What is the purpose of kms:GenerateDataKey in AWS?

I'm writing a serverless function on AWS Lambda. On certain instances I need to use kms:GenerateDataKey* permissions. What exactly is the purpose of this? I checked the AWS documentation but it is...