diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
index 8fe8ace39..b4e9b27a1 100644
--- a/terraform/account-wide-infrastructure/dev/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
 Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
 Resource = "*"
 },
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ Resource = "*"
+ },
 ]
 })
 }
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
index 05cd010fd..e86fed016 100644
--- a/terraform/account-wide-infrastructure/prod/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
 Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
 Resource = "*"
 },
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ Resource = "*"
+ },
 ]
 })
 }
diff --git a/terraform/account-wide-infrastructure/test/aws-backup.tf b/terraform/account-wide-infrastructure/test/aws-backup.tf
index f4aec0652..7bd80f364 100644
--- a/terraform/account-wide-infrastructure/test/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/test/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
 Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
 Resource = "*"
 },
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ Resource = "*"
+ },
 ]
 })
 }
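Review bot: The statement added to the `backup_notifications` key policy in dev lets the `backup.amazonaws.com` service principal use `kms:GenerateDataKey*` and `kms:Decrypt` with no `Condition`, so nothing in the policy ties the grant to requests made on behalf of this account; the prod and test hunks add the same unscoped statement. If AWS Backup populates the source context keys for this call (confirm in dev before rolling to prod), scope it with `Condition = { StringEquals = { "aws:SourceAccount" = "<ACCOUNT_ID>" } }` to close the cross-service confused-deputy gap. `Resource = "*"` is the normal form inside a key policy and needs no change. The resource block and its earlier statements begin outside the hunk, so whether sibling statements already carry such a condition cannot be seen from here.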