diff --git a/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf b/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
new file mode 100644
index 000000000..060fec1e2
--- /dev/null
+++ b/infrastructure/terraform/components/app/data_iam_roles_sso_readonly.tf
@@ -0,0 +1,4 @@
+data "aws_iam_roles" "sso_readonly" {
+ name_regex = "AWSReservedSSO_${var.project}-readonly_.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/${var.region}/"
+}
diff --git a/infrastructure/terraform/components/app/module_kms.tf b/infrastructure/terraform/components/app/module_kms.tf
index f9f8895f3..b7663669f 100644
--- a/infrastructure/terraform/components/app/module_kms.tf
+++ b/infrastructure/terraform/components/app/module_kms.tf
@@ -112,6 +112,22 @@ data "aws_iam_policy_document" "kms" {
 }
 }

+ statement {
+ sid = "AllowSsoReadonlyDecrypt"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = [one(data.aws_iam_roles.sso_readonly.arns)]
+ }
+
+ actions = [
+ "kms:Decrypt",
+ ]
+
+ resources = ["*"]
+ }
+
 statement {
 sid = "AllowEventBridgeAccessToLetterValidationQueue"
 effect = "Allow"
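Review bot: The `name_regex` on the new data source is unanchored and interpolates `var.project` verbatim, so a project name containing regex metacharacters, or a sibling permission set whose name merely begins with `<project>-readonly_`, widens the match set and the downstream `one()` then fails on more than one ARN. Anchor it and constrain the suffix, e.g. `name_regex = "^AWSReservedSSO_${var.project}-readonly_[0-9a-f]+$"` (the suffix IAM Identity Center appends looks like lowercase hex — confirm against a real role name in the account). The `path_prefix` also keys the lookup on `var.region`, but the region segment of an SSO-provisioned role's path is the Identity Center home region, not necessarily the region this component deploys to; if those can differ, a comment such as `# path region is the IAM Identity Center home region, not the deployment region` and a dedicated variable would prevent a silent empty result.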
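Review bot: The new principal on the `identifiers` line pins the key policy to the concrete role ARN resolved at plan time, which is brittle for an SSO-provisioned role: if the permission set is re-provisioned the role is recreated under a new suffix, and IAM rewrites a principal whose role has been deleted to its opaque unique ID, so the grant is silently orphaned rather than following the role. The lookup also couples this key to provisioning order, since `one()` returns `null` on an empty result (permission set not yet provisioned, or Identity Center homed in a region other than `var.region`) and the plan then fails on a `[null]` principal. The usual fix is to grant to the account root with an `ArnLike` condition on `aws:PrincipalArn` matching the role-name pattern, which makes the `aws_iam_roles` data source unnecessary; with the root principal the permission set's own IAM policy must additionally allow `kms:Decrypt`, which is the stricter and generally intended behaviour for a key policy. The sketch below assumes the component already exposes the account ID through an `aws_caller_identity` data source — substitute whatever it actually uses. The enclosing `aws_iam_policy_document` "kms" block starts and ends outside the hunk.
```hcl
  statement {
    sid    = "AllowSsoReadonlyDecrypt"
    effect = "Allow"

    # Grant via the account root plus an ARN-pattern condition rather than
    # the resolved role ARN: SSO-provisioned roles are recreated with a new
    # suffix on re-provisioning, and a deleted principal pinned by ARN is
    # rewritten to its unique ID, orphaning the grant. With this form the
    # role's own IAM policy must also allow kms:Decrypt.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    actions   = ["kms:Decrypt"]
    resources = ["*"]

    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${var.region}/AWSReservedSSO_${var.project}-readonly_*"]
    }
  }
  # … unchanged: AllowEventBridgeAccessToLetterValidationQueue statement …
```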