If the KMS key has a policy that does not allow the Lambda with the configured IAM policy to use the KMS key to decrypt, then the decryption in the Lambda will fail.

Should document what the key policy should allow.