diff --git a/modules/scanning-delegate-role/main.tf b/modules/scanning-delegate-role/main.tf
index 1bba7024..ab4abcf2 100644
--- a/modules/scanning-delegate-role/main.tf
+++ b/modules/scanning-delegate-role/main.tf
@@ -205,19 +205,13 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" {
 resources = ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
 // The following conditions enforce that decrypt action
- // can only be performed on snapshots from calls by ebs API.
+ // can only be performed from calls by ebs API.
 condition {
 test = "ForAnyValue:StringEquals"
 variable = "kms:EncryptionContextKeys"
 values = ["aws:ebs:id"]
 }
- condition {
- test = "StringLike"
- variable = "kms:EncryptionContext:aws:ebs:id"
- values = ["snap-*"]
- }
-
 condition {
 test = "StringLike"
 variable = "kms:ViaService"
@@ -378,19 +372,13 @@ data "aws_iam_policy_document" "scanning_worker_policy_document" {
 resources = ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
 // The following conditions enforce that decrypt action
- // can only be performed on snapshots from calls by ebs API.
+ // can only be performed from calls by ebs API.
 condition {
 test = "ForAnyValue:StringEquals"
 variable = "kms:EncryptionContextKeys"
 values = ["aws:ebs:id"]
 }
- condition {
- test = "StringLike"
- variable = "kms:EncryptionContext:aws:ebs:id"
- values = ["snap-*"]
- }
-
 condition {
 test = "StringLike"
 variable = "kms:ViaService"
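Review bot: Dropping the `kms:EncryptionContext:aws:ebs:id` = `snap-*` condition widens the statement from snapshot-keyed encryption contexts to any value EBS puts under `aws:ebs:id`, which as far as I know includes volume IDs, so the role can now decrypt data keys for volumes as well as snapshots against every key matched by the `key/*` resource wildcard; the remaining `kms:EncryptionContextKeys` and `kms:ViaService` conditions only pin the calling service, not the resource kind. The same widening is made in the second hunk for `scanning_worker_policy_document`. If the intent is that the delegate also scans volumes, the least-privilege form is to keep the condition and enumerate the allowed ID prefixes, e.g. keep `test = "StringLike"`, `variable = "kms:EncryptionContext:aws:ebs:id"` and change only `values = ["snap-*", "vol-*"]`, and say so in the comment: `// can only be performed on EBS snapshots or volumes from calls by ebs API.`. If it is not intended, the removal should be reverted. The statement's `actions` and `effect` lines lie outside the hunk, so the exact set of KMS actions this broadens is inferred, not visible here.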