diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
index b18d5c375..da23168b0 100644
--- a/0-bootstrap/sa.tf
+++ b/0-bootstrap/sa.tf
@@ -62,6 +62,7 @@ locals {
"roles/accesscontextmanager.policyAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/serviceusage.serviceUsageConsumer",
+ "roles/cloudkms.admin",
], local.common_roles)),
}
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
index bdd76d5dc..3ef32b23e 100644
--- a/1-org/envs/shared/README.md
+++ b/1-org/envs/shared/README.md
@@ -4,7 +4,6 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| billing\_export\_dataset\_location | The location of the dataset for billing data export. | `string` | `null` | no |
-| cai\_monitoring\_kms\_force\_destroy | If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | `bool` | `false` | no |
| create\_access\_context\_manager\_access\_policy | Whether to create access context manager access policy. | `bool` | `true` | no |
| create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
| data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
@@ -18,7 +17,7 @@
| log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no |
| log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no |
| log\_export\_storage\_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
-| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | object({
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [1.2])
dns_hub_alert_pubsub_topic = optional(string, null)
dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_kms_budget_amount = optional(number, 1000)
org_kms_alert_spent_percents = optional(list(number), [1.2])
org_kms_alert_pubsub_topic = optional(string, null)
org_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no |
+| project\_budget | Budget configuration for projects.
budget\_amount: The amount to use as the budget.
alert\_spent\_percents: A list of percentages of the budget to alert on when threshold is exceeded.
alert\_pubsub\_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`.
alert\_spend\_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are `CURRENT_SPEND` or `FORECASTED_SPEND` (default). | object({
dns_hub_budget_amount = optional(number, 1000)
dns_hub_alert_spent_percents = optional(list(number), [1.2])
dns_hub_alert_pubsub_topic = optional(string, null)
dns_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_net_hub_budget_amount = optional(number, 1000)
base_net_hub_alert_spent_percents = optional(list(number), [1.2])
base_net_hub_alert_pubsub_topic = optional(string, null)
base_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
base_network_budget_amount = optional(number, 1000)
base_network_alert_spent_percents = optional(list(number), [1.2])
base_network_alert_pubsub_topic = optional(string, null)
base_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_net_hub_budget_amount = optional(number, 1000)
restricted_net_hub_alert_spent_percents = optional(list(number), [1.2])
restricted_net_hub_alert_pubsub_topic = optional(string, null)
restricted_net_hub_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
restricted_network_budget_amount = optional(number, 1000)
restricted_network_alert_spent_percents = optional(list(number), [1.2])
restricted_network_alert_pubsub_topic = optional(string, null)
restricted_network_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
interconnect_budget_amount = optional(number, 1000)
interconnect_alert_spent_percents = optional(list(number), [1.2])
interconnect_alert_pubsub_topic = optional(string, null)
interconnect_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_secrets_budget_amount = optional(number, 1000)
org_secrets_alert_spent_percents = optional(list(number), [1.2])
org_secrets_alert_pubsub_topic = optional(string, null)
org_secrets_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_billing_export_budget_amount = optional(number, 1000)
org_billing_export_alert_spent_percents = optional(list(number), [1.2])
org_billing_export_alert_pubsub_topic = optional(string, null)
org_billing_export_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
org_audit_logs_budget_amount = optional(number, 1000)
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
common_kms_budget_amount = optional(number, 1000)
common_kms_alert_spent_percents = optional(list(number), [1.2])
common_kms_alert_pubsub_topic = optional(string, null)
common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
scc_notifications_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
})
| `{}` | no |
| remote\_state\_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | `string` | n/a | yes |
| scc\_notification\_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | `string` | `"state = \"ACTIVE\""` | no |
| scc\_notification\_name | Name of the Security Command Center Notification. It must be unique in the organization. Run `gcloud scc notifications describe --organization=org_id` to check if it already exists. | `string` | n/a | yes |
@@ -35,6 +34,7 @@
| cai\_monitoring\_bucket | CAI Monitoring Cloud Function Source Bucket name. |
| cai\_monitoring\_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. |
| common\_folder\_name | The common folder name |
+| common\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID |
| dns\_hub\_project\_id | The DNS hub project ID |
| domains\_to\_allow | The list of domains to allow users from in IAM. |
| interconnect\_project\_id | The Dedicated Interconnect project ID |
@@ -47,7 +47,6 @@
| org\_audit\_logs\_project\_id | The org audit logs project ID. |
| org\_billing\_export\_project\_id | The org billing export project ID |
| org\_id | The organization id |
-| org\_kms\_project\_id | The org Cloud Key Management Service (KMS) project ID |
| org\_secrets\_project\_id | The org secrets project ID |
| parent\_resource\_id | The parent resource id |
| parent\_resource\_type | The parent resource type |
diff --git a/1-org/envs/shared/cai_monitoring.tf b/1-org/envs/shared/cai_monitoring.tf
index ad8e7e545..6b613a3ab 100644
--- a/1-org/envs/shared/cai_monitoring.tf
+++ b/1-org/envs/shared/cai_monitoring.tf
@@ -14,17 +14,6 @@
* limitations under the License.
*/
-module "kms" {
- source = "terraform-google-modules/kms/google"
- version = "~> 2.1"
-
- project_id = module.scc_notifications.project_id
- keyring = "krg-cai-monitoring"
- location = local.default_region
- keys = ["key-cai-monitoring"]
- prevent_destroy = !var.cai_monitoring_kms_force_destroy
-}
-
module "cai_monitoring" {
source = "../../modules/cai-monitoring"
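Review bot: Removing the `kms` module here and, in the next hunk, `enable_cmek` and `encryption_key`, leaves the CAI monitoring function's source bucket and Artifact Registry on Google-managed encryption with no replacement key, and nothing in the diff records whether that is the intended end state or an interim step toward using the new `common_kms` project. A comment on `module "cai_monitoring"` capturing the decision would stop it being read as an accidental regression, e.g. `# CMEK intentionally not configured for CAI monitoring; see <tracking-issue placeholder>`. If a key from the common KMS project is meant to take over, `encryption_key` should be wired from that project rather than dropped. `module "cai_monitoring"` continues past the end of the hunk.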
@@ -32,6 +21,4 @@ module "cai_monitoring" {
billing_account = local.billing_account
project_id = module.scc_notifications.project_id
location = local.default_region
- enable_cmek = true
- encryption_key = module.kms.keys["key-cai-monitoring"]
}
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index 4db64643d..ca01ec678 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -184,7 +184,7 @@ resource "google_project_iam_member" "global_secrets_admin" {
resource "google_project_iam_member" "kms_admin" {
count = var.gcp_groups.kms_admin != null ? 1 : 0
- project = module.org_kms.project_id
+ project = module.common_kms.project_id
role = "roles/cloudkms.viewer"
member = "group:${var.gcp_groups.kms_admin}"
}
diff --git a/1-org/envs/shared/outputs.tf b/1-org/envs/shared/outputs.tf
index 410c5fff1..5c705f50f 100644
--- a/1-org/envs/shared/outputs.tf
+++ b/1-org/envs/shared/outputs.tf
@@ -59,8 +59,8 @@ output "org_secrets_project_id" {
description = "The org secrets project ID"
}
-output "org_kms_project_id" {
- value = module.org_kms.project_id
+output "common_kms_project_id" {
+ value = module.common_kms.project_id
description = "The org Cloud Key Management Service (KMS) project ID"
}
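Review bot: Renaming the output from `org_kms_project_id` to `common_kms_project_id` changes the remote-state interface that later stages read through `data.terraform_remote_state.*.outputs`, so any consumer still referencing `org_kms_project_id` fails at plan time; the diff updates the integration test but no consumer, which is fine only if none exists, so it is worth confirming. The description line was not updated and still reads "The org Cloud Key Management Service (KMS) project ID", which no longer matches the "Common-folder KMS" wording introduced in projects.tf; `description = "The common folder Cloud Key Management Service (KMS) project ID"` would keep the two consistent (the README row for the same output carries the same stale text).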
diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf
index ce3be31cb..60e9e9e87 100644
--- a/1-org/envs/shared/projects.tf
+++ b/1-org/envs/shared/projects.tf
@@ -95,10 +95,10 @@ module "org_billing_export" {
}
/******************************************
- Project for Org-wide KMS
+ Project for Common-folder KMS
*****************************************/
-module "org_kms" {
+module "common_kms" {
source = "terraform-google-modules/project-factory/google"
version = "~> 15.0"
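Review bot: Renaming `module "org_kms"` to `module "common_kms"` changes the resource address, so on an existing deployment Terraform will plan to destroy the old KMS project and create a new one unless a `moved` block is added; since this project is meant to host encryption keys, that replacement must not happen by accident. Add a top-level `moved { from = module.org_kms to = module.common_kms }` next to the module so state is migrated in place. The module body continues past the hunk, and the second hunk in this file only renames the budget attributes.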
@@ -122,10 +122,10 @@ module "org_kms" {
vpc = "none"
}
- budget_alert_pubsub_topic = var.project_budget.org_kms_alert_pubsub_topic
- budget_alert_spent_percents = var.project_budget.org_kms_alert_spent_percents
- budget_amount = var.project_budget.org_kms_budget_amount
- budget_alert_spend_basis = var.project_budget.org_kms_budget_alert_spend_basis
+ budget_alert_pubsub_topic = var.project_budget.common_kms_alert_pubsub_topic
+ budget_alert_spent_percents = var.project_budget.common_kms_alert_spent_percents
+ budget_amount = var.project_budget.common_kms_budget_amount
+ budget_alert_spend_basis = var.project_budget.common_kms_budget_alert_spend_basis
}
/******************************************
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index 66c0a9a77..43d5fdaa0 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -133,10 +133,10 @@ variable "project_budget" {
org_audit_logs_alert_spent_percents = optional(list(number), [1.2])
org_audit_logs_alert_pubsub_topic = optional(string, null)
org_audit_logs_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
- org_kms_budget_amount = optional(number, 1000)
- org_kms_alert_spent_percents = optional(list(number), [1.2])
- org_kms_alert_pubsub_topic = optional(string, null)
- org_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
+ common_kms_budget_amount = optional(number, 1000)
+ common_kms_alert_spent_percents = optional(list(number), [1.2])
+ common_kms_alert_pubsub_topic = optional(string, null)
+ common_kms_budget_alert_spend_basis = optional(string, "FORECASTED_SPEND")
scc_notifications_budget_amount = optional(number, 1000)
scc_notifications_alert_spent_percents = optional(list(number), [1.2])
scc_notifications_alert_pubsub_topic = optional(string, null)
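Review bot: Renaming the `org_kms_*` attributes of `project_budget` to `common_kms_*` is, as far as I can tell, a breaking change to the variable's object type: a tfvars file that still sets e.g. `org_kms_budget_amount` will be rejected, because `optional()` attributes do not make unknown keys permissible. If upgrades of existing deployments are expected, keep the old names as deprecated optional attributes for one release, or call the rename out in the upgrade notes. The variable block starts and ends outside the hunk.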
@@ -187,11 +187,6 @@ variable "create_unique_tag_key" {
type = bool
default = false
}
-variable "cai_monitoring_kms_force_destroy" {
- description = "If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present."
- type = bool
- default = false
-}
variable "tfc_org_name" {
description = "Name of the TFC organization"
diff --git a/1-org/modules/cai-monitoring/iam.tf b/1-org/modules/cai-monitoring/iam.tf
index af723709c..48226d04b 100644
--- a/1-org/modules/cai-monitoring/iam.tf
+++ b/1-org/modules/cai-monitoring/iam.tf
@@ -46,15 +46,6 @@ data "google_storage_project_service_account" "gcs_sa" {
project = var.project_id
}
-// Encrypter/Decrypter role
-resource "google_kms_crypto_key_iam_member" "encrypter_decrypter" {
- for_each = var.enable_cmek ? local.identities : {}
-
- crypto_key_id = var.encryption_key
- role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = each.value
-}
-
// Cloud Function SA
resource "google_service_account" "cloudfunction" {
account_id = "cai-monitoring"
@@ -80,7 +71,6 @@ resource "google_project_iam_member" "cloudfunction_iam" {
resource "time_sleep" "wait_kms_iam" {
create_duration = "60s"
depends_on = [
- google_kms_crypto_key_iam_member.encrypter_decrypter,
google_organization_iam_member.cloudfunction_findings_editor,
google_project_iam_member.cloudfunction_iam
]
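Review bot: With the `encrypter_decrypter` binding removed in the previous hunk, `time_sleep.wait_kms_iam` no longer waits on any KMS IAM and its name is now misleading; it still gates on the findings-editor and project IAM members, so either rename it (with a `moved` block) or add a comment such as `# KMS IAM dependency removed; still waits for organization and project IAM propagation` so the next reader does not go looking for the missing binding. If `var.enable_cmek`, `var.encryption_key` and `local.identities` are declared in the module's other files (not in this diff) and were only used by the removed resource, they are now dead inputs and should be removed or the module README updated. The `time_sleep` resource continues past the hunk.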
diff --git a/4-projects/business_unit_1/development/README.md b/4-projects/business_unit_1/development/README.md
index 05729e0b1..e1fa6e324 100644
--- a/4-projects/business_unit_1/development/README.md
+++ b/4-projects/business_unit_1/development/README.md
@@ -21,7 +21,6 @@
| base\_subnets\_self\_links | The self-links of subnets from base environment. |
| bucket | The created storage bucket. |
| default\_region | The default region for the project. |
-| env\_kms\_project | Project sample for KMS usage project ID. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
| keyring | The name of the keyring. |
diff --git a/4-projects/business_unit_1/development/outputs.tf b/4-projects/business_unit_1/development/outputs.tf
index feef5c507..92a332bc6 100644
--- a/4-projects/business_unit_1/development/outputs.tf
+++ b/4-projects/business_unit_1/development/outputs.tf
@@ -79,11 +79,6 @@ output "peering_complete" {
value = module.env.peering_complete
}
-output "env_kms_project" {
- description = "Project sample for KMS usage project ID."
- value = module.env.env_kms_project
-}
-
output "keyring" {
description = "The name of the keyring."
value = module.env.keyring
diff --git a/4-projects/business_unit_1/nonproduction/README.md b/4-projects/business_unit_1/nonproduction/README.md
index 05729e0b1..e1fa6e324 100644
--- a/4-projects/business_unit_1/nonproduction/README.md
+++ b/4-projects/business_unit_1/nonproduction/README.md
@@ -21,7 +21,6 @@
| base\_subnets\_self\_links | The self-links of subnets from base environment. |
| bucket | The created storage bucket. |
| default\_region | The default region for the project. |
-| env\_kms\_project | Project sample for KMS usage project ID. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
| keyring | The name of the keyring. |
diff --git a/4-projects/business_unit_1/nonproduction/outputs.tf b/4-projects/business_unit_1/nonproduction/outputs.tf
index feef5c507..92a332bc6 100644
--- a/4-projects/business_unit_1/nonproduction/outputs.tf
+++ b/4-projects/business_unit_1/nonproduction/outputs.tf
@@ -79,11 +79,6 @@ output "peering_complete" {
value = module.env.peering_complete
}
-output "env_kms_project" {
- description = "Project sample for KMS usage project ID."
- value = module.env.env_kms_project
-}
-
output "keyring" {
description = "The name of the keyring."
value = module.env.keyring
diff --git a/4-projects/business_unit_1/production/README.md b/4-projects/business_unit_1/production/README.md
index 05729e0b1..e1fa6e324 100644
--- a/4-projects/business_unit_1/production/README.md
+++ b/4-projects/business_unit_1/production/README.md
@@ -21,7 +21,6 @@
| base\_subnets\_self\_links | The self-links of subnets from base environment. |
| bucket | The created storage bucket. |
| default\_region | The default region for the project. |
-| env\_kms\_project | Project sample for KMS usage project ID. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
| keyring | The name of the keyring. |
diff --git a/4-projects/business_unit_1/production/outputs.tf b/4-projects/business_unit_1/production/outputs.tf
index e8a821c7b..55b839cb4 100644
--- a/4-projects/business_unit_1/production/outputs.tf
+++ b/4-projects/business_unit_1/production/outputs.tf
@@ -79,11 +79,6 @@ output "peering_complete" {
value = module.env.peering_complete
}
-output "env_kms_project" {
- description = "Project sample for KMS usage project ID."
- value = module.env.env_kms_project
-}
-
output "keyring" {
description = "The name of the keyring."
value = module.env.keyring
diff --git a/4-projects/modules/base_env/README.md b/4-projects/modules/base_env/README.md
index 8e3acc392..9c4897ef3 100644
--- a/4-projects/modules/base_env/README.md
+++ b/4-projects/modules/base_env/README.md
@@ -36,7 +36,6 @@
| base\_shared\_vpc\_project\_sa | Project sample base project SA. |
| base\_subnets\_self\_links | The self-links of subnets from base environment. |
| bucket | The created storage bucket. |
-| env\_kms\_project | Project sample for KMS usage project ID. |
| floating\_project | Project sample floating project. |
| iap\_firewall\_tags | The security tags created for IAP (SSH and RDP) firewall rules and to be used on the VM created on step 5-app-infra on the peering network project. |
| keyring | The name of the keyring. |
diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf
index f72e15d42..8b40250a7 100644
--- a/4-projects/modules/base_env/example_storage_cmek.tf
+++ b/4-projects/modules/base_env/example_storage_cmek.tf
@@ -14,27 +14,6 @@
* limitations under the License.
*/
-module "env_kms_project" {
- source = "../single_project"
-
- org_id = local.org_id
- billing_account = local.billing_account
- folder_id = google_folder.env_business_unit.name
- environment = var.env
- project_budget = var.project_budget
- project_suffix = var.kms_prj_suffix
- project_prefix = local.project_prefix
-
- activate_apis = ["logging.googleapis.com", "secretmanager.googleapis.com", "cloudkms.googleapis.com"]
-
- # Metadata
- application_name = "${var.business_code}-sample-application"
- billing_code = "1234"
- primary_contact = "example@example.com"
- secondary_contact = "example2@example.com"
- business_code = var.business_code
-}
-
data "google_storage_project_service_account" "gcs_account" {
project = module.base_shared_vpc_project.project_id
}
@@ -43,7 +22,7 @@ module "kms" {
source = "terraform-google-modules/kms/google"
version = "~> 2.1"
- project_id = module.env_kms_project.project_id
+ project_id = local.kms_project_id
keyring = var.keyring_name
location = var.location_kms
keys = [var.key_name]
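Review bot: `module "kms"` now creates its keyring in `local.kms_project_id`, a project sourced from another stage's remote state rather than one this module owns, so the identity running 4-projects must already hold keyring and key creation rights in that project; nothing in this diff grants them, and a missing grant only surfaces at apply. For an existing deployment, changing `project_id` forces replacement of the keyring and keys, so any data encrypted with the previous key needs to be considered before upgrading. A comment above the module recording both assumptions would help, e.g. `# keyring lives in the environment-level KMS project from remote state; the 4-projects identity needs KMS admin rights there`. The `module "kms"` block starts outside the hunk.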
diff --git a/4-projects/modules/base_env/outputs.tf b/4-projects/modules/base_env/outputs.tf
index 469ddd7f8..565910d96 100644
--- a/4-projects/modules/base_env/outputs.tf
+++ b/4-projects/modules/base_env/outputs.tf
@@ -79,11 +79,6 @@ output "peering_complete" {
value = module.peering.complete
}
-output "env_kms_project" {
- description = "Project sample for KMS usage project ID."
- value = module.env_kms_project.project_id
-}
-
output "keyring" {
description = "The name of the keyring."
value = module.kms.keyring
diff --git a/4-projects/modules/base_env/remote.tf b/4-projects/modules/base_env/remote.tf
index c49c9f0b8..36a78f2d7 100644
--- a/4-projects/modules/base_env/remote.tf
+++ b/4-projects/modules/base_env/remote.tf
@@ -29,6 +29,7 @@ locals {
env_folder_name = data.terraform_remote_state.environments_env.outputs.env_folder
app_infra_pipeline_service_accounts = data.terraform_remote_state.business_unit_shared.outputs.terraform_service_accounts
enable_cloudbuild_deploy = data.terraform_remote_state.business_unit_shared.outputs.enable_cloudbuild_deploy
+ kms_project_id = data.terraform_remote_state.environments_env.outputs.env_kms_project_id
}
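Review bot: The new `kms_project_id` local reads `outputs.env_kms_project_id` from the `environments_env` remote state, but no change to the stage that produces that output is part of this diff; if it is not exported yet, every 4-projects environment fails at plan with an unsupported-attribute error. Confirm the output exists (or add it in the same change) and add a short comment naming the producer, e.g. `# exported by the environment stage's outputs.tf`. The `locals` block starts outside the hunk.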
data "terraform_remote_state" "bootstrap" {
diff --git a/README.md b/README.md
index a9aad504d..71f5f004f 100644
--- a/README.md
+++ b/README.md
@@ -148,7 +148,7 @@ This will create the following folder and project structure:
```
example-organization
└── fldr-development
- ├── prj-p-kms
+ ├── prj-d-kms
└── prj-d-secrets
└── fldr-nonproduction
├── prj-n-kms
@@ -202,39 +202,33 @@ Running this code as-is should generate a structure as shown below:
example-organization/
└── fldr-development
└── fldr-development-bu1
- ├── prj-d-bu1-kms
├── prj-d-bu1-sample-floating
├── prj-d-bu1-sample-base
├── prj-d-bu1-sample-restrict
├── prj-d-bu1-sample-peering
└── fldr-development-bu2
- ├── prj-d-bu2-kms
├── prj-d-bu2-sample-floating
├── prj-d-bu2-sample-base
├── prj-d-bu2-sample-restrict
└── prj-d-bu2-sample-peering
└── fldr-nonproduction
└── fldr-nonproduction-bu1
- ├── prj-n-bu1-kms
├── prj-n-bu1-sample-floating
├── prj-n-bu1-sample-base
├── prj-n-bu1-sample-restrict
├── prj-n-bu1-sample-peering
└── fldr-nonproduction-bu2
- ├── prj-n-bu2-kms
├── prj-n-bu2-sample-floating
├── prj-n-bu2-sample-base
├── prj-n-bu2-sample-restrict
└── prj-n-bu2-sample-peering
└── fldr-production
└── fldr-production-bu1
- ├── prj-p-bu1-kms
├── prj-p-bu1-sample-floating
├── prj-p-bu1-sample-base
├── prj-p-bu1-sample-restrict
├── prj-p-bu1-sample-peering
└── fldr-production-bu2
- ├── prj-p-bu2-kms
├── prj-p-bu2-sample-floating
├── prj-p-bu2-sample-base
├── prj-p-bu2-sample-restrict
@@ -285,13 +279,13 @@ example-organization
├── prj-d-kms
└── prj-d-secrets
└── fldr-development-bu1
- ├── prj-d-bu1-kms
+
├── prj-d-bu1-sample-floating
├── prj-d-bu1-sample-base
├── prj-d-bu1-sample-restrict
├── prj-d-bu1-sample-peering
└── fldr-development-bu2
- ├── prj-d-bu2-kms
+
├── prj-d-bu2-sample-floating
├── prj-d-bu2-sample-base
├── prj-d-bu2-sample-restrict
@@ -300,13 +294,13 @@ example-organization
├── prj-n-kms
└── prj-n-secrets
└── fldr-nonproduction-bu1
- ├── prj-n-bu1-kms
+
├── prj-n-bu1-sample-floating
├── prj-n-bu1-sample-base
├── prj-n-bu1-sample-restrict
├── prj-n-bu1-sample-peering
└── fldr-nonproduction-bu2
- ├── prj-n-bu2-kms
+
├── prj-n-bu2-sample-floating
├── prj-n-bu2-sample-base
├── prj-n-bu2-sample-restrict
@@ -315,13 +309,13 @@ example-organization
├── prj-p-kms
└── prj-p-secrets
└── fldr-production-bu1
- ├── prj-p-bu1-kms
+
├── prj-p-bu1-sample-floating
├── prj-p-bu1-sample-base
├── prj-p-bu1-sample-restrict
├── prj-p-bu1-sample-peering
└── fldr-production-bu2
- ├── prj-p-bu2-kms
+
├── prj-p-bu2-sample-floating
├── prj-p-bu2-sample-base
├── prj-p-bu2-sample-restrict
diff --git a/helpers/foundation-deployer/global.tfvars.example b/helpers/foundation-deployer/global.tfvars.example
index 4ab6193e3..0347e625e 100644
--- a/helpers/foundation-deployer/global.tfvars.example
+++ b/helpers/foundation-deployer/global.tfvars.example
@@ -86,7 +86,6 @@ domains_to_allow = ["example.com"] # Must include the domain
essential_contacts_domains_to_allow = ["@example.com"]
scc_notification_name = "scc-notify"
-cai_monitoring_kms_force_destroy = false
audit_logs_table_delete_contents_on_destroy = false
log_export_storage_force_destroy = false
log_export_storage_location = "US"
diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go
index cb3625b41..90b6a9537 100644
--- a/helpers/foundation-deployer/stages/apply.go
+++ b/helpers/foundation-deployer/stages/apply.go
@@ -201,7 +201,6 @@ func DeployOrgStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, outputs Bo
EnableHubAndSpoke: tfvars.EnableHubAndSpoke,
CreateACMAPolicy: createACMAPolicy,
CreateUniqueTagKey: tfvars.CreateUniqueTagKey,
- CaiMonitoringKmsForceDestroy: tfvars.CaiMonitoringKmsForceDestroy,
AuditLogsTableDeleteContentsOnDestroy: tfvars.AuditLogsTableDeleteContentsOnDestroy,
LogExportStorageForceDestroy: tfvars.LogExportStorageForceDestroy,
LogExportStorageLocation: tfvars.LogExportStorageLocation,
diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go
index 3a8adb1eb..6a40fed9f 100644
--- a/helpers/foundation-deployer/stages/data.go
+++ b/helpers/foundation-deployer/stages/data.go
@@ -143,7 +143,6 @@ type GlobalTFVars struct {
SccNotificationName string `hcl:"scc_notification_name"`
ProjectPrefix *string `hcl:"project_prefix"`
FolderPrefix *string `hcl:"folder_prefix"`
- CaiMonitoringKmsForceDestroy *bool `hcl:"cai_monitoring_kms_force_destroy"`
BucketForceDestroy *bool `hcl:"bucket_force_destroy"`
BucketTfstateKmsForceDestroy *bool `hcl:"bucket_tfstate_kms_force_destroy"`
AuditLogsTableDeleteContentsOnDestroy *bool `hcl:"audit_logs_table_delete_contents_on_destroy"`
@@ -216,7 +215,6 @@ type OrgTfvars struct {
EnableHubAndSpoke bool `hcl:"enable_hub_and_spoke"`
CreateACMAPolicy bool `hcl:"create_access_context_manager_access_policy"`
CreateUniqueTagKey bool `hcl:"create_unique_tag_key"`
- CaiMonitoringKmsForceDestroy *bool `hcl:"cai_monitoring_kms_force_destroy"`
AuditLogsTableDeleteContentsOnDestroy *bool `hcl:"audit_logs_table_delete_contents_on_destroy"`
LogExportStorageForceDestroy *bool `hcl:"log_export_storage_force_destroy"`
LogExportStorageLocation string `hcl:"log_export_storage_location"`
diff --git a/helpers/foundation-deployer/stages/validate.go b/helpers/foundation-deployer/stages/validate.go
index 2a3aac52a..2f8a6d15b 100644
--- a/helpers/foundation-deployer/stages/validate.go
+++ b/helpers/foundation-deployer/stages/validate.go
@@ -108,9 +108,6 @@ func ValidateDestroyFlags(t testing.TB, g GlobalTFVars) {
if g.BucketTfstateKmsForceDestroy == nil || !*g.BucketTfstateKmsForceDestroy {
flags = append(flags, "bucket_tfstate_kms_force_destroy")
}
- if g.CaiMonitoringKmsForceDestroy == nil || !*g.CaiMonitoringKmsForceDestroy {
- flags = append(flags, "cai_monitoring_kms_force_destroy")
- }
if len(flags) > 0 {
fmt.Println("# To use the feature to destroy the deployment created by this helper,")
diff --git a/test/integration/org/org_test.go b/test/integration/org/org_test.go
index fe31369d4..e5606e42b 100644
--- a/test/integration/org/org_test.go
+++ b/test/integration/org/org_test.go
@@ -41,7 +41,6 @@ func TestOrg(t *testing.T) {
vars := map[string]interface{}{
"remote_state_bucket": backend_bucket,
"log_export_storage_force_destroy": "true",
- "cai_monitoring_kms_force_destroy": "true",
}
backendConfig := map[string]interface{}{
@@ -301,7 +300,6 @@ func TestOrg(t *testing.T) {
caiTopic := org.GetStringOutput("cai_monitoring_topic")
caiSaEmail := fmt.Sprintf("cai-monitoring@%s.iam.gserviceaccount.com", sccProjectID)
- caiKmsKey := fmt.Sprintf("projects/%s/locations/%s/keyRings/krg-cai-monitoring/cryptoKeys/key-cai-monitoring", sccProjectID, defaultRegion)
caiTopicFullName := fmt.Sprintf("projects/%s/topics/%s", sccProjectID, caiTopic)
// Cloud Function
@@ -313,12 +311,10 @@ func TestOrg(t *testing.T) {
// Cloud Function Storage Bucket
bktArgs := gcloud.WithCommonArgs([]string{"--project", sccProjectID, "--json"})
opSrcBucket := gcloud.Run(t, fmt.Sprintf("alpha storage ls --buckets gs://%s", caiBucket), bktArgs).Array()
- assert.Equal(caiKmsKey, opSrcBucket[0].Get("metadata.encryption.defaultKmsKeyName").String(), fmt.Sprintf("Should have same KMS key: %s", caiKmsKey))
assert.Equal("true", opSrcBucket[0].Get("metadata.iamConfiguration.bucketPolicyOnly.enabled").String(), "Should have Bucket Policy Only enabled.")
// Cloud Function Artifact Registry
opAR := gcloud.Runf(t, "artifacts repositories describe %s --project %s --location %s", caiAr, sccProjectID, defaultRegion)
- assert.Equal(caiKmsKey, opAR.Get("kmsKeyName").String(), fmt.Sprintf("Should have KMS Key: %s", caiKmsKey))
assert.Equal("DOCKER", opAR.Get("format").String(), "Should have type: DOCKER")
// Cloud Function Pub/Sub
@@ -417,7 +413,7 @@ func TestOrg(t *testing.T) {
},
},
{
- output: "org_kms_project_id",
+ output: "common_kms_project_id",
apis: []string{
"logging.googleapis.com",
"cloudkms.googleapis.com",
diff --git a/test/integration/projects/projects_test.go b/test/integration/projects/projects_test.go
index 2812a50a7..1b50e507e 100644
--- a/test/integration/projects/projects_test.go
+++ b/test/integration/projects/projects_test.go
@@ -146,7 +146,6 @@ func TestProjects(t *testing.T) {
"base_shared_vpc_project",
"floating_project",
"peering_project",
- "env_kms_project",
"restricted_shared_vpc_project",
} {
projectID := projects.GetStringOutput(projectOutput)