Looking at the code I see only Encrypt and Decrypt are granted.

This seems not to be sufficient when trying to perform a putObject with S3 using the KMS key to encrypt the file at rest. This is explained here: https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

Am I missing something?