IAM Role permissions for working with SSE-KMS
All IAM roles which need to read data encrypted with SSE-KMS must have the
permissions to decrypt using the specific key the data was encrypted with:
kms:Decrypt
All IAM roles which need to both read and write data need the encrypt and decrypt permissions (encrypt-only permission is not supported).
kms:Decrypt kms:GenerateDatakey
If a role does not have the permissions to read data, it will fail with an
java.nio.AccessDeniedException
.