Unlike other operations, ReEncrypt is authorized twice, once as ReEncryptFrom on the source CMK and once as ReEncryptTo on the destination CMK. We recommend that you include the "kms:ReEncrypt*" permission in your key policies to permit reencryption from or to the CMK. This permission is automatically included in the key policy when you create a CMK through the console, but you must include it manually when you create a CMK programmatically or when you set a key policy with the PutKeyPolicy operation.
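
One way to check a key policy document for both ReEncrypt authorizations before passing it to PutKeyPolicy, as an added example that is not part of the original documentation. The function names, the sample policies, and the placeholder account ID and role are assumptions; the check reads only the Action element of Allow statements and does not evaluate Principal, Condition, Deny statements, IAM policies, or grants.

```python
import re

REENCRYPT_ACTIONS = ("kms:ReEncryptFrom", "kms:ReEncryptTo")

def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM action patterns: '*' is any run of characters, '?' is one; case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def missing_reencrypt_actions(policy):
    """Return the ReEncrypt authorizations that no Allow statement's Action covers."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in REENCRYPT_ACTIONS if _action_matches(pattern, a))
    return [a for a in REENCRYPT_ACTIONS if a not in granted]

def _policy(*actions):
    """Build a constructed one-statement key policy (placeholder account and role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAppRole"},
            "Action": list(actions),
            "Resource": "*",
        }],
    }

# Constructed sample policies, not taken from any real account.
HAND_WRITTEN = _policy("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey")
WITH_WILDCARD = _policy("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey")
SOURCE_ONLY = _policy("kms:Decrypt", "kms:ReEncryptFrom")

if __name__ == "__main__":
    for name, pol in [("hand-written", HAND_WRITTEN), ("wildcard", WITH_WILDCARD),
                      ("source-only", SOURCE_ONLY)]:
        print(name, "missing:", missing_reencrypt_actions(pol) or "none")
```

Run the check against the policy for both the source and the destination CMK, since each side is authorized separately.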