diff --git a/src/AmazonS3EncryptionClientBase.cs b/src/AmazonS3EncryptionClientBase.cs
index 391efcb..d78c9ba 100644
--- a/src/AmazonS3EncryptionClientBase.cs
+++ b/src/AmazonS3EncryptionClientBase.cs
@@ -112,8 +112,7 @@ internal IAmazonKeyManagementService KMSClient
                         {
                             if (this.S3CryptoConfig.KmsConfig != null)
                             {
-                                kmsClient = new AmazonKeyManagementServiceClient(this.Config.DefaultAWSCredentials, 
-                                    this.S3CryptoConfig.KmsConfig);
+                                kmsClient = new AmazonKeyManagementServiceClient(ExplicitAWSCredentials ?? Config.DefaultAWSCredentials, S3CryptoConfig.KmsConfig);
                             }
                             else
                             {
@@ -129,7 +128,7 @@ internal IAmazonKeyManagementService KMSClient
                                     kmsConfig.SetWebProxy(proxySettings);
                                 }
                                 
-                                kmsClient = new AmazonKeyManagementServiceClient(this.Config.DefaultAWSCredentials, kmsConfig);
+                                kmsClient = new AmazonKeyManagementServiceClient(ExplicitAWSCredentials ?? Config.DefaultAWSCredentials, kmsConfig);
                             }
                         }
                     }
@@ -146,7 +145,7 @@ internal AmazonS3Client S3ClientForInstructionFile
 	        {
 	            if (s3ClientForInstructionFile == null)
 	            {
-                    s3ClientForInstructionFile = new AmazonS3Client(this.Config.DefaultAWSCredentials, S3CryptoConfig);
+                    s3ClientForInstructionFile = new AmazonS3Client(ExplicitAWSCredentials ?? Config.DefaultAWSCredentials, S3CryptoConfig);
                 }
 	            return s3ClientForInstructionFile;
 	        }
diff --git a/test/UnitTests/AmazonS3EncryptionClientTests.cs b/test/UnitTests/AmazonS3EncryptionClientTests.cs
index 5095475..33fc553 100644
--- a/test/UnitTests/AmazonS3EncryptionClientTests.cs
+++ b/test/UnitTests/AmazonS3EncryptionClientTests.cs
@@ -3,6 +3,7 @@
 using Amazon.Extensions.S3.Encryption.Primitives;
 using Amazon.KeyManagementService;
 using Amazon.Runtime;
+using Amazon.S3;
 using Xunit;
 
 namespace Amazon.Extensions.S3.Encryption.UnitTests
@@ -82,9 +83,16 @@ public void S3EncryptionClient_AllWrappedClientsInheritBaseConfiguration()
             //= type=test
             //# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
             Assert.Equal(config.RegionEndpoint, client.S3ClientForInstructionFile.Config.RegionEndpoint);
-            Assert.Equal(credentials, client.S3ClientForInstructionFile.Config.DefaultAWSCredentials);
             Assert.Equal(config.RegionEndpoint, client.KMSClient.Config.RegionEndpoint);
-            Assert.Equal(credentials, client.Config.DefaultAWSCredentials);
+                        
+            // Use reflection to get the actual credentials from the s3 and kms clients since ExplicitAWSCredentials is not exposed
+            var s3ClientCredentials = typeof(AmazonS3Client).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
+                .GetValue(client.S3ClientForInstructionFile);
+            Assert.Equal(credentials, s3ClientCredentials);
+
+            var kmsClientCredentials = typeof(AmazonKeyManagementServiceClient).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
+                .GetValue(client.KMSClient);
+            Assert.Equal(credentials, kmsClientCredentials);
         }
     }
 }
\ No newline at end of file
diff --git a/test/UnitTests/AmazonS3EncryptionClientV2Tests.cs b/test/UnitTests/AmazonS3EncryptionClientV2Tests.cs
index bc06424..47cdb38 100644
--- a/test/UnitTests/AmazonS3EncryptionClientV2Tests.cs
+++ b/test/UnitTests/AmazonS3EncryptionClientV2Tests.cs
@@ -3,6 +3,7 @@
 using Amazon.Extensions.S3.Encryption.Primitives;
 using Amazon.KeyManagementService;
 using Amazon.Runtime;
+using Amazon.S3;
 using Xunit;
 
 namespace Amazon.Extensions.S3.Encryption.UnitTests
@@ -80,9 +81,16 @@ public void S3EncryptionClient_AllWrappedClientsInheritBaseConfiguration()
             //= type=test
             //# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
             Assert.Equal(config.RegionEndpoint, client.S3ClientForInstructionFile.Config.RegionEndpoint);
-            Assert.Equal(credentials, client.S3ClientForInstructionFile.Config.DefaultAWSCredentials);
             Assert.Equal(config.RegionEndpoint, client.KMSClient.Config.RegionEndpoint);
-            Assert.Equal(credentials, client.Config.DefaultAWSCredentials);
+                        
+            // Use reflection to get the actual credentials from the s3 and kms clients since ExplicitAWSCredentials is not exposed
+            var s3ClientCredentials = typeof(AmazonS3Client).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
+                .GetValue(client.S3ClientForInstructionFile);
+            Assert.Equal(credentials, s3ClientCredentials);
+
+            var kmsClientCredentials = typeof(AmazonKeyManagementServiceClient).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
+                .GetValue(client.KMSClient);
+            Assert.Equal(credentials, kmsClientCredentials);
         }
     }
 }
\ No newline at end of file