Using customer managed keys will give administrators control over how data is encrypted to better meet compliance regulations, as well as allow for a more specific key rotation period. Using system-generated keys can sometimes lead to expired or exposed keys remaining in use, leading to insecure data. It is often recommended to use a customer managed key when the service is available.
Once a storage volume has been created, the encryption key cannot be changed and a new volume will need to be created with the appropriate settings. For more information on the limitations of volume encryption, or for steps on creating the gateway and volume to suit your needs, see the AWS documentation.
In Terraform -
References:
https://docs.aws.amazon.com/storagegateway/latest/vgw/encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/storagegateway_cached_iscsi_volume#kms_encrypted