Merge pull request #100958 from bscott-rh/OSDOCS-14602

OSDOCS-16291 Adding encrypted AMI permission note

Author: bscott-rh

modules/installation-aws-permissions.adoc

@@ -271,6 +271,11 @@ If you use an existing VPC, your account does not require these permissions to d
 * `kms:GenerateDataKeyWithoutPlainText`
 * `kms:ListGrants`
 * `kms:RevokeGrant`
+
+[NOTE]
+=====
+If you provide an Amazon Machine Image (AMI) that is encrypted with a customer-managed key, you must provide the `kms:ReEncrypt*` permissions in addition to these permissions.
+=====
 ====
 
 .Required permissions to delete a cluster with shared instance roles