diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 727e21c..74f3751 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.74.1
+ rev: v1.76.0
hooks:
- id: terraform_fmt
- id: terraform_validate
diff --git a/README.md b/README.md
index 706a0a7..0eb426e 100644
--- a/README.md
+++ b/README.md
@@ -195,6 +195,7 @@ No modules.
| [key\_hmac\_users](#input\_key\_hmac\_users) | A list of IAM ARNs for [key HMAC users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| [key\_material\_base64](#input\_key\_material\_base64) | Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only | `string` | `null` | no |
| [key\_owners](#input\_key\_owners) | A list of IAM ARNs for those who will have full key permissions (`kms:*`) | `list(string)` | `[]` | no |
+| [key\_service\_principals](#input\_key\_service\_principals) | A map of IAM Services for [key principals](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html) | `map(any)` | `{}` | no |
| [key\_service\_users](#input\_key\_service\_users) | A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration) | `list(string)` | `[]` | no |
| [key\_symmetric\_encryption\_users](#input\_key\_symmetric\_encryption\_users) | A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto) | `list(string)` | `[]` | no |
| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT` | `string` | `null` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index b44867b..54119eb 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -48,6 +48,7 @@ Note that this example may create resources which will incur monetary charges on
|------|------|
| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index fd3807f..9f767c9 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -16,6 +16,8 @@ locals {
data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
################################################################################
# KMS Module
################################################################################
@@ -40,6 +42,20 @@ module "kms_complete" {
key_hmac_users = [local.current_identity]
key_asymmetric_public_encryption_users = [local.current_identity]
key_asymmetric_sign_verify_users = [local.current_identity]
+ key_service_principals = {
+ "aws-logs" = {
+ sid = "aws-logs"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+ principals = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+ }
+ }
# Aliases
aliases = ["one", "foo/bar"]
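Review bot: The `aws-logs` statement gives the regional CloudWatch Logs service principal unconditional use of the key, so any log group in the account (or one the service is tricked into acting for) can encrypt and decrypt with it; the policy AWS documents for this integration scopes the grant with an `ArnLike` condition on `kms:EncryptionContext:aws:logs:arn` limited to `arn:aws:logs:<region>:<account>:log-group:*`, which closes the confused-deputy case. As far as the `main.tf` hunk in this same change shows, the `key_service_principals` statement has no condition support, so the example cannot express that restriction yet. Until it can, the example should at least say so, e.g. `# NOTE: unconditioned service grant; AWS recommends an ArnLike condition on kms:EncryptionContext:aws:logs:arn` above the `"aws-logs"` entry, so readers do not copy it into production as-is. `resources = ["*"]` itself is fine here, since in a KMS key policy it refers only to the key being created.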
diff --git a/main.tf b/main.tf
index 6cce3c8..dc7a3a1 100644
--- a/main.tf
+++ b/main.tf
@@ -242,6 +242,21 @@ data "aws_iam_policy_document" "this" {
}
}
}
+
+ dynamic "statement" {
+ for_each = var.key_service_principals
+
+ content {
+ sid = statement.value.sid
+ actions = statement.value.actions
+ resources = statement.value.resources
+
+ principals {
+ type = "Service"
+ identifiers = statement.value.principals
+ }
+ }
+ }
}
################################################################################
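Review bot: The new dynamic statement exposes no way to attach a `condition` block, so every service principal added through `key_service_principals` gets an unconditioned grant; for service integrations AWS's guidance is to scope such statements (encryption-context, `aws:SourceAccount`/`aws:SourceArn`) precisely because the service acts on behalf of many callers. A nested `dynamic "condition"` driven by an optional `conditions` list keeps existing callers working and lets the statement be scoped; `try(statement.value.conditions, [])` is used rather than a direct attribute read so entries without it still work with the `map(any)` type. The enclosing `data "aws_iam_policy_document" "this"` starts before this hunk, so I cannot see whether the module's other dynamic statements already follow a `conditions` convention to mirror. The four attributes read at `statement.value.sid` etc. are also mandatory as written; a missing one fails at plan time with a generic "unsupported attribute" message, which the variable's description should at least spell out.

```hcl
    # … unchanged: sid / actions / resources and the Service principals block …

    # Optional: scope the service grant (e.g. ArnLike on
    # kms:EncryptionContext:aws:logs:arn, or aws:SourceAccount).
    dynamic "condition" {
      for_each = try(statement.value.conditions, [])

      content {
        test     = condition.value.test
        variable = condition.value.variable
        values   = condition.value.values
      }
    }
```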
diff --git a/variables.tf b/variables.tf
index c73d961..802f8ba 100644
--- a/variables.tf
+++ b/variables.tf
@@ -110,6 +110,12 @@ variable "key_users" {
default = []
}
+variable "key_service_principals" {
+ description = "A map of IAM Services for [key principals](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html)"
+ type = map(any)
+ default = {}
+}
+
variable "key_service_users" {
description = "A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration)"
type = list(string)
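Review bot: `type = map(any)` gives callers no indication of the shape each entry must have, and the description only says "A map of IAM Services", yet the consuming `dynamic "statement"` in `main.tf` reads `sid`, `actions`, `resources` and `principals` from every value. Terraform also has to unify all `map(any)` values to one object type, so two entries with differing nested attributes (say, one carrying an extra key) are rejected with a type-mismatch error rather than a message naming the missing field; a `map(object({...}))` type (with `optional()` attributes if the module already requires Terraform 1.3+) would report that directly. At minimum the description should document the contract, e.g. `description = "A map of statements granting AWS service principals access to the key ([key policy services](...)). Each value must set `sid`, `actions`, `resources` and `principals` (service DNS names such as `logs.<region>.amazonaws.com`); scope each grant with a condition where the service supports one"`.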