diff --git a/infra/airflow_dag_processor.tf b/infra/airflow_dag_processor.tf
index 9f5bf3c..f9cb663 100644
--- a/infra/airflow_dag_processor.tf
+++ b/infra/airflow_dag_processor.tf
@@ -224,6 +224,16 @@ data "aws_iam_policy_document" "airflow_team" {
     }
   }
 
+  dynamic "statement" {
+    for_each = length(var.airflow_dag_processors[count.index].keys) > 0 ? [1] : []
+    content {
+      actions = [
+        "kms:Decrypt",
+      ]
+      resources = var.airflow_dag_processors[count.index].keys
+    }
+  }
+
   statement {
     actions = [
       "logs:CreateLogGroup"
diff --git a/infra/main.tf b/infra/main.tf
index 0afb24e..776e861 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -180,7 +180,12 @@ variable "airflow_on" {
 variable "airflow_db_instance_class" {}
 variable "airflow_domain" {}
 variable "airflow_dag_processors" {
-  type = list(object({ name = string, assume_roles = list(string), buckets = list(string) }))
+  type = list(object({
+    name = string,
+    assume_roles = list(string),
+    buckets = list(string),
+    keys = list(string),
+  }))
   default = []
 }
 variable "airflow_bucket_infix" {}
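Review bot: The new `kms:Decrypt` statement grants the role direct use of the listed CMKs for any ciphertext, not just S3 objects; if the keys are there to read SSE-KMS objects in the `buckets` list (which is what the sibling attribute suggests, though the hunk does not say so), a `kms:ViaService` condition restricting the grant to S3 would close the direct-`kms:Decrypt` path without affecting bucket reads. Note also that `resources` is passed through unvalidated, so a `"*"` in `keys` would become a decrypt grant on every key the account can reach; the variable declaration in main.tf is the place to reject that. If the processors are also expected to write SSE-KMS objects, `kms:Decrypt` alone will not cover `PutObject` (`kms:GenerateDataKey` is needed) — worth confirming against the intended use. The enclosing `data "aws_iam_policy_document" "airflow_team"` block starts before and ends after this hunk.
```hcl
  dynamic "statement" {
    for_each = length(var.airflow_dag_processors[count.index].keys) > 0 ? [1] : []
    content {
      actions   = ["kms:Decrypt"]
      resources = var.airflow_dag_processors[count.index].keys

      # Only honour the grant when the call comes through S3 on this team's
      # behalf; blocks the role from calling kms:Decrypt directly on arbitrary
      # ciphertext encrypted under these keys.
      condition {
        test     = "StringLike"
        variable = "kms:ViaService"
        values   = ["s3.*.amazonaws.com"]
      }
    }
  }
```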
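Review bot: Adding `keys = list(string)` as a plain attribute makes it required, so every existing `airflow_dag_processors` entry in callers' tfvars that lacks `keys` now fails type validation at plan time; if the module targets Terraform 1.3 or later, `keys = optional(list(string), [])` keeps old inputs working and the `length(...) > 0` guard in airflow_dag_processor.tf already handles the empty default. Since the values become IAM `resources` for a decrypt grant, a `validation` block that rejects anything that is not a full KMS key ARN (in particular `"*"`) is cheap insurance against an over-broad policy slipping in through configuration. I cannot tell the pinned Terraform version from this hunk, so if `optional()` is unavailable the alternative is to document in a comment on the variable that `keys` must be supplied (as `[]` when unused).
```hcl
variable "airflow_dag_processors" {
  type = list(object({
    name         = string,
    assume_roles = list(string),
    buckets      = list(string),
    # KMS key ARNs the processor role may use for kms:Decrypt; empty = no grant.
    keys         = optional(list(string), []),
  }))
  default = []

  validation {
    condition = alltrue([
      for p in var.airflow_dag_processors : alltrue([
        for k in p.keys : can(regex("^arn:aws[a-z-]*:kms:", k))
      ])
    ])
    error_message = "Each entry in keys must be a full KMS key ARN; wildcards are not allowed."
  }
}
```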