If you're sharing AMIs across accounts, and you're using a customer managed key, you need more than just the correct key policy. You also need to create a KMS grant for the accessing account. I lost several hours of my life because I missed this in the docs (Example 2, part 2):

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access