If you decide to use a customer managed key, or if your default Amazon EBS encryption key is a customer managed key in member account, you will need to add additional permissions to the AWSApplicationMigrationSharingRole_<MANAGEMENT_ACCOUNT_ID> to allow management account to use it.
By using Administrator access, add the following permissions to the AWSApplicationMigrationSharingRole_<MANAGEMENT_ACCOUNT_ID>:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow management account use CMK of member account",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:DescribeKey",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": "$KEY_ARN"
}]
}