An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration: - The instance...

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
- The instance is allowed the kms:Decrypt action in its IAM role for all resources
- The AWS KMS CMK status is set to enabled
- The instance can communicate with the KMS API using a configured VPC endpointWhat is causing the issue?