If you want to use Amazon encryption with Cloud Volumes ONTAP, then you must set up the AWS Key Management Service (KMS).
Ensure that an active CMK exists in your account.
The CMK can be an AWS-managed CMK or a customer-managed CMK.
Add the IAM role associated with the Cloud Manager instance to the list of key users for a CMK.
This gives Cloud Manager permissions to use the CMK with Cloud Volumes ONTAP.