F5 Distributed Cloud App Infrastructure Protection (AIP) supports the export of batched files to an AWS S3 bucket with KMS Encryption-managed keys. There are no additional permissions needed. See the Amazon KMS Encryption documentation for configuration instructions.
Enable your custom or customer-managed KMS Encryption key before you configure the Distributed Cloud AIP data portability integration. If you add KMS Encryption to your S3 bucket after you integrate data portability, then you must re-enroll the KMS encrypted S3 bucket through the Distributed Cloud AIP API.
Distributed Cloud AIP also supports the export of batched files to an AWS S3 bucket with S3-managed encryption.