diff --git a/README.md b/README.md
index 736147e..e658362 100644
--- a/README.md
+++ b/README.md
@@ -47,9 +47,9 @@ Please contact your Engagement Manager if you have an existing CloudTrail with a
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.1.0 |
-| [aws](#requirement\_aws) | >= 4.0.0 |
-| [random](#requirement\_random) | >= 3.1.3 |
+| [terraform](#requirement\_terraform) | ~> 1.1 |
+| [aws](#requirement\_aws) | ~> 4.7 |
+| [random](#requirement\_random) | ~> 3.1 |
## Inputs
| Name | Description | Type | Default | Required |
@@ -66,7 +66,7 @@ Please contact your Engagement Manager if you have an existing CloudTrail with a
| [existing\_cloudtrail\_bucket\_name](#input\_existing\_cloudtrail\_bucket\_name) | The name of the existing bucket connected to the existing CloudTrail | `string` | `null` | no |
| [existing\_cloudtrail\_kms\_key\_arn](#input\_existing\_cloudtrail\_kms\_key\_arn) | The ARN of the KMS key used to encrypt existing CloudTrail bucket | `string` | `null` | no |
| [existing\_cloudtrail\_log\_bucket\_account\_id](#input\_existing\_cloudtrail\_log\_bucket\_account\_id) | Account id of AWS account where the existing cloudtrail log bucket is created. This is where the new SQS queue will be created | `string` | `null` | no |
-| [existing\_notification\_kms\_key\_arn](#input\_existing\_notification\_kms\_key\_arn) | The ARN of the KMS key used to encrypt new SQS/SNS. If provided, please add key policy to enable IAM permission for the key from the log bucket account | `string` | `null` | no |
+| [existing\_notification\_kms\_key\_arn](#input\_existing\_notification\_kms\_key\_arn) | The ARN of the KMS key used to encrypt new SQS/SNS. If provided, please add key policies to enable IAM permission for the account root, and allow `kms:GenerateDataKey` & `kms:Decrypt` actions to log bucket (principal:s3.amazonaws.com) & sns topic (principal:sns.amazonaws.com). | `string` | `null` | no |
| [existing\_sns\_topic\_arn](#input\_existing\_sns\_topic\_arn) | The ARN of the existing SNS Topic configured to be notified by the existing CloudTrail bucket. The S3 bucket notification configuration must have the s3:ObjectCreated:* event type checked. | `string` | `null` | no |
| [expel\_assume\_role\_name](#input\_expel\_assume\_role\_name) | The role name Expel will assume when authenticating. | `string` | `"ExpelTrailAssumeRole"` | no |
| [expel\_assume\_role\_session\_name](#input\_expel\_assume\_role\_session\_name) | The session name Expel will use when authenticating. | `string` | `"ExpelCloudTrailServiceSession"` | no |
@@ -101,6 +101,7 @@ Please contact your Engagement Manager if you have an existing CloudTrail with a
| [aws_iam_role_policy_attachment.log_bucket_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kms_key.cloudtrail_bucket_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.notification_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key_policy.existing_notification_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |
| [aws_s3_bucket.cloudtrail_access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.cloudtrail_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_logging.cloudtrail_bucket_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
@@ -124,6 +125,7 @@ Please contact your Engagement Manager if you have an existing CloudTrail with a
| [aws_iam_policy_document.cloudtrail_bucket_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudtrail_key_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cloudtrail_manager_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.existing_notification_key_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.log_bucket_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.mgmt_assume_role_iam_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.notification_key_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/terraform.tf b/terraform.tf
index e7cba67..41e8ad5 100644
--- a/terraform.tf
+++ b/terraform.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = "~> 4.7"
# For new & existing cloudtrail with resources in single aws account, set the log_bucket alias to default aws provider.
# For existing cloudtrail with resources in different aws accounts, create an aws provider for the log_bucket account & pass it's alias.
# See examples for reference.
@@ -11,8 +11,8 @@ terraform {
random = {
source = "hashicorp/random"
- version = ">= 3.1.3"
+ version = "~> 3.1"
}
}
- required_version = ">= 1.1.0"
+ required_version = "~> 1.1"
}
diff --git a/variables.tf b/variables.tf
index 9a12e83..679695a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -96,7 +96,7 @@ variable "existing_cloudtrail_kms_key_arn" {
}
variable "existing_notification_kms_key_arn" {
- description = "The ARN of the KMS key used to encrypt new SQS/SNS. If provided, please add key policy to enable IAM permission for the key from the log bucket account"
+ description = "The ARN of the KMS key used to encrypt new SQS/SNS. If provided, please add key policies to enable IAM permission for the account root, and allow `kms:GenerateDataKey` & `kms:Decrypt` actions to log bucket (principal:s3.amazonaws.com) & sns topic (principal:sns.amazonaws.com)."
type = string
default = null
}
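Review bot: The new description still instructs the operator to add the key policies themselves, yet the README hunk in this same commit lists a new `aws_kms_key_policy.existing_notification_key_policy` resource and a matching policy document data source, so it is unclear which side owns the policy on a caller-supplied key; the description should say what the module writes to the key and what, if anything, remains the operator's job. Because a KMS key has a single policy document, a module-managed policy on an existing customer key presumably replaces whatever statements were already there (the resource definition is not in this diff, so this is inferred), which is worth stating in the description so operators are not surprised by lost grants. The recommended `kms:GenerateDataKey`/`kms:Decrypt` grants to `s3.amazonaws.com` and `sns.amazonaws.com` are described without any scoping condition; the description should advise restricting them with `aws:SourceAccount` and `aws:SourceArn` (or `kms:ViaService`) so the service principals can only use the key on behalf of this bucket and topic. The `variable` block is complete within the hunk.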