79382953

Date: 2025-01-24 00:36:03
Score: 1

To expand on the answer provided by LeOn - Han Li: we have to use a Customer Managed Key (CMK) if we must encrypt the SNS topic; even today, 23-Jan-2025, the default SNS encryption key still doesn't work for S3 notifications.

The policy of the CMK must allow at least two AWS service principals: "sns.amazonaws.com" and "s3.amazonaws.com"; some other service principals are mentioned in this blog:

    {
      "Sid": "Allow_SNS_for_CMK",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow_S3_for_CMK",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }

The reason is that the default SNS encryption keys are managed by AWS, so customers can't change their permissions.

Posted by: brioche869
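A small offline check for the key-policy requirement described in the answer above, written as an added example (it is not the answer author's code and uses no AWS SDK): it parses a KMS key policy document and reports which of the two service principals, sns.amazonaws.com and s3.amazonaws.com, is missing kms:Decrypt or kms:GenerateDataKey. Wildcard grants such as kms:GenerateDataKey* or kms:* are accepted, statements carrying a Condition block are deliberately not counted, and the embedded sample policies (including the account ID 111122223333 in the root administrator statement) are constructed placeholders.

```python
"""Check that a KMS customer managed key (CMK) policy grants what S3 -> SNS
event notifications need. Added example; the only inputs it relies on are the
standard key-policy JSON shape and the two principals/actions from the answer."""
import fnmatch
import json

REQUIRED_SERVICES = ("sns.amazonaws.com", "s3.amazonaws.com")
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    """Action, Service and Statement may be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_granted(granted_patterns, action):
    """IAM action names match case-insensitively and allow '*' wildcards, so
    'kms:GenerateDataKey*' and 'kms:*' both cover 'kms:GenerateDataKey'."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in granted_patterns)


def missing_service_grants(policy_json):
    """Return {service: [missing actions]} for the S3 and SNS principals.

    Only unconditional Allow statements are credited: a statement with a
    Condition block is skipped, because the key could still be unusable when
    the condition does not hold on the S3 -> SNS -> KMS call path."""
    policy = json.loads(policy_json)
    granted = {svc: [] for svc in REQUIRED_SERVICES}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # anonymous grant: covers every service principal
            services = list(REQUIRED_SERVICES)
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []
        for svc in services:
            if svc in granted:
                granted[svc].extend(_as_list(stmt.get("Action")))
    return {
        svc: [a for a in REQUIRED_ACTIONS if not _action_granted(patterns, a)]
        for svc, patterns in granted.items()
        if not all(_action_granted(patterns, a) for a in REQUIRED_ACTIONS)
    }


# Constructed sample policies. 111122223333 is a placeholder account ID.
_ROOT_ADMIN = {
    "Sid": "EnableRootPermissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*",
}
_SNS_STMT = {
    "Sid": "Allow_SNS_for_CMK",
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
}
_S3_STMT = {
    "Sid": "Allow_S3_for_CMK",
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
    "Resource": "*",
}
# Complete policy with both service grants: the working configuration.
GOOD_POLICY = json.dumps({"Version": "2012-10-17",
                          "Statement": [_ROOT_ADMIN, _SNS_STMT, _S3_STMT]})
# Same policy without the S3 statement: S3 cannot encrypt the notification.
BAD_POLICY = json.dumps({"Version": "2012-10-17",
                         "Statement": [_ROOT_ADMIN, _SNS_STMT]})

if __name__ == "__main__":
    print("good policy missing:", missing_service_grants(GOOD_POLICY))
    print("bad policy missing:", missing_service_grants(BAD_POLICY))
```

Run it as a script, or import `missing_service_grants` and feed it the output of `aws kms get-key-policy --key-id ... --policy-name default --output text`; an empty dict means both service principals have the grants the answer calls for.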