diff --git a/infrastructure/sandbox/PreProvisioner/main.tf b/infrastructure/sandbox/PreProvisioner/main.tf
index f196c79312..5a86aaaca6 100644
--- a/infrastructure/sandbox/PreProvisioner/main.tf
+++ b/infrastructure/sandbox/PreProvisioner/main.tf
@@ -136,7 +136,7 @@ data "aws_iam_policy_document" "lambda" {
 "kms:GenerateDataKey*",
 "kms:Describe*"
 ]
-resources = [aws_kms_key.ecr.arn, var.kms_key.arn]
+resources = [aws_kms_key.ecr.arn, var.kms_key.arn, var.installer_kms_key.arn]
 }
 statement {
@@ -289,7 +289,7 @@ resource "aws_ecs_task_definition" "main" {
 },
 {
 name = "TF_VAR_kms_key_arn"
-value = var.kms_key.arn
+value = var.installer_kms_key.arn
 },
 {
 name = "TF_VAR_ecr_url"
diff --git a/infrastructure/sandbox/PreProvisioner/variables.tf b/infrastructure/sandbox/PreProvisioner/variables.tf
index 64e8585888..44a44ea341 100644
--- a/infrastructure/sandbox/PreProvisioner/variables.tf
+++ b/infrastructure/sandbox/PreProvisioner/variables.tf
@@ -8,6 +8,7 @@ variable "redis_cluster" {}
 variable "base_domain" {}
 variable "ecs_cluster" {}
 variable "kms_key" {}
+variable "installer_kms_key" {}
 variable "installer_bucket" {}
 variable "oidc_provider_arn" {}
 variable "oidc_provider" {}
diff --git a/infrastructure/sandbox/SharedInfrastructure/s3.tf b/infrastructure/sandbox/SharedInfrastructure/s3.tf
index 8f8708fc3e..4f10b98682 100644
--- a/infrastructure/sandbox/SharedInfrastructure/s3.tf
+++ b/infrastructure/sandbox/SharedInfrastructure/s3.tf
@@ -23,3 +23,12 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "installers" {
 output "installer_bucket" {
 value = aws_s3_bucket.installers
 }
+
+resource "aws_kms_key" "installers" {
+deletion_window_in_days = 10
+enable_key_rotation = true
+}
+
+output "installer_kms_key" {
+value = aws_kms_key.installers
+}
diff --git a/infrastructure/sandbox/main.tf b/infrastructure/sandbox/main.tf
index d6f1e2df12..acff8777ff 100644
--- a/infrastructure/sandbox/main.tf
+++ b/infrastructure/sandbox/main.tf
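Review bot: The `lambda` policy statement in the first hunk keeps `var.kms_key.arn` in `resources` even though the second hunk stops handing that key to the task as `TF_VAR_kms_key_arn`; if nothing the lambda still runs uses `var.kms_key`, the retained entry is a wider KMS grant than the code needs and should be dropped, leaving `resources = [aws_kms_key.ecr.arn, var.installer_kms_key.arn]`. Whether the ECS task defined in the second hunk executes under the role this `lambda` document is attached to is not visible here; if it runs under a separate task role, that role's policy also needs the same KMS actions on `var.installer_kms_key.arn`, or the installer run will be denied at the first `GenerateDataKey` call. Both the policy document and the task definition start and end outside these hunks.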
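Review bot: The new `aws_kms_key.installers` is declared but nothing in this hunk attaches it to the bucket: the `aws_s3_bucket_server_side_encryption_configuration "installers"` resource named in the hunk header is not modified, so the bucket's default encryption may still use its previous key while the pre-provisioner encrypts with this one — confirm that rule's `kms_master_key_id` is (or should be) `aws_kms_key.installers.arn`. The key also carries no `description`, which makes it indistinguishable from the other account keys in the console and in CloudTrail; `description = "Sandbox installer artifacts"` or similar is worth adding. `deletion_window_in_days = 10` is near the minimum, and objects encrypted under this key become unrecoverable once it is scheduled out, so the 30-day default is the safer choice unless fast teardown is a deliberate requirement.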
@@ -187,6 +187,7 @@ module "pre-provisioner" {
 prefix = local.prefix
 vpc = module.vpc
 kms_key = aws_kms_key.main
+installer_kms_key = module.SharedInfrastructure.installer_kms_key
 dynamodb_table = aws_dynamodb_table.lifecycle-table
 remote_state = module.remote_state
 mysql_secret = module.shared-infrastructure.mysql_secret
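Review bot: The added line references `module.SharedInfrastructure.installer_kms_key`, but three lines below the same block reads `module.shared-infrastructure.mysql_secret`; module references are case-sensitive, so unless a second module literally named `SharedInfrastructure` is declared elsewhere in this file (not visible here) this fails at plan time as an undeclared module. The `installer_kms_key` output added in this commit lives in the `SharedInfrastructure/` source directory, which is presumably what `module.shared-infrastructure` points at, so the line should most likely be `installer_kms_key = module.shared-infrastructure.installer_kms_key`. The `module "pre-provisioner"` block starts before the hunk and continues past it.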