diff --git a/README.md b/README.md index f10f5c5c4..56381a389 100644 --- a/README.md +++ b/README.md @@ -274,7 +274,7 @@ The difference between them and `staging` is that the promotion bucket `integrat #### Other Environments -Blah not in secure pipelines +The following accounts are not in secure pipelines. ###### Feature @@ -299,6 +299,15 @@ It has a GitHub Action [Deploy to the production preview environment](.github/wo The deployments use a special role in the _production preview_ environment, `dap-production-preview-deploy-role`, much like the role in _feature_. +#### Config for cross account data sync + +Because _production preview_ and _staging_ are used for cross account data sync, they have a single SSM parameter holding the name of the cross account data sync role. +They use this to allow access to their SQS queues and usage of their KMS keys to enable the cross account data sync process. + +| Name | Description | +|-----------------------------|--------------------------------------------------| +| CrossAccountDataSyncRoleARN | ARN of the role allowing cross account data sync | + ## Additional Documents For a guide to how and why certain development decisions, coding practices, etc. were made, please refer to the [Development Decisions document](docs/development-decisions.md). diff --git a/iac/main/base.yml b/iac/main/base.yml index 6532633ed..3ffbbcf5c 100644 --- a/iac/main/base.yml +++ b/iac/main/base.yml @@ -88,6 +88,9 @@ Conditions: IsProduction: !Equals [!Ref Environment, production] IsProductionPreview: !Equals [!Ref Environment, production-preview] IsNotProductionPreview: !Not [!Equals [!Ref Environment, production-preview]] + IsCrossAccountDataSyncEnvironment: !Or + - !Condition IsStaging + - !Condition IsProductionPreview UsePlaceholderTxMAQueue: !Or - !Condition IsTest - !Condition IsFeature diff --git a/iac/main/resources/event.yml b/iac/main/resources/event.yml index 6cf131d58..3650ca2bf 100644 --- a/iac/main/resources/event.yml 
+++ b/iac/main/resources/event.yml @@ -5,6 +5,28 @@ EventConsumerQueue: QueueName: !Sub ${Environment}-placeholder-txma-event-queue KmsMasterKeyId: !GetAtt KmsKey.Arn +EventConsumerQueuePolicy: + Type: AWS::SQS::QueuePolicy + Condition: IsCrossAccountDataSyncEnvironment + Properties: + PolicyDocument: + Version: 2012-10-17 + Statement: + - Sid: __owner_statement + Effect: Allow + Action: 'sqs:*' + Resource: !GetAtt EventConsumerQueue.Arn + Principal: + AWS: !Sub arn:aws:iam::${AWS::AccountId}:root + - Sid: __sender_statement + Effect: Allow + Action: sqs:SendMessage + Resource: !GetAtt EventConsumerQueue.Arn + Principal: + AWS: '{{resolve:ssm:CrossAccountDataSyncRoleARN}}' + Queues: + - !Ref EventConsumerQueue + EventConsumerLambda: # checkov:skip=CKV_AWS_116: DLQ not needed for lambda driven by SQS Type: AWS::Serverless::Function diff --git a/iac/main/resources/global.yml b/iac/main/resources/global.yml index 18fc6d17f..18c9c6965 100644 --- a/iac/main/resources/global.yml +++ b/iac/main/resources/global.yml @@ -326,6 +326,17 @@ KmsKey: - kms:GenerateDataKey* - kms:Describe* Resource: '*' + - Condition: IsCrossAccountDataSyncEnvironment + Effect: Allow + Principal: + AWS: '{{resolve:ssm:CrossAccountDataSyncRoleARN}}' + Action: + - kms:Encrypt* + - kms:Decrypt* + - kms:ReEncrypt* + - kms:GenerateDataKey* + - kms:Describe* + Resource: '*' KmsKeyAlias: Type: AWS::KMS::Alias
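Review bot: the new "Config for cross account data sync" README section says the SSM parameter holds the "name" of the cross account data sync role, while the table describes `CrossAccountDataSyncRoleARN` as the role's ARN; the templates use the value as an IAM principal, so it must be the full ARN. Suggest "a single SSM parameter holding the ARN of the cross account data sync role", and add a sentence on which account owns that role and who creates the parameter before a deploy, since nothing in this patch creates it.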
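Review bot: `IsCrossAccountDataSyncEnvironment` in `iac/main/base.yml` references `!Condition IsStaging`, which is not in the visible context of the `Conditions` block (only `IsProduction`, `IsProductionPreview` and `IsNotProductionPreview` are shown); confirm it is defined, otherwise template validation fails. A short comment above the condition noting that the SSM parameter `CrossAccountDataSyncRoleARN` must exist in every account where this condition is true would help, because both resources gated on it resolve that parameter at deploy time.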
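Review bot: in `EventConsumerQueuePolicy` the sender principal `'{{resolve:ssm:CrossAccountDataSyncRoleARN}}'` is an unversioned ssm dynamic reference, so the ARN is read only when the stack is created or updated; a later change to the parameter will not reach the queue policy until the next stack update, which should be documented or pinned with a parameter version. Two smaller points: quote the policy version (`Version: '2012-10-17'`) so YAML tooling does not read it as a timestamp, and `__owner_statement` grants `sqs:*` to the account root, which is the broadest owner grant possible; if only specific owner actions are needed, list them. Limiting the sender to `sqs:SendMessage` on the single queue ARN is the right scope.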
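Review bot: the `Condition: IsCrossAccountDataSyncEnvironment` key inside the new `KmsKey` policy statement in `iac/main/resources/global.yml` is not a CloudFormation condition; within a policy statement `Condition` is the IAM condition block, so this lands in the rendered key policy as an invalid condition, and the `{{resolve:ssm:CrossAccountDataSyncRoleARN}}` principal is resolved in every environment, including those where the parameter does not exist. Make the list element conditional instead, e.g. `- !If [IsCrossAccountDataSyncEnvironment, { Effect: Allow, Principal: { AWS: '{{resolve:ssm:CrossAccountDataSyncRoleARN}}' }, Action: [...], Resource: '*' }, !Ref AWS::NoValue]`, mirroring the resource-level `Condition` the queue policy in event.yml uses. Also consider whether the cross account role needs `kms:Encrypt*` and `kms:ReEncrypt*` when the queue policy only lets it send messages; the same narrowing applied there applies here.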