diff --git a/API.md b/API.md
index a986522a..4fcc0201 100644
--- a/API.md
+++ b/API.md
@@ -3105,6 +3105,7 @@ const sopsSyncProps: SopsSyncProps = { ... }
 | sopsS3Key | string | If you want to pass the sops file via s3, you can specify the key inside the bucket you can use cfn parameter here Both, sopsS3Bucket and sopsS3Key have to be specified. |
 | stringifyValues | boolean | Shall all values be flattened? |
 | uploadType | UploadType | How should the secret be passed to the CustomResource? |
+| assetEncryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used by the CDK default Asset S3 Bucket. |
 | encryptionKey | aws-cdk-lib.aws_kms.IKey | The encryption key used for encrypting the ssm parameter if `parameterName` is set. |
 | parameterNames | string[] | The parameter names. |
 | resourceType | ResourceType | Will this Sync deploy a Secret or Parameter(s). |
@@ -3303,6 +3304,19 @@ How should the secret be passed to the CustomResource?
 ---
+##### `assetEncryptionKey`Optional
+
+```typescript
+public readonly assetEncryptionKey: IKey;
+```
+
+- *Type:* aws-cdk-lib.aws_kms.IKey
+- *Default:* Trying to get the key using the CDK Bootstrap context.
+
+The encryption key used by the CDK default Asset S3 Bucket.
+
+---
+
 ##### `encryptionKey`Optional
 ```typescript
diff --git a/src/SopsSync.ts b/src/SopsSync.ts
index 56556eb5..e5c42600 100644
--- a/src/SopsSync.ts
+++ b/src/SopsSync.ts
@@ -1,13 +1,13 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import {
- SecretValue,
- Duration,
- Lazy,
- Stack,
 Annotations,
 CustomResource,
+ Duration,
 FileSystem,
+ Lazy,
+ SecretValue,
+ Stack,
 } from 'aws-cdk-lib';
 import { ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2';
 import {
@@ -17,7 +17,7 @@ import {
 PolicyStatement,
 } from 'aws-cdk-lib/aws-iam';
 import { IKey, Key } from 'aws-cdk-lib/aws-kms';
-import { SingletonFunction, Code, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { Code, Runtime, SingletonFunction } from 'aws-cdk-lib/aws-lambda';
 import { Asset } from 'aws-cdk-lib/aws-s3-assets';
 import { ISecret } from 'aws-cdk-lib/aws-secretsmanager';
 import { Construct } from 'constructs';
@@ -158,6 +158,11 @@ export interface SopsSyncProps extends SopsSyncOptions {
 */
 readonly encryptionKey?: IKey;
+ /**
+ * The encryption key used by the CDK default Asset S3 Bucket.
+ * @default - Trying to get the key using the CDK Bootstrap context.
+ */
+ readonly assetEncryptionKey?: IKey;
 /**
 * Will this Sync deploy a Secret or Parameter(s)
 */
@@ -352,7 +357,12 @@ export class SopsSync extends Construct {
 role: provider.role,
 sopsFileContent: sopsFileContent.toString(),
 });
- Permissions.assetBucket(this, sopsAsset, provider.role);
+ Permissions.assetBucket(
+ this,
+ sopsAsset,
+ provider.role,
+ props.assetEncryptionKey,
+ );
 Permissions.encryptionKey(props.encryptionKey, provider.role);
 Permissions.secret(props.secret, provider.role);
 Permissions.parameters(this, props.parameterNames, provider.role);
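Review bot: The `@default` line on `assetEncryptionKey` (hunk `@@ -158`) describes an attempt rather than an outcome, and it leaves unsaid what happens when the bootstrap lookup fails, which in the `Permissions.assetBucket` change of this same commit is a synth-time warning and no key grant at all; a caller deciding whether to set this prop needs that. I'd write it as `@default - Looked up from the stack's CDK bootstrap KMS alias (alias/cdk-bootstrap/<qualifier>); if that lookup fails a warning is emitted and no key permissions are granted, so pass the key explicitly when the asset bucket uses a custom key.` and add one sentence saying the key given here is granted decrypt permissions to the custom-resource provider role. The `readonly encryptionKey?: IKey;` context line above the addition suggests the interface continues outside the hunk.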
@@ -559,15 +569,32 @@ export namespace Permissions {
 /**
 * Grants the necessary permissions to read the given asset from S3.
 */
- export function assetBucket(context: Construct, asset: Asset | undefined, target: IGrantable) {
+ export function assetBucket(
+ context: Construct,
+ asset: Asset | undefined,
+ target: IGrantable,
+ assetKey: IKey | undefined,
+ ) {
 if (asset === undefined) {
 return;
 }
- const qualifier = context.node.tryGetContext('aws:cdk:qualifier') ?? 'hnb659fds';
- Key.fromLookup(context, 'AssetBucketKey', {
- aliasName: `alias/cdk-bootstrap/${qualifier}`,
- }).grantEncrypt(target);
- asset.bucket.grantRead(target);
+
+ if (assetKey) {
+ assetKey.grantDecrypt(target);
+ } else {
+ try {
+ const qualifier =
+ Stack.of(context).synthesizer.bootstrapQualifier ?? 'hnb659fds'; // hnb659fds is the AWS global default qualifier
+ Key.fromLookup(context, 'AssetBucketKey', {
+ aliasName: `alias/cdk-bootstrap/${qualifier}`,
+ }).grantEncrypt(target);
+ } catch (error) {
+ Annotations.of(context).addWarningV2(
+ 'no-asset-kms-key',
+ `An error occured while retreving the KMS-Key for the Asset S3-Bucket from CDK Bootstrap. Set encryption key manually by using props.assetEncryptionKey. ${error}`,
+ );
+ }
+ }
 }
 }
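Review bot: `asset.bucket.grantRead(target)` is removed by this hunk and nothing on the new side re-adds it, so the role passed as `target` no longer receives S3 read access on the asset bucket even though the doc comment above the function still promises exactly that; unless that grant now happens somewhere outside the hunk, keep `asset.bucket.grantRead(target);` right after the `asset === undefined` guard, before the key branch. The two branches also grant different permissions: the explicit key path calls `assetKey.grantDecrypt(target)` while the bootstrap-lookup fallback keeps `grantEncrypt`, and reading an SSE-KMS object needs kms:Decrypt rather than kms:Encrypt/GenerateDataKey, so the fallback should read `}).grantDecrypt(target);` — that is both the permission a reader actually needs and the smaller grant. I also believe `Key.fromLookup` does not throw synchronously for an unknown alias on a fresh synth (it records missing context and returns a placeholder), in which case the `catch` branch and its warning never fire; worth verifying before relying on the warning as the signal that the grant is absent. Minor: the warning text has typos (`occured`, `retreving`).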