OSDOCS-14602 Adding encrypted AMI permission note

Author: bscott-rh

modules/installation-aws-permissions.adoc

@@ -270,6 +270,11 @@ If you use an existing VPC, your account does not require these permissions to d
 * `kms:GenerateDataKeyWithoutPlainText`
 * `kms:ListGrants`
 * `kms:RevokeGrant`
+
+[NOTE]
+=====
+If you provide an Amazon Machine Image (AMI) that is encrypted with a customer-managed key, you must provide the `kms:ReEncrypt*` permissions in addition to these permissions.
+=====
 ====
 
 .Required permissions to delete a cluster with shared instance roles