diff --git a/modules/installation-aws-permissions.adoc b/modules/installation-aws-permissions.adoc index b9eac8cd737e..c81b892c4e33 100644 --- a/modules/installation-aws-permissions.adoc +++ b/modules/installation-aws-permissions.adoc @@ -271,6 +271,11 @@ If you use an existing VPC, your account does not require these permissions to d * `kms:GenerateDataKeyWithoutPlainText` * `kms:ListGrants` * `kms:RevokeGrant` + +[NOTE] +===== +If you provide an Amazon Machine Image (AMI) that is encrypted with a customer-managed key, you must provide the `kms:ReEncrypt*` permissions in addition to these permissions. +===== ==== .Required permissions to delete a cluster with shared instance roles
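Review bot: the added NOTE introduces `kms:ReEncrypt*`, the only wildcard in a list whose visible entries each name a single KMS action (`kms:GenerateDataKeyWithoutPlainText`, `kms:ListGrants`, `kms:RevokeGrant`). Consider spelling out `kms:ReEncryptFrom` and `kms:ReEncryptTo` instead, so that a reader building a least-privilege policy can copy exact action names, or state that the wildcard is meant to cover both. The sentence also uses "provide" for both the AMI and the permissions; "you must grant the `kms:ReEncrypt*` permissions" reads more clearly. It would also help to say that the permission is needed on the customer-managed key that encrypts the AMI, since the note does not currently say which key resource it applies to.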