Cloudera Docs

IAM Role permissions for working with SSE-KMS

All IAM roles which need to read data encrypted with SSE-KMS must have the permissions to decrypt using the specific key the data was encrypted with: kms:Decrypt

All IAM roles which need to both read and write data need the encrypt and decrypt permissions (encrypt-only permission is not supported). 

kms:Decrypt
kms:GenerateDatakey
If a role does not have the permissions to read data, it will fail with an java.nio.AccessDeniedException.