diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index d5c75c505..137f02566 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -79,3 +79,12 @@ data "aws_ssm_parameter" "apim_url" {
 name = "/repo/${var.environment}/user-input/apim-api-url"
 }
+data "terraform_remote_state" "shared" {
+ backend = "s3"
+
+ config = {
+ bucket = local.shared_terraform_state_bucket
+ key = "env:/${var.shared_infra_workspace}/ndr/terraform.tfstate"
+ region = "eu-west-2"
+ }
+}
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
index 034ca4a08..6d58526be 100644
--- a/infrastructure/policies.tf
+++ b/infrastructure/policies.tf
@@ -121,7 +121,7 @@ resource "aws_iam_policy" "mtls_access_ssm_policy" {
 "kms:Decrypt",
 ],
 Resource = [
- module.pdm_encryption_key.kms_arn
+ local.common_name_kms_key_arn
 ]
 }
 ]
diff --git a/infrastructure/preprod.tfvars b/infrastructure/preprod.tfvars
index f5a253336..ed390e12d 100644
--- a/infrastructure/preprod.tfvars
+++ b/infrastructure/preprod.tfvars
@@ -1,4 +1,5 @@
 environment = "pre-prod"
+shared_infra_workspace = "pre-prod"
 owner = "nhse/ndr-team"
 domain = "national-document-repository.nhs.uk"
 certificate_domain = "pre-prod.national-document-repository.nhs.uk"
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
index 904e6ad97..7f5dc9a76 100644
--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
@@ -1,4 +1,5 @@
 environment = "prod"
+shared_infra_workspace = "prod"
 owner = "nhse/ndr-team"
 domain = "national-document-repository.nhs.uk"
 certificate_domain = "national-document-repository.nhs.uk"
diff --git a/infrastructure/test.tfvars b/infrastructure/test.tfvars
index cd2b7f2fc..390a8ccd6 100644
--- a/infrastructure/test.tfvars
+++ b/infrastructure/test.tfvars
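Review bot: `data.terraform_remote_state.shared` is evaluated on every run, but the only consumer this commit adds is the sandbox branch of `common_name_kms_key_arn` in variable.tf, so prod and pre-prod plans also need `s3:GetObject` on `env:/<workspace>/ndr/terraform.tfstate` and will fail if that object is unreadable; with the tfvars setting the workspace to the environment's own name, that key may even resolve to this stack's own state, which is worth confirming. A remote-state read returns the whole state of that workspace, not just one output, so anything sensitive stored in the shared workspace's state becomes readable to whoever can run a sandbox plan, and the executing role should hold read access to this key only. `region` is the one hard-coded value in the block while the bucket and key are derived; if the file already obtains the region elsewhere, use that. A header comment would make the dependency explicit: `# Reads the shared workspace's state (only sandboxes consume it) to obtain pdm_kms_key_arn; needs s3:GetObject on this key`.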
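Review bot: In sandboxes `local.common_name_kms_key_arn` now names a key created by the shared workspace rather than by this stack, and an identity-based `kms:Decrypt` grant only takes effect if that key's key policy also permits the principal (directly, or by delegating to IAM for the account), which nothing in this commit establishes; please confirm the shared key's policy and record it beside the Resource entry: `# In sandboxes this is the shared workspace's key; its key policy must also allow this role`. The local's name no longer says which key it refers to, whereas the removed line did, so `pdm_kms_key_arn` or similar would read better here and at its definition. The `aws_iam_policy` resource starts and ends outside the hunk.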
@@ -1,4 +1,5 @@
 environment = "test"
+shared_infra_workspace = "ndr-test"
 owner = "nhse/ndr-team"
 domain = "access-request-fulfilment.patient-deductions.nhs.uk"
 certificate_domain = "ndr-test.access-request-fulfilment.patient-deductions.nhs.uk"
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf
index 272a4cbfd..57e9f71e5 100644
--- a/infrastructure/variable.tf
+++ b/infrastructure/variable.tf
@@ -274,8 +274,10 @@ locals {
 apim_api_url = "https://${var.apim_environment}api.service.nhs.uk/national-document-repository/FHIR/R4"
- truststore_bucket_id = local.is_sandbox ? "ndr-dev-${var.truststore_bucket_name}" : module.ndr-truststore[0].bucket_id
- truststore_uri = "s3://${local.truststore_bucket_id}/${var.ca_pem_filename}"
+ truststore_bucket_id = local.is_sandbox ? "ndr-dev-${var.truststore_bucket_name}" : module.ndr-truststore[0].bucket_id
+ truststore_uri = "s3://${local.truststore_bucket_id}/${var.ca_pem_filename}"
+ shared_terraform_state_bucket = "ndr-${var.environment}-terraform-state-${data.aws_caller_identity.current.account_id}"
+ common_name_kms_key_arn = local.is_sandbox ? data.terraform_remote_state.shared.outputs.pdm_kms_key_arn : module.pdm_encryption_key.kms_arn
 }
 variable "nrl_api_endpoint_suffix" {
@@ -321,3 +323,9 @@ variable "ssh_key_management_dry_run" {
 type = bool
 default = false
 }
+
+variable "shared_infra_workspace" {
+ description = "Workspace that owns shared infra like SSM and KMS"
+ type = string
+ default = "ndr-dev"
+}
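Review bot: `data.terraform_remote_state.shared.outputs.pdm_kms_key_arn` assumes the shared workspace exports that output; if it does not, or the state object is empty, the plan fails with an attribute error that never says which workspace was expected to provide it. Reading it as `lookup(data.terraform_remote_state.shared.outputs, "pdm_kms_key_arn", null)` and failing on null with a message naming `var.shared_infra_workspace`, or at least a comment `# requires output "pdm_kms_key_arn" in the workspace named by var.shared_infra_workspace`, would make the contract visible. `shared_terraform_state_bucket` interpolates `var.environment` while the state key uses `var.shared_infra_workspace`; if a sandbox sets an environment name of its own, the bucket would differ from the one holding the shared state, so that pairing is worth confirming. The two truststore lines change only in alignment, which buries the behavioural change in whitespace noise. The `locals` block begins outside the hunk.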
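Review bot: The description `Workspace that owns shared infra like SSM and KMS` overstates what is consumed: on this page the only value read from that workspace is `pdm_kms_key_arn`, and the default `"ndr-dev"` means any environment that omits the variable silently reads the dev workspace's state, which is presumably deliberate for sandboxes but is not stated anywhere. Suggest `description = "Terraform workspace whose state exposes pdm_kms_key_arn (read via data.terraform_remote_state.shared); sandboxes default to ndr-dev, other environments set their own workspace"`. A `validation` block restricting the value to the known workspace names would turn a typo into a plan-time error instead of a state read against a key that does not exist.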