I am upgrading my application from AWS SDK v1 to v2. Earlier the objects were encrypted with AmazonS3EncryptionClientBuilder, which was part of v1. I use an AWS KMS key for encrypting the objects in the bucket. As I am doing client-side encryption, my bucket is encrypted with AES256 (default), and the objects are KMS encrypted.
Now I am using S3EncryptionClient, which is now a separate dependency (https://github.com/aws/amazon-s3-encryption-client-java), to decrypt the objects; get requests by the client are getting an error "access denied".
Q 1. Is it valid to have the bucket encrypted with AES256 and the objects encrypted with KMS?
Q 2. How can I pass the "StringNotLikeIfExists" policy restriction in the bucket using the AWS S3 encryption client?
I am able to decrypt them using AWS SDK v1, but not with S3EncryptionClient.
Old code (used for encryption):
```java
// v1 client: client-side encryption with a KMS-backed materials provider
AmazonS3 s3Encryption = AmazonS3EncryptionClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(creds))
        .withRegion(region)
        .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly).withAwsKmsRegion(r))
        .withEncryptionMaterials(new KMSEncryptionMaterialsProvider(arnKey))
        .build();
```
New code (used for decryption):
```java
// v2 client from the separate amazon-s3-encryption-client-java dependency
S3EncryptionClient s3Decryption = S3EncryptionClient.builder()
        .kmsKeyId(kmsKeyId)
        .wrappedClient(getS3Client(getCredentialProvider()))
        .enableLegacyWrappingAlgorithms(true)
        .enableDelayedAuthenticationMode(true)
        .build();
```
Bucket policy:
```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "RequireKMSEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "kmskey"
        }
      }
    }
  ]
}
```
**Note: To satisfy the condition "StringNotLikeIfExists" we earlier had an option to pass metadata**
```java
// v1: sets the SSE-KMS headers on each uploaded object so the bucket policy condition is met
new ObjectMetadataProvider() {
    @Override
    public void provideObjectMetadata(File file1, ObjectMetadata metadata) {
        logger.info("Applying encryption....");
        metadata.setSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm());
        metadata.setHeader("x-amz-server-side-encryption-aws-kms-key-id", kmsARN);
    }
};
```
Earlier there was an interface "AmazonS3" that provided coverage of all types of client, so in TransferManager we could pass the S3 encryption client, which would do client-side encryption and provide the transfer functionality with multipart uploads and multithreading.
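The SDK v2 counterpart of the ObjectMetadataProvider shown in the note, as an added example that is not from the question or the encryption client project: the SSE-KMS key id is a field of PutObjectRequest rather than object metadata, and it assumes the S3EncryptionClient forwards those fields unchanged to the wrapped client. The bucket, key and KMS ARN are placeholders.

```java
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.PutObjectResponse;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
import software.amazon.encryption.s3.S3EncryptionClient;

public class SseKmsPassthroughExample {

    // Placeholders: replace with the real bucket, object key and KMS key ARN.
    static final String BUCKET = "bucketname";
    static final String OBJECT_KEY = "reports/example.txt";
    static final String KMS_KEY_ARN = "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID";

    // Returns the key id S3 reports it used, so callers can verify the policy was met.
    public static String putWithSseKms(S3EncryptionClient s3, String body) {
        // The bucket policy denies PutObject unless the SSE-KMS key-id header matches.
        // In SDK v2 that header is a request field rather than ObjectMetadata; the
        // encryption client is assumed to forward it unchanged to the wrapped client.
        PutObjectRequest put = PutObjectRequest.builder()
                .bucket(BUCKET)
                .key(OBJECT_KEY)
                .serverSideEncryption(ServerSideEncryption.AWS_KMS)
                .ssekmsKeyId(KMS_KEY_ARN)
                .build();
        PutObjectResponse resp = s3.putObject(put, RequestBody.fromString(body));
        return resp.ssekmsKeyId();
    }

    public static void main(String[] args) {
        // Client-side encryption with a KMS-wrapped data key (v2 equivalent of the old
        // KMSEncryptionMaterialsProvider). The two legacy/delayed flags are only needed
        // while v1 EncryptionOnly objects remain; delayed authentication releases
        // plaintext before the integrity tag is checked, so drop it once they are gone.
        try (S3EncryptionClient s3 = S3EncryptionClient.builder()
                .kmsKeyId(KMS_KEY_ARN)
                .wrappedClient(S3Client.create())
                .enableLegacyWrappingAlgorithms(true)
                .enableDelayedAuthenticationMode(true)
                .build()) {
            String usedKey = putWithSseKms(s3, "constructed sample body");
            // A mismatch here means the object was not protected by the intended key.
            System.out.println("Stored under SSE-KMS key: " + usedKey);
        }
    }
}
```

The Deny statement in the policy only covers s3:PutObject, so an "access denied" on GetObject is decided by other statements or IAM/KMS permissions, which is worth checking in CloudTrail alongside the upload path above.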