diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4bcb28bbfb..0a49c71fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -70,6 +70,7 @@ request adding CHANGELOG notes for breaking (!) changes and possibly other secti
 - Generic Table is no longer in beta and is generally-available.
 - Added Windows support for Python client.
 - (Before/After)UpdateTableEvent is emitted for all table updates within a transaction.
+- Added KMS options to Polaris CLI
 
 ### Deprecations
 
diff --git a/client/python/apache_polaris/cli/command/__init__.py b/client/python/apache_polaris/cli/command/__init__.py
index 9f098e84a6..9551c30b46 100644
--- a/client/python/apache_polaris/cli/command/__init__.py
+++ b/client/python/apache_polaris/cli/command/__init__.py
@@ -72,6 +72,8 @@ def options_get(key, f=lambda x: x):
 sts_endpoint=options_get(Arguments.STS_ENDPOINT),
 sts_unavailable=options_get(Arguments.STS_UNAVAILABLE),
 path_style_access=options_get(Arguments.PATH_STYLE_ACCESS),
+ current_kms_key=options_get(Arguments.KMS_KEY_CURRENT),
+ allowed_kms_keys=options_get(Arguments.KMS_KEY_ALLOWED),
 catalog_connection_type=options_get(Arguments.CATALOG_CONNECTION_TYPE),
 catalog_authentication_type=options_get(Arguments.CATALOG_AUTHENTICATION_TYPE),
 catalog_service_identity_type=options_get(Arguments.CATALOG_SERVICE_IDENTITY_TYPE),
diff --git a/client/python/apache_polaris/cli/command/catalogs.py b/client/python/apache_polaris/cli/command/catalogs.py
index e183d25ee9..466266ad5d 100644
--- a/client/python/apache_polaris/cli/command/catalogs.py
+++ b/client/python/apache_polaris/cli/command/catalogs.py
@@ -77,6 +77,8 @@ class CatalogsCommand(Command):
 sts_endpoint: str
 sts_unavailable: bool
 path_style_access: bool
+ current_kms_key: str
+ allowed_kms_keys: List[str]
 catalog_connection_type: str
 catalog_authentication_type: str
 catalog_service_identity_type: str
@@ -145,6 +147,8 @@ def validate(self):
 f" {Argument.to_flag_name(Arguments.USER_ARN)},"
 f" {Argument.to_flag_name(Arguments.ENDPOINT)},"
 f" {Argument.to_flag_name(Arguments.ENDPOINT_INTERNAL)},"
+ f" {Argument.to_flag_name(Arguments.KMS_KEY_CURRENT)},"
+ f" {Argument.to_flag_name(Arguments.KMS_KEY_ALLOWED)},"
 f" {Argument.to_flag_name(Arguments.STS_ENDPOINT)},"
 f" {Argument.to_flag_name(Arguments.STS_UNAVAILABLE)}, and"
 f" {Argument.to_flag_name(Arguments.PATH_STYLE_ACCESS)}"
@@ -179,7 +183,17 @@ def validate(self):
 )
 
 def _has_aws_storage_info(self):
- return self.role_arn or self.external_id or self.user_arn or self.region or self.endpoint or self.endpoint_internal or self.sts_endpoint or self.path_style_access
+ return (self.role_arn
+ or self.external_id
+ or self.user_arn
+ or self.region
+ or self.endpoint
+ or self.endpoint_internal
+ or self.sts_endpoint
+ or self.current_kms_key
+ or self.allowed_kms_keys
+ or self.path_style_access
+ )
 
 def _has_azure_storage_info(self):
 return self.tenant_id or self.multi_tenant_app_name or self.consent_url
@@ -202,6 +216,8 @@ def _build_storage_config_info(self):
 sts_endpoint=self.sts_endpoint,
 sts_unavailable=self.sts_unavailable,
 path_style_access=self.path_style_access,
+ current_kms_key=self.current_kms_key,
+ allowed_kms_keys=self.allowed_kms_keys,
 )
 elif self.storage_type == StorageType.AZURE.value:
 config = AzureStorageConfigInfo(
diff --git a/client/python/apache_polaris/cli/constants.py b/client/python/apache_polaris/cli/constants.py
index 1e3e343152..afef623e53 100644
--- a/client/python/apache_polaris/cli/constants.py
+++ b/client/python/apache_polaris/cli/constants.py
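Review bot: `_has_aws_storage_info` is rewritten in the `@@ -179` hunk but still leaves `sts_unavailable` out of the chain, even though the message in the `@@ -145` hunk now lists `--no-sts` next to the two KMS flags as an S3-only option, so (inferred — the `validate` dispatch is outside the hunk) `--no-sts` combined with a non-S3 storage type would presumably pass unnoticed. If that omission is deliberate, a one-line comment above the `return (` saying so would stop the next reader from re-adding it; otherwise `or self.sts_unavailable` belongs in the chain. As a point of style, the first operand shares the `return (` line and the closing `)` sits at the operand indent; putting `return (` on its own line, one operand per line, and `)` back at the `return` column matches how the f-string list in the same method is laid out. The KMS ARNs are forwarded to `AwsStorageConfigInfo` as opaque strings, consistent with `role_arn`, so server-side validation is what catches a malformed ARN — worth confirming that the server also rejects a `current_kms_key` that is not in `allowed_kms_keys`, if that is the intended contract. `validate` itself starts outside the hunk.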
@@ -179,6 +179,8 @@ class Arguments:
 ENDPOINT_INTERNAL = "endpoint_internal"
 STS_ENDPOINT = "sts_endpoint"
 STS_UNAVAILABLE = "no_sts"
+ KMS_KEY_CURRENT = "current_kms_key"
+ KMS_KEY_ALLOWED = "allowed_kms_key"
 PATH_STYLE_ACCESS = "path_style_access"
 CATALOG_CONNECTION_TYPE = "catalog_connection_type"
 CATALOG_AUTHENTICATION_TYPE = "catalog_authentication_type"
@@ -258,6 +260,12 @@ class Create:
 "(Only for S3) Indicates that Polaris should not use STS (e.g. if STS is not available)"
 )
 PATH_STYLE_ACCESS = "(Only for S3) Whether to use path-style-access for S3"
+ KMS_KEY_CURRENT = (
+ "(Only for AWS S3) The AWS KMS key ARN to be used for encrypting new S3 data"
+ )
+ KMS_KEY_ALLOWED = (
+ "(Only for AWS S3) AWS KMS key ARN(s) that this catalog and its clients are allowed to use for reading S3 data (zero or more)"
+ )
 
 TENANT_ID = "(Required for Azure) A tenant ID to use when connecting to Azure Storage"
 MULTI_TENANT_APP_NAME = (
diff --git a/client/python/apache_polaris/cli/options/option_tree.py b/client/python/apache_polaris/cli/options/option_tree.py
index 3e93cceefd..bb56a275b7 100644
--- a/client/python/apache_polaris/cli/options/option_tree.py
+++ b/client/python/apache_polaris/cli/options/option_tree.py
@@ -124,6 +124,8 @@ def get_tree() -> List[Option]:
 Argument(Arguments.STS_ENDPOINT, str, Hints.Catalogs.Create.STS_ENDPOINT),
 Argument(Arguments.STS_UNAVAILABLE, bool, Hints.Catalogs.Create.STS_UNAVAILABLE),
 Argument(Arguments.PATH_STYLE_ACCESS, bool, Hints.Catalogs.Create.PATH_STYLE_ACCESS),
+ Argument(Arguments.KMS_KEY_CURRENT, str, Hints.Catalogs.Create.KMS_KEY_CURRENT),
+ Argument(Arguments.KMS_KEY_ALLOWED, str, Hints.Catalogs.Create.KMS_KEY_ALLOWED, allow_repeats=True),
 Argument(Arguments.ALLOWED_LOCATION, str, Hints.Catalogs.Create.ALLOWED_LOCATION, allow_repeats=True),
 Argument(Arguments.ROLE_ARN, str, Hints.Catalogs.Create.ROLE_ARN),
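Review bot: The `KMS_KEY_ALLOWED` hint in the `@@ -258` hunk does not tell the operator whether the key given as `--current-kms-key` must also be repeated as an `--allowed-kms-key` for the data it encrypts to stay readable, and neither hint states the expected ARN form; because the CLI passes these values through as opaque strings, the help text is the only place that relationship is visible to the user. Suggest `KMS_KEY_CURRENT` read `"(Only for AWS S3) The AWS KMS key ARN (arn:aws:kms:...) to be used for encrypting new S3 data"` and that `KMS_KEY_ALLOWED` gain a clause on how it relates to the current key, once that is confirmed against the server's handling. The argument key `"allowed_kms_key"` is singular while the `CatalogsCommand` field it feeds is `allowed_kms_keys`; this mirrors `ALLOWED_LOCATION`, which is also repeatable with a singular key, so it is consistent, but a `# repeatable; collected into CatalogsCommand.allowed_kms_keys` comment on the constant would save a lookup. In `option_tree.py` the two new `Argument` entries are placed after `PATH_STYLE_ACCESS`, whereas in `Arguments` they are inserted before it — keeping the same order in both lists makes them easier to cross-check.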
diff --git a/site/content/in-dev/unreleased/getting-started/creating-a-catalog/s3/_index.md b/site/content/in-dev/unreleased/getting-started/creating-a-catalog/s3/_index.md
index 73b5e6bcd8..c7bf3de57f 100644
--- a/site/content/in-dev/unreleased/getting-started/creating-a-catalog/s3/_index.md
+++ b/site/content/in-dev/unreleased/getting-started/creating-a-catalog/s3/_index.md
@@ -32,6 +32,8 @@ there are a few s3-only options:
 ```text
 --storage-type s3
 --role-arn (Only for AWS S3) A role ARN to use when connecting to S3
+--current-kms-key (Only for AWS S3) The AWS KMS key ARN to be used for encrypting new S3 data
+--allowed-kms-key (Only for AWS S3) AWS KMS key ARN(s) that this catalog and its clients are allowed to use for reading S3 data (zero or more)
 --no-sts (Only for S3) Indicates that Polaris should not use STS (e.g. if STS is not available)
 --region (Only for S3) The region to use when connecting to S3
 --external-id (Only for S3) The external ID to use when connecting to S3