IAM role for S3 encrypted upload only

Hi All,

I have an SFTP server that receives data files on a daily basis.
I would like to copy these files to S3 and encrypt them for perpetual storage.
My preference is that the IAM role granted to the SFTP server only has permissions to encrypt, not decrypt the files.
From the documentation, I should be able to achieve this by specifying a key on upload to S3 and ensuring the IAM role for the SFTP server has only the encrypt permission.

My IAM policies below:

Firstly, S3 allow all (Just for testing):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

KMS Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Encrypt",
            "Resource": "arn:aws:kms:ap-southeast-2:<account-id>:key/<key-id> "
        }
    ]
}

When I try and copy a file to S3 using

aws s3 cp test.txt s3://<folderName>/test.txt --sse aws:kms --sse-kms-key-id <key-id>

I get an error message:

An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

If I manually go into the KMS policy and allow the IAM user permissions, then the IAM user can encrypt & decrypt the file which is not what I want.

Has anyone managed to achieve this?