diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
index 9a0eb25e00..db20c9111e 100755
--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@@ -147,6 +147,9 @@ if [ -n "$TEST_ENCRYPTION" ]; then
     python -c "import pymongocrypt; print('libmongocrypt version: '+pymongocrypt.libmongocrypt_version())"
     # PATH is updated by PREPARE_SHELL for access to mongocryptd.
+    # Need aws dependency for On-Demand KMS Credentials.
+    python -m pip install '.[aws]'
+
     # Get access to the AWS temporary credentials:
     # CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
     . $DRIVERS_TOOLS/.evergreen/csfle/set-temp-creds.sh
diff --git a/README.rst b/README.rst
index 115085ac13..530829f957 100644
--- a/README.rst
+++ b/README.rst
@@ -130,7 +130,8 @@ Wire protocol compression with zstandard requires `zstandard
 $ python -m pip install "pymongo[zstd]"
 Client-Side Field Level Encryption requires `pymongocrypt
-`_::
+`_ and
+`pymongo-auth-aws `_::
 $ python -m pip install "pymongo[encryption]"
diff --git a/doc/examples/encryption.rst b/doc/examples/encryption.rst
index d7341b3ef4..72205ad119 100644
--- a/doc/examples/encryption.rst
+++ b/doc/examples/encryption.rst
@@ -23,9 +23,10 @@ Dependencies
 To get started using client-side field level encryption in your project,
 you will need to install the
-`pymongocrypt `_ library
+`pymongocrypt `_ and
+`pymongo-auth-aws `_ libraries
 as well as the driver itself. Install both the driver and a compatible
-version of pymongocrypt like this::
+version of the dependencies like this::
 $ python -m pip install 'pymongo[encryption]'
diff --git a/doc/installation.rst b/doc/installation.rst
index b02949335b..4810353f98 100644
--- a/doc/installation.rst
+++ b/doc/installation.rst
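Review bot: The added `python -m pip install '.[aws]'` now overlaps with the `encryption` extra, because this same commit makes `encryption` in setup.py include `aws_reqs`; if the part of run-tests.sh before this hunk already installs `.[encryption]` (not visible here), the line is redundant, and if it does not, the comment should say which install path it is covering. Either way the comment would be more useful as `# On-demand KMS credentials are resolved by pymongo-auth-aws, which the aws extra provides.` The enclosing `if [ -n "$TEST_ENCRYPTION" ]` block begins outside the hunk.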
@@ -70,7 +70,8 @@ Wire protocol compression with zstandard requires `zstandard
 $ python3 -m pip install "pymongo[zstd]"
 :ref:`Client-Side Field Level Encryption` requires `pymongocrypt
-`_::
+`_ and
+`pymongo-auth-aws `_::
 $ python3 -m pip install "pymongo[encryption]"
diff --git a/setup.py b/setup.py
index 52892e8507..6d1a711708 100755
--- a/setup.py
+++ b/setup.py
@@ -278,12 +278,14 @@ def build_extension(self, ext):
     # https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_default_verify_paths
     pyopenssl_reqs.append("certifi")
+aws_reqs = ["pymongo-auth-aws<2.0.0"]
+
 extras_require = {
-    "encryption": ["pymongocrypt>=1.3.0,<2.0.0"],
+    "encryption": ["pymongocrypt>=1.3.0,<2.0.0"] + aws_reqs,
     "ocsp": pyopenssl_reqs,
     "snappy": ["python-snappy"],
     "zstd": ["zstandard"],
-    "aws": ["pymongo-auth-aws<2.0.0"],
+    "aws": aws_reqs,
     "srv": [],  # PYTHON-3423 Removed in 4.3 but kept here to avoid pip warnings.
     "tls": [],  # PYTHON-2133 Removed in 4.0 but kept here to avoid pip warnings.
 }
diff --git a/test/test_encryption.py b/test/test_encryption.py
index 567d606893..6c54a90f7a 100644
--- a/test/test_encryption.py
+++ b/test/test_encryption.py
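Review bot: `aws_reqs` carries only an upper bound, so `pymongo[encryption]` can resolve to any pymongo-auth-aws release below 2.0.0, including ones that predate the on-demand credential support the new test_encryption.py tests and the run-tests.sh change depend on; pin the first release that supports it as a lower bound, `aws_reqs = ["pymongo-auth-aws>=<MIN_VERSION>,<2.0.0"]` (placeholder: fill in the actual minimum from the pymongo-auth-aws changelog). A one-line comment above it would also record why a non-AWS-auth extra now pulls in this package: `# Shared by the "aws" and "encryption" extras: CSFLE on-demand AWS KMS credentials are obtained through pymongo-auth-aws.` The `def build_extension` in the hunk header is only positional context; `extras_require` itself is module level.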
@@ -2304,6 +2304,37 @@ def run_test(self, src_provider, dst_provider):
         self.assertEqual(decrypt_result2, "test")
+# https://github.com/mongodb/specifications/blob/5cf3ed/source/client-side-encryption/tests/README.rst#on-demand-aws-credentials
+class TestOnDemandAWSCredentials(EncryptionIntegrationTest):
+    def setUp(self):
+        super(TestOnDemandAWSCredentials, self).setUp()
+        self.master_key = {
+            "region": "us-east-1",
+            "key": ("arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"),
+        }
+
+    @unittest.skipIf(any(AWS_CREDS.values()), "AWS environment credentials are set")
+    def test_01_failure(self):
+        self.client_encryption = ClientEncryption(
+            kms_providers={"aws": {}},
+            key_vault_namespace="keyvault.datakeys",
+            key_vault_client=client_context.client,
+            codec_options=OPTS,
+        )
+        with self.assertRaises(EncryptionError):
+            self.client_encryption.create_data_key("aws", self.master_key)
+
+    @unittest.skipUnless(any(AWS_CREDS.values()), "AWS environment credentials are not set")
+    def test_02_success(self):
+        self.client_encryption = ClientEncryption(
+            kms_providers={"aws": {}},
+            key_vault_namespace="keyvault.datakeys",
+            key_vault_client=client_context.client,
+            codec_options=OPTS,
+        )
+        self.client_encryption.create_data_key("aws", self.master_key)
+
+
 class TestQueryableEncryptionDocsExample(EncryptionIntegrationTest):
     # Queryable Encryption is not supported on Standalone topology.
     @client_context.require_no_standalone
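Review bot: `test_02_success` calls `create_data_key` but asserts nothing about the result, and neither test closes the `ClientEncryption` it builds or registers it with `addCleanup`, so the object (and its key-vault client session) is left open for the duration of the run unless `EncryptionIntegrationTest` tears it down, which I cannot see from here. The two constructions are also identical, so they can move into `setUp` with `self.addCleanup(self.client_encryption.close)`, and the success test can keep the returned id and check it; `test_01_failure` then only needs its `assertRaises` block. Note that `test_02` writes a real key document into `keyvault.datakeys`; if the base class does not drop that collection between tests, a cleanup for it belongs here as well.
```python
    def setUp(self):
        super(TestOnDemandAWSCredentials, self).setUp()
        self.master_key = {
            # … unchanged: region / key ARN …
        }
        self.client_encryption = ClientEncryption(
            kms_providers={"aws": {}},
            key_vault_namespace="keyvault.datakeys",
            key_vault_client=client_context.client,
            codec_options=OPTS,
        )
        # Release the key-vault client when the test finishes, pass or fail.
        self.addCleanup(self.client_encryption.close)

    # … unchanged: test_01_failure, minus its ClientEncryption construction …

    @unittest.skipUnless(any(AWS_CREDS.values()), "AWS environment credentials are not set")
    def test_02_success(self):
        key_id = self.client_encryption.create_data_key("aws", self.master_key)
        self.assertIsNotNone(key_id)
```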