1. Proposed title of this feature request

Additional KMS permission requirement for encrypted AMIs

2. What is the nature and description of the request?

If encrypted AMI  is used in install-config.yaml during the cluster installation, it requires an extra KMS permission kms:ReEncrypt* for installation to succeed without any issues and to add the worker nodes to the cluster during installation. Currently, encrypting the AMI is not supported as there is no sensitive data stored in the AMIs.

3. Why does the customer need this? (List the business requirements here)
AMI/EBS encryption with custom key is required for security purposes.

4. List any affected packages or components.
CCO
machine-api