#input\_kms\_key\_description) | Description for the KMS key. | `string` | `""` | no |
+| [kms\_key\_policy\_default\_identities](#input\_kms\_key\_policy\_default\_identities) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
+| [kms\_key\_policy\_default\_services](#input\_kms\_key\_policy\_default\_services) | A list of services that will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
## Outputs
diff --git a/main.tf b/main.tf
index ca51d48..91404cc 100644
--- a/main.tf
+++ b/main.tf
@@ -39,9 +39,18 @@ data "aws_iam_policy_document" "kms_access" {
sid = "KMS Key Default"
principals {
type = "AWS"
- identifiers = [
- "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
- ]
+ identifiers = concat(
+ ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"],
+ var.kms_key_policy_default_identities
+ )
+ }
+
+ dynamic "principals" {
+ for_each = length(var.kms_key_policy_default_services) > 0 ? [1] : []
+ content {
+ type = "Service"
+ identifiers = var.kms_key_policy_default_services
+ }
}
actions = [
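Review bot: The new `dynamic "principals"` block puts the `Service` principals into the same `KMS Key Default` statement as the account-root and IAM ARNs, so the services receive the statement's actions (the README in this commit documents them as `kms:*`) with no `condition` limiting which account's resources may invoke the service against this key; for a service principal that is the classic confused-deputy gap, and the usual mitigation is a `condition` on `aws:SourceAccount` (or `aws:SourceArn`). That condition cannot simply be appended to this statement, because the key is absent on direct calls by the `AWS` principals and a `StringEquals` test would then deny them, so the service grant belongs in its own `dynamic "statement"` placed after this statement closes. The `dynamic "principals"` block at lines 36–41 would be dropped in favour of the statement below; the actions and resources it should repeat are outside this hunk, and the enclosing `data "aws_iam_policy_document" "kms_access"` both starts and ends outside it. Services that do not populate `aws:SourceAccount` would be denied by this condition, so which services the module is expected to support should be confirmed before adopting it.
```hcl
  # … unchanged: statement "KMS Key Default" with the concat()'d AWS principals, closed …

  dynamic "statement" {
    for_each = length(var.kms_key_policy_default_services) > 0 ? [1] : []
    content {
      sid = "KMS Key Default Services"
      principals {
        type        = "Service"
        identifiers = var.kms_key_policy_default_services
      }
      # … unchanged: same actions / resources as the "KMS Key Default" statement …
      condition {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = [data.aws_caller_identity.current.account_id]
      }
    }
  }
```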
diff --git a/variables.tf b/variables.tf
index 0cf5469..c42d7dd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,18 @@ variable "key_owners" {
default = []
}
+variable "kms_key_policy_default_identities" {
+ description = "A list of IAM ARNs for those who will have full key permissions (`kms:*`)"
+ type = list(string)
+ default = []
+}
+
+variable "kms_key_policy_default_services" {
+ description = "A list of services that will have full key permissions (`kms:*`)"
+ type = list(string)
+ default = []
+}
+
variable "kms_key_description" {
description = "Description for the KMS key."
type = string
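Review bot: `kms_key_policy_default_identities` and `kms_key_policy_default_services` are typed only as `list(string)`, so a value such as `"*"` passes straight into the `AWS` principal list of a statement the README documents as granting `kms:*`, where it means every AWS account rather than a misconfiguration that fails at plan time. A `validation` block on each variable would reject that class of input before apply; for the identities something like `condition = alltrue([for a in var.kms_key_policy_default_identities : can(regex("^arn:[^:]+:(iam|sts)::[0-9]{12}:", a))])` with an `error_message` naming the expected principal ARN form, and for the services a check that each entry looks like a service principal (for example ends in `.amazonaws.com`, widened if partitions other than the commercial one are in scope, which the module's use of `data.aws_partition` suggests). Whether `sts` assumed-role ARNs should be accepted depends on how callers use the module, so the regex above is a starting point to confirm rather than a fixed rule.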