IAM Role permissions for working with SSE-KMS
All IAM roles which need to read data encrypted with SSE-KMS must have the permissions to decrypt using the specific key the data was encrypted with:
kms:Decrypt
All IAM roles which need to both read and write data need the encrypt and decrypt permissions (that is: encrypt-only permission is not supported).
kms:Decrypt
kms:GenerateDataKey
If a role does not have the permissions to read data, it will fail with a `java.nio.file.AccessDeniedException`. Note: renaming files requires the permission to decrypt the data, as it is decrypted and then re-encrypted as it is copied. See AWS KMS API Permissions: Actions and Resources Reference for more details on KMS permissions.
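The rules above can be checked offline against a role's identity policy document before a job fails at runtime. The following is an added example, not part of the original documentation: the function names, key ARNs and sample policies are constructed, and the evaluation is simplified (it ignores Condition, NotAction/NotResource, key policies and grants).

```python
import fnmatch

# Actions each access mode needs on the key, as listed above.
REQUIRED = {"read": {"kms:Decrypt"},
            "read-write": {"kms:Decrypt", "kms:GenerateDataKey"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_actions(policy, key_arn):
    """Required KMS actions the identity policy allows on key_arn."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction/NotResource statements are not evaluated here
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt["Resource"])):
            continue  # statement is scoped to a different key
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        for action in REQUIRED["read-write"]:
            # IAM action names are case-insensitive and may use * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return allowed - denied  # an explicit Deny overrides any Allow

def access_mode(policy, key_arn):
    granted = granted_actions(policy, key_arn)
    for mode in ("read-write", "read"):
        if REQUIRED[mode] <= granted:
            return mode
    return "none"  # includes encrypt-only: GenerateDataKey without Decrypt

# Constructed sample data: placeholder key ARNs and candidate policies.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"

def _allow(actions, resource):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}

READ_ONLY = _allow("kms:Decrypt", KEY)
READ_WRITE = _allow(["kms:Decrypt", "kms:GenerateDataKey"], KEY)
ENCRYPT_ONLY = _allow("kms:GenerateDataKey", KEY)
WRONG_KEY = _allow("kms:*", OTHER)

if __name__ == "__main__":
    for name in ("READ_ONLY", "READ_WRITE", "ENCRYPT_ONLY", "WRONG_KEY"):
        print(name, "->", access_mode(globals()[name], KEY))
```

A result of "none" for a role that is expected to read the data predicts the access-denied failure described above.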