diff --git a/.changelog/21969.txt b/.changelog/21969.txt
new file mode 100644
index 00000000000..595760cf968
--- /dev/null
+++ b/.changelog/21969.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_kms_key: Fix order-related diffs in `policy`
+```
\ No newline at end of file
diff --git a/internal/service/kms/key.go b/internal/service/kms/key.go
index 510f541fe88..232b36966d4 100644
--- a/internal/service/kms/key.go
+++ b/internal/service/kms/key.go
@@ -199,7 +199,14 @@ func resourceKeyRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("key_id", key.metadata.KeyId)
 	d.Set("key_usage", key.metadata.KeyUsage)
 	d.Set("multi_region", key.metadata.MultiRegion)
-	d.Set("policy", key.policy)
+
+	policyToSet, err := verify.SecondJSONUnlessEquivalent(d.Get("policy").(string), key.policy)
+
+	if err != nil {
+		return fmt.Errorf("while setting policy (%s), encountered: %w", key.policy, err)
+	}
+
+	d.Set("policy", policyToSet)
 
 	tags := key.tags.IgnoreAWS().IgnoreConfig(ignoreTagsConfig)
 
diff --git a/internal/service/kms/key_test.go b/internal/service/kms/key_test.go
index 3522deb2bf4..a6aa15814fb 100644
--- a/internal/service/kms/key_test.go
+++ b/internal/service/kms/key_test.go
@@ -121,11 +121,11 @@ func TestAccKMSKey_asymmetricKey(t *testing.T) {
 	})
 }
 
-func TestAccKMSKey_policy(t *testing.T) {
+func TestAccKMSKey_Policy_basic(t *testing.T) {
 	var key kms.KeyMetadata
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_key.test"
-	expectedPolicyText := `{"Version":"2012-10-17","Id":"kms-tf-1","Statement":[{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"*"},"Action":"kms:*","Resource":"*"}]}`
+	expectedPolicyText := fmt.Sprintf(`{"Version":"2012-10-17","Id":%[1]q,"Statement":[{"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"*"},"Action":"kms:*","Resource":"*"}]}`, rName)
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { acctest.PreCheck(t) },
@@ -156,7 +156,7 @@ func TestAccKMSKey_policy(t *testing.T) {
 	})
 }
 
-func TestAccKMSKey_policyBypass(t *testing.T) {
+func TestAccKMSKey_Policy_bypass(t *testing.T) {
 	var key kms.KeyMetadata
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_key.test"
@@ -188,7 +188,7 @@ func TestAccKMSKey_policyBypass(t *testing.T) {
 	})
 }
 
-func TestAccKMSKey_policyBypassUpdate(t *testing.T) {
+func TestAccKMSKey_Policy_bypassUpdate(t *testing.T) {
 	var before, after kms.KeyMetadata
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
 	resourceName := "aws_kms_key.test"
@@ -244,6 +244,49 @@ func TestAccKMSKey_Policy_iamRole(t *testing.T) {
 	})
 }
 
+// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/11801
+func TestAccKMSKey_Policy_iamRoleOrder(t *testing.T) {
+	var key kms.KeyMetadata
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_kms_key.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.PreCheck(t) },
+		ErrorCheck:   acctest.ErrorCheck(t, kms.EndpointsID),
+		Providers:    acctest.Providers,
+		CheckDestroy: testAccCheckKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKeyPolicyIAMMultiRoleConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckKeyExists(resourceName, &key),
+				),
+			},
+			{
+				Config: testAccKeyPolicyIAMMultiRoleConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckKeyExists(resourceName, &key),
+				),
+				PlanOnly: true,
+			},
+			{
+				Config: testAccKeyPolicyIAMMultiRoleConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckKeyExists(resourceName, &key),
+				),
+				PlanOnly: true,
+			},
+			{
+				Config: testAccKeyPolicyIAMMultiRoleConfig(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckKeyExists(resourceName, &key),
+				),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 // Reference: https://github.com/hashicorp/terraform-provider-aws/issues/7646
 func TestAccKMSKey_Policy_iamServiceLinkedRole(t *testing.T) {
 	var key kms.KeyMetadata
@@ -495,23 +538,19 @@ resource "aws_kms_key" "test" {
   description             = %[1]q
   deletion_window_in_days = 7
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "kms-tf-1",
-  "Statement": [
-    {
-      "Sid": "Enable IAM User Permissions",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": "kms:*",
-      "Resource": "*"
-    }
-  ]
-}
-POLICY
+  policy = jsonencode({
+    Id = %[1]q
+    Statement = [{
+      Sid    = "Enable IAM User Permissions"
+      Effect = "Allow"
+      Principal = {
+        AWS = "*"
+      }
+      Action   = "kms:*"
+      Resource = "*"
+    }]
+    Version = "2012-10-17"
+  })
 }
 `, rName)
 }
@@ -526,32 +565,30 @@ resource "aws_kms_key" "test" {
 
   bypass_policy_lockout_safety_check = %[2]t
 
-  policy = <<-POLICY
-    {
-      "Version": "2012-10-17",
-      "Id": "kms-tf-1",
-      "Statement": [
-        {
-          "Sid": "Enable IAM User Permissions",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "${data.aws_caller_identity.current.arn}"
-          },
-          "Action": [
-            "kms:CreateKey",
-            "kms:DescribeKey",
-            "kms:ScheduleKeyDeletion",
-            "kms:Describe*",
-            "kms:Get*",
-            "kms:List*",
-            "kms:TagResource",
-            "kms:UntagResource"
-          ],
-          "Resource": "*"
+  policy = jsonencode({
+    Id = %[1]q
+    Statement = [
+      {
+        Action = [
+          "kms:CreateKey",
+          "kms:DescribeKey",
+          "kms:ScheduleKeyDeletion",
+          "kms:Describe*",
+          "kms:Get*",
+          "kms:List*",
+          "kms:TagResource",
+          "kms:UntagResource",
+        ]
+        Effect = "Allow"
+        Principal = {
+          AWS = data.aws_caller_identity.current.arn
         }
-      ]
-    }
-  POLICY
+        Resource = "*"
+        Sid      = "Enable IAM User Permissions"
+      },
+    ]
+    Version = "2012-10-17"
+  })
 }
 `, rName, bypassFlag)
 }
@@ -580,7 +617,7 @@ resource "aws_kms_key" "test" {
   deletion_window_in_days = 7
 
   policy = jsonencode({
-    Id = "kms-tf-1"
+    Id = %[1]q
     Statement = [
       {
         Action = "kms:*"
@@ -602,7 +639,7 @@ resource "aws_kms_key" "test" {
         ]
         Effect = "Allow"
         Principal = {
-          AWS = [aws_iam_role.test.arn]
+          AWS = aws_iam_role.test.arn
         }
 
         Resource = "*"
@@ -615,6 +652,131 @@ resource "aws_kms_key" "test" {
 `, rName)
 }
 
+func testAccKeyPolicyIAMMultiRoleConfig(rName string) string {
+	return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "test1" {
+  name = "%[1]s-sultan"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.${data.aws_partition.current.dns_suffix}"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role" "test2" {
+  name = "%[1]s-shepard"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.${data.aws_partition.current.dns_suffix}"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role" "test3" {
+  name = "%[1]s-tritonal"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.${data.aws_partition.current.dns_suffix}"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role" "test4" {
+  name = "%[1]s-artlec"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.${data.aws_partition.current.dns_suffix}"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role" "test5" {
+  name = "%[1]s-cazzette"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.${data.aws_partition.current.dns_suffix}"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+data "aws_iam_policy_document" "test" {
+  policy_id = %[1]q
+  statement {
+    actions = [
+      "kms:*",
+    ]
+    effect = "Allow"
+    principals {
+      identifiers = ["*"]
+      type        = "AWS"
+    }
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+    effect = "Allow"
+    principals {
+      identifiers = [
+        aws_iam_role.test2.arn,
+        aws_iam_role.test1.arn,
+        aws_iam_role.test4.arn,
+        aws_iam_role.test3.arn,
+        aws_iam_role.test5.arn,
+      ]
+      type = "AWS"
+    }
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_key" "test" {
+  description             = %[1]q
+  deletion_window_in_days = 7
+
+  policy = data.aws_iam_policy_document.test.json
+}
+`, rName)
+}
+
 func testAccKeyPolicyIAMServiceLinkedRoleConfig(rName string) string {
 	return fmt.Sprintf(`
 data "aws_partition" "current" {}
@@ -629,7 +791,7 @@ resource "aws_kms_key" "test" {
   deletion_window_in_days = 7
 
   policy = jsonencode({
-    Id = "kms-tf-1"
+    Id = %[1]q
     Statement = [
       {
         Action = "kms:*"
@@ -651,7 +813,7 @@ resource "aws_kms_key" "test" {
         ]
         Effect = "Allow"
         Principal = {
-          AWS = [aws_iam_service_linked_role.test.arn]
+          AWS = aws_iam_service_linked_role.test.arn
         }
 
         Resource = "*"
diff --git a/internal/verify/diff.go b/internal/verify/diff.go
index 93ae8e1f09e..b9085768184 100644
--- a/internal/verify/diff.go
+++ b/internal/verify/diff.go
@@ -1,19 +1,17 @@
 package verify
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
-	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
 	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
-	awspolicy "github.com/jen20/awspolicyequivalence"
 )
 
+// Find JSON diff functions in the json.go file.
+
 // SetTagsDiff sets the new plan difference with the result of
 // merging resource tags on to those defined at the provider-level;
 // returns an error if unsuccessful or if the resource tags are identical
@@ -55,15 +53,6 @@ func SetTagsDiff(_ context.Context, diff *schema.ResourceDiff, meta interface{})
 	return nil
 }
 
-func SuppressEquivalentPolicyDiffs(k, old, new string, d *schema.ResourceData) bool {
-	equivalent, err := awspolicy.PoliciesAreEquivalent(old, new)
-	if err != nil {
-		return false
-	}
-
-	return equivalent
-}
-
 // SuppressEquivalentTypeStringBoolean provides custom difference suppression for TypeString booleans
 // Some arguments require three values: true, false, and "" (unspecified), but
 // confusing behavior exists when converting bare true/false values with state.
@@ -85,38 +74,6 @@ func SuppressMissingOptionalConfigurationBlock(k, old, new string, d *schema.Res
 	return old == "1" && new == "0"
 }
 
-func SuppressEquivalentJSONDiffs(k, old, new string, d *schema.ResourceData) bool {
-	ob := bytes.NewBufferString("")
-	if err := json.Compact(ob, []byte(old)); err != nil {
-		return false
-	}
-
-	nb := bytes.NewBufferString("")
-	if err := json.Compact(nb, []byte(new)); err != nil {
-		return false
-	}
-
-	return JSONBytesEqual(ob.Bytes(), nb.Bytes())
-}
-
-func SuppressEquivalentJSONOrYAMLDiffs(k, old, new string, d *schema.ResourceData) bool {
-	normalizedOld, err := NormalizeJSONOrYAMLString(old)
-
-	if err != nil {
-		log.Printf("[WARN] Unable to normalize Terraform state CloudFormation template body: %s", err)
-		return false
-	}
-
-	normalizedNew, err := NormalizeJSONOrYAMLString(new)
-
-	if err != nil {
-		log.Printf("[WARN] Unable to normalize Terraform configuration CloudFormation template body: %s", err)
-		return false
-	}
-
-	return normalizedOld == normalizedNew
-}
-
 // DiffStringMaps returns the set of keys and values that must be created, the set of keys
 // and values that must be destroyed, and the set of keys and values that are unchanged.
 func DiffStringMaps(oldMap, newMap map[string]interface{}) (map[string]*string, map[string]*string, map[string]*string) {
diff --git a/internal/verify/diff_test.go b/internal/verify/diff_test.go
index 466d0c201ee..0ae32f231dc 100644
--- a/internal/verify/diff_test.go
+++ b/internal/verify/diff_test.go
@@ -3,34 +3,8 @@ package verify
 import (
 	"reflect"
 	"testing"
-
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-func TestSuppressEquivalentJSONDiffsWhitespaceAndNoWhitespace(t *testing.T) {
-	d := new(schema.ResourceData)
-
-	noWhitespace := `{"test":"test"}`
-	whitespace := `
-{
-  "test": "test"
-}`
-
-	if !SuppressEquivalentJSONDiffs("", noWhitespace, whitespace, d) {
-		t.Errorf("Expected SuppressEquivalentJSONDiffs to return true for %s == %s", noWhitespace, whitespace)
-	}
-
-	noWhitespaceDiff := `{"test":"test"}`
-	whitespaceDiff := `
-{
-  "test": "tested"
-}`
-
-	if SuppressEquivalentJSONDiffs("", noWhitespaceDiff, whitespaceDiff, d) {
-		t.Errorf("Expected SuppressEquivalentJSONDiffs to return false for %s == %s", noWhitespaceDiff, whitespaceDiff)
-	}
-}
-
 func TestSuppressEquivalentTypeStringBoolean(t *testing.T) {
 	testCases := []struct {
 		old        string
@@ -72,200 +46,6 @@ func TestSuppressEquivalentTypeStringBoolean(t *testing.T) {
 	}
 }
 
-func TestSuppressEquivalentJSONOrYAMLDiffs(t *testing.T) {
-	testCases := []struct {
-		description string
-		equivalent  bool
-		old         string
-		new         string
-	}{
-		{
-			description: `JSON no change`,
-			equivalent:  true,
-			old: `
-{
-   "Resources": {
-      "TestVpc": {
-         "Type": "AWS::EC2::VPC",
-         "Properties": {
-            "CidrBlock": "10.0.0.0/16"
-         }
-      }
-   },
-   "Outputs": {
-      "TestVpcID": {
-         "Value": { "Ref" : "TestVpc" }
-      }
-   }
-}
-`,
-			new: `
-{
-   "Resources": {
-      "TestVpc": {
-         "Type": "AWS::EC2::VPC",
-         "Properties": {
-            "CidrBlock": "10.0.0.0/16"
-         }
-      }
-   },
-   "Outputs": {
-      "TestVpcID": {
-         "Value": { "Ref" : "TestVpc" }
-      }
-   }
-}
-`,
-		},
-		{
-			description: `JSON whitespace`,
-			equivalent:  true,
-			old:         `{"Resources":{"TestVpc":{"Type":"AWS::EC2::VPC","Properties":{"CidrBlock":"10.0.0.0/16"}}},"Outputs":{"TestVpcID":{"Value":{"Ref":"TestVpc"}}}}`,
-			new: `
-{
-   "Resources": {
-      "TestVpc": {
-         "Type": "AWS::EC2::VPC",
-         "Properties": {
-            "CidrBlock": "10.0.0.0/16"
-         }
-      }
-   },
-   "Outputs": {
-      "TestVpcID": {
-         "Value": { "Ref" : "TestVpc" }
-      }
-   }
-}
-`,
-		},
-		{
-			description: `JSON change`,
-			equivalent:  false,
-			old: `
-{
-   "Resources": {
-      "TestVpc": {
-         "Type": "AWS::EC2::VPC",
-         "Properties": {
-            "CidrBlock": "10.0.0.0/16"
-         }
-      }
-   },
-   "Outputs": {
-      "TestVpcID": {
-         "Value": { "Ref" : "TestVpc" }
-      }
-   }
-}
-`,
-			new: `
-{
-   "Resources": {
-      "TestVpc": {
-         "Type": "AWS::EC2::VPC",
-         "Properties": {
-            "CidrBlock": "172.16.0.0/16"
-         }
-      }
-   },
-   "Outputs": {
-      "TestVpcID": {
-         "Value": { "Ref" : "TestVpc" }
-      }
-   }
-}
-`,
-		},
-		{
-			description: `YAML no change`,
-			equivalent:  true,
-			old: `
-Resources:
-  TestVpc:
-    Type: AWS::EC2::VPC
-    Properties:
-      CidrBlock: 10.0.0.0/16
-Outputs:
-  TestVpcID:
-    Value: !Ref TestVpc
-`,
-			new: `
-Resources:
-  TestVpc:
-    Type: AWS::EC2::VPC
-    Properties:
-      CidrBlock: 10.0.0.0/16
-Outputs:
-  TestVpcID:
-    Value: !Ref TestVpc
-`,
-		},
-		{
-			description: `YAML whitespace`,
-			equivalent:  false,
-			old: `
-Resources:
-  TestVpc:
-    Type: AWS::EC2::VPC
-    Properties:
-      CidrBlock: 10.0.0.0/16
-
-Outputs:
-  TestVpcID:
-    Value: !Ref TestVpc
-
-`,
-			new: `
-Resources:
-  TestVpc:
-    Type: AWS::EC2::VPC
-    Properties:
-      CidrBlock: 10.0.0.0/16
-Outputs:
-  TestVpcID:
-    Value: !Ref TestVpc
-`,
-		},
-		{
-			description: `YAML change`,
-			equivalent:  false,
-			old: `
-Resources:
-  TestVpc:
-    Type: AWS::EC2::VPC
-    Properties:
-      CidrBlock: 172.16.0.0/16
-Outputs:
-  TestVpcID:
-    Value: !Ref TestVpc
-`,
-			new: `
-Resources:
-  TestVpc:
-    Type: AWS::EC2::VPC
-    Properties:
-      CidrBlock: 10.0.0.0/16
-Outputs:
-  TestVpcID:
-    Value: !Ref TestVpc
-`,
-		},
-	}
-
-	for _, tc := range testCases {
-		value := SuppressEquivalentJSONOrYAMLDiffs("test_property", tc.old, tc.new, nil)
-
-		if tc.equivalent && !value {
-			t.Fatalf("expected test case (%s) to be equivalent", tc.description)
-		}
-
-		if !tc.equivalent && value {
-			t.Fatalf("expected test case (%s) to not be equivalent", tc.description)
-		}
-	}
-}
-
 func TestDiffStringMaps(t *testing.T) {
 	cases := []struct {
 		Old, New                  map[string]interface{}
diff --git a/internal/verify/json.go b/internal/verify/json.go
index 9980b39fda9..9dda71dafe0 100644
--- a/internal/verify/json.go
+++ b/internal/verify/json.go
@@ -1,12 +1,67 @@
 package verify
 
 import (
+	"bytes"
 	"encoding/json"
+	"log"
 	"reflect"
 	"regexp"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure"
+	awspolicy "github.com/jen20/awspolicyequivalence"
 )
 
-func looksLikeJsonString(s interface{}) bool {
+func SuppressEquivalentPolicyDiffs(k, old, new string, d *schema.ResourceData) bool {
+	equivalent, err := awspolicy.PoliciesAreEquivalent(old, new)
+	if err != nil {
+		return false
+	}
+
+	return equivalent
+}
+
+func SuppressEquivalentJSONDiffs(k, old, new string, d *schema.ResourceData) bool {
+	ob := bytes.NewBufferString("")
+	if err := json.Compact(ob, []byte(old)); err != nil {
+		return false
+	}
+
+	nb := bytes.NewBufferString("")
+	if err := json.Compact(nb, []byte(new)); err != nil {
+		return false
+	}
+
+	return JSONBytesEqual(ob.Bytes(), nb.Bytes())
+}
+
+func SuppressEquivalentJSONOrYAMLDiffs(k, old, new string, d *schema.ResourceData) bool {
+	normalizedOld, err := NormalizeJSONOrYAMLString(old)
+
+	if err != nil {
+		log.Printf("[WARN] Unable to normalize Terraform state CloudFormation template body: %s", err)
+		return false
+	}
+
+	normalizedNew, err := NormalizeJSONOrYAMLString(new)
+
+	if err != nil {
+		log.Printf("[WARN] Unable to normalize Terraform configuration CloudFormation template body: %s", err)
+		return false
+	}
+
+	return normalizedOld == normalizedNew
+}
+
+func NormalizeJSONOrYAMLString(templateString interface{}) (string, error) {
+	if looksLikeJSONString(templateString) {
+		return structure.NormalizeJsonString(templateString.(string))
+	}
+
+	return checkYAMLString(templateString)
+}
+
+func looksLikeJSONString(s interface{}) bool {
 	return regexp.MustCompile(`^\s*{`).MatchString(s.(string))
 }
 
@@ -23,3 +78,23 @@ func JSONBytesEqual(b1, b2 []byte) bool {
 
 	return reflect.DeepEqual(o1, o2)
 }
+
+func SecondJSONUnlessEquivalent(old, new string) (string, error) {
+	// valid empty JSON is "{}" not "" so handle special case to avoid
+	// Error unmarshaling policy: unexpected end of JSON input
+	if old == "" || new == "" {
+		return new, nil
+	}
+
+	equivalent, err := awspolicy.PoliciesAreEquivalent(old, new)
+
+	if err != nil {
+		return "", err
+	}
+
+	if equivalent {
+		return old, nil
+	}
+
+	return new, nil
+}
diff --git a/internal/verify/json_test.go b/internal/verify/json_test.go
index 5f11bbbf209..a8f5c3851c3 100644
--- a/internal/verify/json_test.go
+++ b/internal/verify/json_test.go
@@ -2,16 +2,18 @@ package verify
 
 import (
 	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
 func TestLooksLikeJsonString(t *testing.T) {
 	looksLikeJson := ` {"abc":"1"} `
 	doesNotLookLikeJson := `abc: 1`
 
-	if !looksLikeJsonString(looksLikeJson) {
+	if !looksLikeJSONString(looksLikeJson) {
 		t.Errorf("Expected looksLikeJson to return true for %s", looksLikeJson)
 	}
-	if looksLikeJsonString(doesNotLookLikeJson) {
+	if looksLikeJSONString(doesNotLookLikeJson) {
 		t.Errorf("Expected looksLikeJson to return false for %s", doesNotLookLikeJson)
 	}
 }
@@ -53,3 +55,547 @@ func TestJsonBytesEqualWhitespaceAndNoWhitespace(t *testing.T) {
 		t.Errorf("Expected JSONBytesEqual to return false for %s == %s", noWhitespaceDiff, whitespaceDiff)
 	}
 }
+
+func TestSecondJSONUnlessEquivalent(t *testing.T) {
+	testCases := []struct {
+		name      string
+		oldPolicy string
+		newPolicy string
+		want      string
+	}{
+		{
+			name: "new in random order",
+			oldPolicy: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/felixjaehn",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/kidnap",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/tinlicker"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*",
+        "kms:Get*",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+			newPolicy: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/tinlicker",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/kidnap",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/felixjaehn"
+        ]
+      },
+      "Action": [
+        "kms:DescribeKey",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource",
+        "kms:CreateKey",
+        "kms:Get*",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+			want: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/felixjaehn",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/kidnap",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/tinlicker"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*",
+        "kms:Get*",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+		},
+		{
+			name: "actual change",
+			oldPolicy: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/felixjaehn",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/kidnap",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/tinlicker"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*",
+        "kms:Get*",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+			newPolicy: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/tinlicker",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/felixjaehn"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:Describe*",
+        "kms:List*",
+        "kms:ScheduleKeyDeletion",
+        "kms:Get*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+			want: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/tinlicker",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/felixjaehn"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:Describe*",
+        "kms:List*",
+        "kms:ScheduleKeyDeletion",
+        "kms:Get*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+		},
+		{
+			name:      "empty old",
+			oldPolicy: "",
+			newPolicy: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/tinlicker",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/felixjaehn"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*",
+        "kms:Get*",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+			want: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/tinlicker",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/felixjaehn"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*",
+        "kms:Get*",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+		},
+		{
+			name: "empty new",
+			oldPolicy: `{
+  "Version": "2012-10-17",
+  "Id": "kms-tf-1",
+  "Statement": [
+    {
+      "Sid": "Enable IAM User Permissions",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::012345678901:role/tinlicker",
+          "arn:aws:iam::012345678901:role/paulvandyk",
+          "arn:aws:iam::012345678901:role/garethemery",
+          "arn:aws:iam::012345678901:role/felixjaehn"
+        ]
+      },
+      "Action": [
+        "kms:CreateKey",
+        "kms:DescribeKey",
+        "kms:ScheduleKeyDeletion",
+        "kms:Describe*",
+        "kms:Get*",
+        "kms:List*",
+        "kms:TagResource",
+        "kms:UntagResource"
+      ],
+      "Resource": "*"
+    }
+  ]
+}`,
+			newPolicy: "",
+			want:      "",
+		},
+	}
+
+	for _, v := range testCases {
+		got, err := SecondJSONUnlessEquivalent(v.oldPolicy, v.newPolicy)
+
+		if err != nil {
+			t.Fatalf("unexpected error with test case %s: %s", v.name, err)
+		}
+
+		if got != v.want {
+			t.Fatalf("for test case %s, got %s, wanted %s", v.name, got, v.want)
+		}
+	}
+}
+
+func TestNormalizeJSONOrYAMLString(t *testing.T) {
+	var err error
+	var actual string
+
+	validNormalizedJson := `{"abc":"1"}`
+	actual, err = NormalizeJSONOrYAMLString(validNormalizedJson)
+	if err != nil {
+		t.Fatalf("Expected not to throw an error while parsing template, but got: %s", err)
+	}
+	if actual != validNormalizedJson {
+		t.Fatalf("Got:\n\n%s\n\nExpected:\n\n%s\n", actual, validNormalizedJson)
+	}
+
+	validNormalizedYaml := `abc: 1
+`
+	actual, err = NormalizeJSONOrYAMLString(validNormalizedYaml)
+	if err != nil {
+		t.Fatalf("Expected not to throw an error while parsing template, but got: %s", err)
+	}
+	if actual != validNormalizedYaml {
+		t.Fatalf("Got:\n\n%s\n\nExpected:\n\n%s\n", actual, validNormalizedYaml)
+	}
+}
+
+func TestSuppressEquivalentJSONDiffsWhitespaceAndNoWhitespace(t *testing.T) {
+	d := new(schema.ResourceData)
+
+	noWhitespace := `{"test":"test"}`
+	whitespace := `
+{
+  "test": "test"
+}`
+
+	if !SuppressEquivalentJSONDiffs("", noWhitespace, whitespace, d) {
+		t.Errorf("Expected SuppressEquivalentJSONDiffs to return true for %s == %s", noWhitespace, whitespace)
+	}
+
+	noWhitespaceDiff := `{"test":"test"}`
+	whitespaceDiff := `
+{
+  "test": "tested"
+}`
+
+	if SuppressEquivalentJSONDiffs("", noWhitespaceDiff, whitespaceDiff, d) {
+		t.Errorf("Expected SuppressEquivalentJSONDiffs to return false for %s == %s", noWhitespaceDiff, whitespaceDiff)
+	}
+}
+
+func TestSuppressEquivalentJSONOrYAMLDiffs(t *testing.T) {
+	testCases := []struct {
+		description string
+		equivalent  bool
+		old         string
+		new         string
+	}{
+		{
+			description: `JSON no change`,
+			equivalent:  true,
+			old: `
+{
+   "Resources": {
+      "TestVpc": {
+         "Type": "AWS::EC2::VPC",
+         "Properties": {
+            "CidrBlock": "10.0.0.0/16"
+         }
+      }
+   },
+   "Outputs": {
+      "TestVpcID": {
+         "Value": { "Ref" : "TestVpc" }
+      }
+   }
+}
+`,
+			new: `
+{
+   "Resources": {
+      "TestVpc": {
+         "Type": "AWS::EC2::VPC",
+         "Properties": {
+            "CidrBlock": "10.0.0.0/16"
+         }
+      }
+   },
+   "Outputs": {
+      "TestVpcID": {
+         "Value": { "Ref" : "TestVpc" }
+      }
+   }
+}
+`,
+		},
+		{
+			description: `JSON whitespace`,
+			equivalent:  true,
+			old:         `{"Resources":{"TestVpc":{"Type":"AWS::EC2::VPC","Properties":{"CidrBlock":"10.0.0.0/16"}}},"Outputs":{"TestVpcID":{"Value":{"Ref":"TestVpc"}}}}`,
+			new: `
+{
+   "Resources": {
+      "TestVpc": {
+         "Type": "AWS::EC2::VPC",
+         "Properties": {
+            "CidrBlock": "10.0.0.0/16"
+         }
+      }
+   },
+   "Outputs": {
+      "TestVpcID": {
+         "Value": { "Ref" : "TestVpc" }
+      }
+   }
+}
+`,
+		},
+		{
+			description: `JSON change`,
+			equivalent:  false,
+			old: `
+{
+   "Resources": {
+      "TestVpc": {
+         "Type": "AWS::EC2::VPC",
+         "Properties": {
+            "CidrBlock": "10.0.0.0/16"
+         }
+      }
+   },
+   "Outputs": {
+      "TestVpcID": {
+         "Value": { "Ref" : "TestVpc" }
+      }
+   }
+}
+`,
+			new: `
+{
+   "Resources": {
+      "TestVpc": {
+         "Type": "AWS::EC2::VPC",
+         "Properties": {
+            "CidrBlock": "172.16.0.0/16"
+         }
+      }
+   },
+   "Outputs": {
+      "TestVpcID": {
+         "Value": { "Ref" : "TestVpc" }
+      }
+   }
+}
+`,
+		},
+		{
+			description: `YAML no change`,
+			equivalent:  true,
+			old: `
+Resources:
+  TestVpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+Outputs:
+  TestVpcID:
+    Value: !Ref TestVpc
+`,
+			new: `
+Resources:
+  TestVpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+Outputs:
+  TestVpcID:
+    Value: !Ref TestVpc
+`,
+		},
+		{
+			description: `YAML whitespace`,
+			equivalent:  false,
+			old: `
+Resources:
+  TestVpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+
+Outputs:
+  TestVpcID:
+    Value: !Ref TestVpc
+
+`,
+			new: `
+Resources:
+  TestVpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+Outputs:
+  TestVpcID:
+    Value: !Ref TestVpc
+`,
+		},
+		{
+			description: `YAML change`,
+			equivalent:  false,
+			old: `
+Resources:
+  TestVpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 172.16.0.0/16
+Outputs:
+  TestVpcID:
+    Value: !Ref TestVpc
+`,
+			new: `
+Resources:
+  TestVpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+Outputs:
+  TestVpcID:
+    Value: !Ref TestVpc
+`,
+		},
+	}
+
+	for _, tc := range testCases {
+		value := SuppressEquivalentJSONOrYAMLDiffs("test_property", tc.old, tc.new, nil)
+
+		if tc.equivalent && !value {
+			t.Fatalf("expected test case (%s) to be equivalent", tc.description)
+		}
+
+		if !tc.equivalent && value {
+			t.Fatalf("expected test case (%s) to not be equivalent", tc.description)
+		}
+	}
+}
diff --git a/internal/verify/validate.go b/internal/verify/validate.go
index 8d9d01b16b9..2b3ecb552b4 100644
--- a/internal/verify/validate.go
+++ b/internal/verify/validate.go
@@ -230,7 +230,7 @@ func ValidOnceAWeekWindowFormat(v interface{}, k string) (ws []string, errors []
 }
 
 func ValidStringIsJSONOrYAML(v interface{}, k string) (ws []string, errors []error) {
-	if looksLikeJsonString(v) {
+	if looksLikeJSONString(v) {
 		if _, err := structure.NormalizeJsonString(v); err != nil {
 			errors = append(errors, fmt.Errorf("%q contains an invalid JSON: %s", k, err))
 		}
diff --git a/internal/verify/verify.go b/internal/verify/verify.go
index c45f6155dac..3e10b39f4b3 100644
--- a/internal/verify/verify.go
+++ b/internal/verify/verify.go
@@ -1,7 +1,6 @@
 package verify
 
 import (
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure"
 	"gopkg.in/yaml.v2"
 )
 
@@ -17,14 +16,6 @@ func SliceContainsString(slice []interface{}, s string) (int, bool) {
 	return -1, false
 }
 
-func NormalizeJSONOrYAMLString(templateString interface{}) (string, error) {
-	if looksLikeJsonString(templateString) {
-		return structure.NormalizeJsonString(templateString.(string))
-	}
-
-	return checkYAMLString(templateString)
-}
-
 func PointersMapToStringList(pointers map[string]*string) map[string]interface{} {
 	list := make(map[string]interface{}, len(pointers))
 	for i, v := range pointers {
diff --git a/internal/verify/verify_test.go b/internal/verify/verify_test.go
index 9786ea2352b..7b465209564 100644
--- a/internal/verify/verify_test.go
+++ b/internal/verify/verify_test.go
@@ -4,30 +4,6 @@ import (
 	"testing"
 )
 
-func TestNormalizeJSONOrYAMLString(t *testing.T) {
-	var err error
-	var actual string
-
-	validNormalizedJson := `{"abc":"1"}`
-	actual, err = NormalizeJSONOrYAMLString(validNormalizedJson)
-	if err != nil {
-		t.Fatalf("Expected not to throw an error while parsing template, but got: %s", err)
-	}
-	if actual != validNormalizedJson {
-		t.Fatalf("Got:\n\n%s\n\nExpected:\n\n%s\n", actual, validNormalizedJson)
-	}
-
-	validNormalizedYaml := `abc: 1
-`
-	actual, err = NormalizeJSONOrYAMLString(validNormalizedYaml)
-	if err != nil {
-		t.Fatalf("Expected not to throw an error while parsing template, but got: %s", err)
-	}
-	if actual != validNormalizedYaml {
-		t.Fatalf("Got:\n\n%s\n\nExpected:\n\n%s\n", actual, validNormalizedYaml)
-	}
-}
-
 func TestCheckYAMLString(t *testing.T) {
 	var err error
 	var actual string