diff --git a/go.mod b/go.mod
index 56f97458e58..db51ed1c398 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/IBM/ibm-cos-sdk-go-config/v2 v2.0.4
 	github.com/IBM/ibm-hpcs-tke-sdk v0.0.0-20211109141421-a4b61b05f7d1
 	github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta
-	github.com/IBM/keyprotect-go-client v0.12.2
+	github.com/IBM/keyprotect-go-client v0.14.0
 	github.com/IBM/networking-go-sdk v0.45.0
 	github.com/IBM/platform-services-go-sdk v0.62.10
 	github.com/IBM/project-go-sdk v0.2.8-1
diff --git a/go.sum b/go.sum
index 623e6911e2a..242acaee6c0 100644
--- a/go.sum
+++ b/go.sum
@@ -152,8 +152,8 @@ github.com/IBM/ibm-hpcs-tke-sdk v0.0.0-20211109141421-a4b61b05f7d1/go.mod h1:M2J
 github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta h1:P1fdIfKsD9xvJQ5MHIEztPS9yfNf9x+VDTamaYcmqcs=
 github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta/go.mod h1:MLVNHMYoKsvovJZ4v1gQCpIYtRDHTtoIHK6XztDZGsU=
 github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
-github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
+github.com/IBM/keyprotect-go-client v0.14.0 h1:GqgK3BdczA/w7+B1RxEPLya0w9S/ZXi5YWKAxdW8vHQ=
+github.com/IBM/keyprotect-go-client v0.14.0/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
 github.com/IBM/mqcloud-go-sdk v0.0.4 h1:gqMpoU5a0qJ0GETG4PQrkgeEEoaQLvbxRJnEe6ytvC4=
 github.com/IBM/mqcloud-go-sdk v0.0.4/go.mod h1:gQptHC6D+rxfg0muRFFGvTDmvl4YfiDE0uXkaRRewRk=
 github.com/IBM/networking-go-sdk v0.45.0 h1:tYgDhVDpgKvELNY7tcodbZ4ny9fatpEWM6PwtQcDe20=
diff --git a/ibm/flex/structures.go b/ibm/flex/structures.go
index e2c92e969b6..f5e1c525d8e 100644
--- a/ibm/flex/structures.go
+++ b/ibm/flex/structures.go
@@ -3157,12 +3157,25 @@ func FlattenInstancePolicy(policyType string, policies []kp.InstancePolicy) []ma
 			metricsMap = append(metricsMap, policyInstance)
 		}
 		if policy.PolicyType == "keyCreateImportAccess" {
-			policyInstance["enabled"] = policy.PolicyData.Enabled
-			policyInstance["create_root_key"] = policy.PolicyData.Attributes.CreateRootKey
-			policyInstance["create_standard_key"] = policy.PolicyData.Attributes.CreateStandardKey
-			policyInstance["import_root_key"] = policy.PolicyData.Attributes.ImportRootKey
-			policyInstance["import_standard_key"] = policy.PolicyData.Attributes.ImportStandardKey
-			policyInstance["enforce_token"] = policy.PolicyData.Attributes.EnforceToken
+			if policy.PolicyData.Enabled != nil {
+				policyInstance["enabled"] = *policy.PolicyData.Enabled
+			}
+			if policy.PolicyData.Attributes.CreateRootKey != nil {
+				policyInstance["create_root_key"] = *policy.PolicyData.Attributes.CreateRootKey
+			}
+			if policy.PolicyData.Attributes.CreateStandardKey != nil {
+				policyInstance["create_standard_key"] = *policy.PolicyData.Attributes.CreateStandardKey
+			}
+			if policy.PolicyData.Attributes.ImportRootKey != nil {
+				policyInstance["import_root_key"] = *policy.PolicyData.Attributes.ImportRootKey
+			}
+			if policy.PolicyData.Attributes.ImportStandardKey != nil {
+				policyInstance["import_standard_key"] = *policy.PolicyData.Attributes.ImportStandardKey
+			}
+			if policy.PolicyData.Attributes.EnforceToken != nil {
+				policyInstance["enforce_token"] = *policy.PolicyData.Attributes.EnforceToken
+			}
+
 			keyCreateImportAccessMap = append(keyCreateImportAccessMap, policyInstance)
 		}
 	}
diff --git a/ibm/service/kms/resource_ibm_kms_instance_policies.go b/ibm/service/kms/resource_ibm_kms_instance_policies.go
index 2c0c78f6d1f..ac8bc197179 100644
--- a/ibm/service/kms/resource_ibm_kms_instance_policies.go
+++ b/ibm/service/kms/resource_ibm_kms_instance_policies.go
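Review bot: The five attribute reads on the new side nil-check each field but still dereference `policy.PolicyData.Attributes` itself, so a `keyCreateImportAccess` policy that comes back with `enabled=false` and no attributes block — the very shape the write path in this same commit sends via `Attributes: nil` — will nil-panic in Read if `Attributes` is a pointer, which that assignment suggests it is. A panic here aborts `terraform plan` for the whole instance and removes the operator's only view of whether key create/import restrictions are actually enforced. Guard the block once and read the fields through the checked pointer, as sketched below; the `enabled` read stays outside the guard so a disabled policy is still reported. FlattenInstancePolicy starts and ends outside the hunk.
```go
if policy.PolicyType == "keyCreateImportAccess" {
	if policy.PolicyData.Enabled != nil {
		policyInstance["enabled"] = *policy.PolicyData.Enabled
	}
	// A disabled policy may be returned without an attributes block; never dereference it blindly.
	if attrs := policy.PolicyData.Attributes; attrs != nil {
		if attrs.CreateRootKey != nil {
			policyInstance["create_root_key"] = *attrs.CreateRootKey
		}
		// … unchanged pattern for create_standard_key, import_root_key, import_standard_key, enforce_token …
	}
	keyCreateImportAccessMap = append(keyCreateImportAccessMap, policyInstance)
}
```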
@@ -331,13 +331,30 @@ func policyCreateOrUpdate(context context.Context, d *schema.ResourceData, kpAPI if kciaip, ok := d.GetOk("key_create_import_access"); ok { kciaipList := kciaip.([]interface{}) if len(kciaipList) != 0 { - mulPolicy.KeyCreateImportAccess = &kp.KeyCreateImportAccessInstancePolicy{ - Enabled: kciaipList[0].(map[string]interface{})["enabled"].(bool), - CreateRootKey: kciaipList[0].(map[string]interface{})["create_root_key"].(bool), - CreateStandardKey: kciaipList[0].(map[string]interface{})["create_standard_key"].(bool), - ImportRootKey: kciaipList[0].(map[string]interface{})["import_root_key"].(bool), - ImportStandardKey: kciaipList[0].(map[string]interface{})["import_standard_key"].(bool), - EnforceToken: kciaipList[0].(map[string]interface{})["enforce_token"].(bool), + enabled := kciaipList[0].(map[string]interface{})["enabled"].(bool) + create_root_key := kciaipList[0].(map[string]interface{})["create_root_key"].(bool) + create_standard_key := kciaipList[0].(map[string]interface{})["create_standard_key"].(bool) + import_root_key := kciaipList[0].(map[string]interface{})["import_root_key"].(bool) + import_standard_key := kciaipList[0].(map[string]interface{})["import_standard_key"].(bool) + enforce_token := kciaipList[0].(map[string]interface{})["enforce_token"].(bool) + + // we must make sure not to attempt any updates on attributes when enabled is false or face input validation errors + if enabled { + mulPolicy.KeyCreateImportAccess = &kp.KeyCreateImportAccessInstancePolicy{ + Enabled: enabled, + Attributes: &kp.KeyCreateImportAccessInstancePolicyAttributes{ + CreateRootKey: &create_root_key, + CreateStandardKey: &create_standard_key, + ImportRootKey: &import_root_key, + ImportStandardKey: &import_standard_key, + EnforceToken: &enforce_token, + }, + } + } else { + mulPolicy.KeyCreateImportAccess = &kp.KeyCreateImportAccessInstancePolicy{ + Enabled: enabled, + Attributes: nil, + } } } } 
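Review bot: The new `else` branch silently discards whatever the user set for `create_root_key`, `import_root_key` and the other attributes once `enabled` is false, which fails open: a config like `enabled = false, import_root_key = false` reads to the operator as "imports forbidden" but applies as "no restriction at all", and nothing in plan or apply says so (the docs hunk in this commit only warns about drift). Rather than ignoring the input, reject it through the function's existing error path, e.g. `if !enabled && (create_root_key || create_standard_key || import_root_key || import_standard_key || enforce_token) { return /* error */ "key_create_import_access attributes cannot be set when enabled is false" }`; because the `.(bool)` assertions collapse an unset attribute to `false`, catching an explicit `false` as well would need `d.GetRawConfig()` to test for presence, or a `CustomizeDiff` on the resource. Separately, the six new locals are snake_case (`create_root_key`) where Go convention and the surrounding code (`kciaipList`) use MixedCaps (`createRootKey`). policyCreateOrUpdate's signature and return type are outside the hunk, so the exact error constructor to use is not visible here.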
diff --git a/website/docs/r/kms_instance_policies.html.markdown b/website/docs/r/kms_instance_policies.html.markdown index 277edfea42e..314b70f4557 100644 --- a/website/docs/r/kms_instance_policies.html.markdown +++ b/website/docs/r/kms_instance_policies.html.markdown @@ -40,14 +40,30 @@ resource "ibm_kms_instance_policies" "instance_policy" { enabled = true } key_create_import_access { - enable = true + enabled = true } } ``` **NOTE** -- To create an instance policy, atleast one of the policy block as mentioned in the argument section is mandatory. +- When setting `enabled=false`, you must not specify any other attributes for that policy. The below is an example of an invalid setting + +```terraform + key_create_import_access { + enabled = false + import_root_key = false + } +``` + +The extra attributes will be ignored and will not be updated, this can also cause state drift. Users are advised to only use the `enabled` attribute when disabling a policy + +```terraform + key_create_import_access { + enabled = false + } +``` + - Policies `allowedIP` and `allowedNetwork` are not supported by instance_policies resource, and can be set using Context Based Restrictions (CBR). ## Argument reference