AWS::KMS::Key:
  Properties: 
    Description: "\"Key Description\""
    Enabled: true
    EnableKeyRotation: true
    KeyPolicy: |
        { 
          "Id"            => "SharedKeyPolicy",
          "Version"       => "2012-10-17",
          "Statement"     => [
            {
              "Sid"       => "Allow access for Admin",
              "Effect"    => "Allow",
              "Principal" => {
                "AWS"     => "arn:aws:iam::ACCOUNT_ID:role/Administrator"
              },
              "Action"    => [
                "kms:*"
              ],
              "Resource"  => "*"
            },
            { 
              "Sid"       => "Allow access for Developers/Operators",
              "Effect"    => "Allow",
              "Principal" => {
                "AWS"     => "arn:aws:iam::ACCOUNT_ID:role/Developers"
              },
              "Action"    => [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateRandom",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ReEncrypt*",
                "kms:RetireGrant",
                "kms:RevokeGrant",
                "kms:CreateGrant"
              ],
              "Resource" => "*"
            }
          ]
        }