diff --git a/builtin/providers/aws/resource_aws_kms_key.go b/builtin/providers/aws/resource_aws_kms_key.go
index 2066839b7..90294dc87 100644
--- a/builtin/providers/aws/resource_aws_kms_key.go
+++ b/builtin/providers/aws/resource_aws_kms_key.go
@@ -46,9 +46,10 @@ func resourceAwsKmsKey() *schema.Resource {
 },
 },
 "policy": &schema.Schema{
- Type: schema.TypeString,
- Optional: true,
- Computed: true,
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ StateFunc: normalizeJson,
 },
 "deletion_window_in_days": &schema.Schema{
 Type: schema.TypeInt,
@@ -85,24 +86,24 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
 if err != nil {
 return err
 }
- return resourceAwsKmsKeyReadResult(d, resp.KeyMetadata)
+
+ d.SetId(*resp.KeyMetadata.KeyId)
+
+ return resourceAwsKmsKeyRead(d, meta)
 }
 func resourceAwsKmsKeyRead(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*AWSClient).kmsconn
- keyId := d.Get("key_id").(string)
 req := &kms.DescribeKeyInput{
- KeyId: aws.String(keyId),
+ KeyId: aws.String(d.Id()),
 }
 resp, err := conn.DescribeKey(req)
 if err != nil {
 return err
 }
- return resourceAwsKmsKeyReadResult(d, resp.KeyMetadata)
-}
+ metadata := resp.KeyMetadata
-func resourceAwsKmsKeyReadResult(d *schema.ResourceData, metadata *kms.KeyMetadata) error {
 d.SetId(*metadata.KeyId)
 d.Set("arn", metadata.Arn)
@@ -110,6 +111,16 @@ func resourceAwsKmsKeyReadResult(d *schema.ResourceData, metadata *kms.KeyMetada
 d.Set("description", metadata.Description)
 d.Set("key_usage", metadata.KeyUsage)
+ p, err := conn.GetKeyPolicy(&kms.GetKeyPolicyInput{
+ KeyId: metadata.KeyId,
+ PolicyName: aws.String("default"),
+ })
+ if err != nil {
+ return err
+ }
+
+ d.Set("policy", normalizeJson(*p.Policy))
+
 return nil
 }
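Review bot: The `policy` entry in resourceAwsKmsKey gains `StateFunc: normalizeJson` but still has no validation, so a malformed policy document is first seen by normalizeJson itself. That helper is defined outside this diff; if it returns a placeholder string instead of failing on input it cannot parse (worth confirming), that string would be written to state here and by `d.Set("policy", normalizeJson(*p.Policy))` in the read path, and in resourceAwsKmsKeyPolicyUpdate `Policy: aws.String(normalizeJson(policy))` would submit it to PutKeyPolicy as the key policy. Adding a `ValidateFunc` to this schema entry that rejects anything that does not parse as JSON would stop a bad document at plan time, before any of the three call sites runs.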
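Review bot: Nothing in the visible part of resourceAwsKmsKeyRead inspects `metadata.KeyState`, so a key that was scheduled for deletion outside Terraform still refreshes as a healthy resource, because DescribeKey keeps answering for it during the waiting period. Anything that encrypts under this key would then keep doing so until the key disappears. One option is to treat such a key as gone right after `metadata := resp.KeyMetadata`: `if metadata.KeyState != nil && *metadata.KeyState == kms.KeyStatePendingDeletion { d.SetId(""); return nil }`. The function body continues past this hunk (one line between the hunks is not shown), so confirm no such check already exists there.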
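Review bot: `*p.Policy` is dereferenced without a nil check in the added policy read, and a GetKeyPolicy failure is returned bare. Refresh now needs kms:GetKeyPolicy in addition to kms:DescribeKey, so a principal that has only the latter gets an error that does not say which key or which call was refused. Wrapping it, for example `return fmt.Errorf("reading policy of KMS key %s: %s", d.Id(), err)` (assuming `fmt` is imported in this file), and guarding with `if p.Policy == nil` before the `d.Set` would make that failure diagnosable and avoid a panic on an empty response. The return value of `d.Set("policy", ...)` is also dropped; checking it would surface a state-write failure instead of silently losing the policy from drift detection.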
@@ -151,7 +162,7 @@ func resourceAwsKmsKeyPolicyUpdate(conn *kms.KMS, d *schema.ResourceData) error
 req := &kms.PutKeyPolicyInput{
 KeyId: aws.String(keyId),
- Policy: aws.String(policy),
+ Policy: aws.String(normalizeJson(policy)),
 PolicyName: aws.String("default"),
 }
 _, err := conn.PutKeyPolicy(req)