What must be configured for an EC2 instance profile to access a KMS key?


For an EC2 instance profile to access a KMS key, the key must have a key policy configured to allow decrypt access. Specifically, the key policy must grant the IAM role associated with the EC2 instance permission to use the KMS key for decryption operations.

KMS (Key Management Service) operates on explicitly defined permissions. An instance profile is linked to a specific IAM role, so if that role needs the KMS key for actions such as decrypting data, the permissions must be granted directly in the key policy.

The other options, such as security groups and network ACLs, control traffic and access at the network level and do not influence permission management for the cryptographic operations KMS provides. A specific IAM role is necessary, but merely having a role is not sufficient without the specific permission to decrypt with the KMS key. A network ACL serves a different purpose entirely.
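
An added example, not part of the original page: a simplified Python check of whether a key policy document directly allows a given IAM role to call `kms:Decrypt`. The account ID, role names, Sids and function names are constructed placeholders; the principal is the role's ARN, since the instance profile only carries the role.

```python
import fnmatch

# Constructed sample key policy: account ID, role names and Sids are placeholders.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleAppRole"
ADMIN_ARN = "arn:aws:iam::111122223333:role/ExampleKeyAdmin"
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowInstanceRoleDecrypt", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "AllowKeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": ADMIN_ARN},
         "Action": ["kms:Put*", "kms:Describe*"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, role_arn, action):
    """Does this statement name the role (or '*') and cover the action?"""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        principals = [principal]
    else:
        principals = _as_list(principal.get("AWS", []))
    # IAM action names are case-insensitive and may use * and ? wildcards.
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (any(p in (role_arn, "*") for p in principals)
            and any(fnmatch.fnmatchcase(action.lower(), pat) for pat in patterns))

def role_can(policy, role_arn, action="kms:Decrypt"):
    """True if an Allow statement covers the role and action and no Deny does.

    Simplified: Condition, NotPrincipal and NotAction are not evaluated.
    """
    stmts = _as_list(policy.get("Statement", []))
    allowed = any(s.get("Effect") == "Allow" and _matches(s, role_arn, action) for s in stmts)
    denied = any(s.get("Effect") == "Deny" and _matches(s, role_arn, action) for s in stmts)
    return allowed and not denied

if __name__ == "__main__":
    for arn in (ROLE_ARN, ADMIN_ARN):
        print(arn, "-> kms:Decrypt allowed:", role_can(KEY_POLICY, arn))
```

In the sample, the key-admin role exists and appears in the policy, yet cannot decrypt because no statement grants it `kms:Decrypt`.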
