diff --git a/modules/installation-aws-permissions.adoc b/modules/installation-aws-permissions.adoc index 2551d2c51f78..2a8e4aaa80a7 100644 --- a/modules/installation-aws-permissions.adoc +++ b/modules/installation-aws-permissions.adoc @@ -270,6 +270,11 @@ If you use an existing VPC, your account does not require these permissions to d * `kms:GenerateDataKeyWithoutPlainText` * `kms:ListGrants` * `kms:RevokeGrant` + +[NOTE] +===== +If you provide an Amazon Machine Image (AMI) that is encrypted with a customer-managed key, you must provide the `kms:ReEncrypt*` permissions in addition to these permissions. +===== ==== .Required permissions to delete a cluster with shared instance roles
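Review bot: In the added NOTE, `kms:ReEncrypt*` is a wildcard, while the list entries directly above it (`kms:ListGrants`, `kms:RevokeGrant`) each name a single action. For readers building a least-privilege policy, consider either listing the two actions the wildcard covers, `kms:ReEncryptFrom` and `kms:ReEncryptTo`, or stating that the wildcard form is intended. The phrase "you must provide the ... permissions" also does not say who receives them; wording that matches the surrounding text, such as "your account also requires the `kms:ReEncrypt*` permissions", would be clearer. Since the note sits inside the block that ends at `====`, it may be worth confirming that "these permissions" refers only to the KMS entries in this list and saying so explicitly.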