diff --git a/.github/workflows/manual-terraform-plan.yaml b/.github/workflows/manual-terraform-apply.yaml similarity index 95% rename from .github/workflows/manual-terraform-plan.yaml rename to .github/workflows/manual-terraform-apply.yaml index 5fc47c39c..d81d2092e 100644 --- a/.github/workflows/manual-terraform-plan.yaml +++ b/.github/workflows/manual-terraform-apply.yaml @@ -1,4 +1,4 @@ -name: Manual Terraform Plan +name: Manual Terraform Apply on: workflow_dispatch: @@ -65,8 +65,8 @@ jobs: run: | mkdir -p ./build echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan args=\"-auto-approve\"" - make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE + make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan args=\"-auto-approve\"" - make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE + make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE working-directory: ./infrastructure diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf index 46e1d9e46..09cfcf6fc 100644 --- a/infrastructure/stacks/api-layer/iam_policies.tf +++ b/infrastructure/stacks/api-layer/iam_policies.tf @@ -150,7 +150,13 @@ data "aws_iam_policy_document" "dynamodb_kms_key_policy" { type = "AWS" identifiers = [aws_iam_role.eligibility_lambda_role.arn] } - actions = ["kms:Decrypt"] + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ] resources = ["*"] } }
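Review bot: The two `echo "Running: …"` lines in the `run:` step still print `tf-command=plan args="-auto-approve"`, while the commands after them now run `tf-command=apply` and pass no `args`, so the job log misreports what was executed against the environment. For an apply workflow that log is part of the audit trail; make each echo match its command, e.g. `echo "Running: make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE"`. Because the rename replaces the manual plan workflow, nothing visible shows a plan being reviewed before the apply; the job header is outside the hunk, so confirm the job is bound to a protected `environment:` with required reviewers. `$ENVIRONMENT` and `$WORKSPACE` are also expanded unquoted; if they come from dispatch inputs, quoting them (`env="$ENVIRONMENT"`) stops a value from word-splitting into extra make arguments.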
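Review bot: The widened `actions` list lets `eligibility_lambda_role` call Encrypt, ReEncrypt and GenerateDataKey on this key directly, not only through DynamoDB, and the visible part of the statement carries no `condition`. If the role only uses the key through table reads and writes, scope the grant with a `kms:ViaService` condition as sketched below; the statement opens above the hunk, so check that one is not already present. If the Lambda only reads the table, `kms:Decrypt` plus `kms:DescribeKey` may be sufficient and the write-side actions could be dropped, which should be confirmed against what the function does. Assuming this document is attached as the key policy, `resources = ["*"]` refers only to that key and is expected.

```hcl
    resources = ["*"]
    # Constructed example: replace <REGION> with the stack's own region expression.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["dynamodb.<REGION>.amazonaws.com"]
    }
```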