diff --git a/tidb-cloud/config-s3-and-gcs-access.md b/tidb-cloud/config-s3-and-gcs-access.md index 0511669d4a62a..89f5bcedf49a3 100644 --- a/tidb-cloud/config-s3-and-gcs-access.md +++ b/tidb-cloud/config-s3-and-gcs-access.md @@ -83,6 +83,21 @@ Configure the bucket access for TiDB Cloud and get the Role ARN as follows: For example, `"Resource": "arn:aws:s3:::tidb-cloud-source-data"`. + - If you have enabled AWS Key Management Service key (SSE-KMS) with customer-managed key encryption, make sure the following configuration is included in the policy. `"arn:aws:kms:ap-northeast-1:105880447796:key/c3046e91-fdfc-4f3a-acff-00597dd3801f"` is a sample KMS key of the bucket. + + ``` + { + "Sid": "AllowKMSkey", + "Effect": "Allow", + "Action": [ + "kms:Decrypt" + ], + "Resource": "arn:aws:kms:ap-northeast-1:105880447796:key/c3046e91-fdfc-4f3a-acff-00597dd3801f" + } + ``` + + If the objects in your bucket have been copied from another encrypted bucket, the KMS key value needs to include the keys of both buckets. For example, `"Resource": ["arn:aws:kms:ap-northeast-1:105880447796:key/c3046e91-fdfc-4f3a-acff-00597dd3801f","arn:aws:kms:ap-northeast-1:495580073302:key/0d7926a7-6ecc-4bf7-a9c1-a38f0faec0cd"]`. + 6. Click **Next: Tags**, add a tag of the policy (optional), and then click **Next:Review**. 7. Set a policy name, and then click **Create policy**.
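Review bot: The added `AllowKMSkey` statement and the two follow-up sentences embed what look like real AWS account IDs (`105880447796`, `495580073302`) and key IDs in a public document; since readers will copy this policy as-is, replace them with obvious placeholders such as `arn:aws:kms:<region>:<account-id>:key/<key-id>` and state that users must substitute the ARN of the key that encrypts their own bucket. The phrase "enabled AWS Key Management Service key (SSE-KMS) with customer-managed key encryption" is hard to parse; suggest "enabled server-side encryption with a customer-managed AWS KMS key (SSE-KMS) on the bucket". The new fenced block has no language tag; tag it ```json to match the other policy snippets in this file and get syntax highlighting. Finally, the second paragraph should make explicit that `"Resource"` switches from a single string to a JSON array when listing both keys, so readers do not append the second ARN to the string.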