diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.json b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.json
index 1a448254a0cfd..5e523b98a90ca 100644
--- a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.json
+++ b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.json
@@ -337,7 +337,8 @@
                     "s3:GetObject*",                    "s3:GetBucket*",
                     "s3:List*",                         "s3:Abort*",
                     "s3:DeleteObject*",                 "s3:PutObject*",
-                    "kms:Decrypt",                      "kms:DescribeKey"
+                    "kms:Decrypt",    "kms:DescribeKey",     "kms:Encrypt",
+                    "kms:ReEncrypt*", "kms:GenerateDataKey*"
                   ],
                   "Resource": "*",
                   "Effect": "Allow"