The essence of encryption is not "making data unreadable" but "controlling the key." Data encrypted with AES-256 is meaningless bytes without the key, but anyone with the key sees the plaintext. Therefore, in cloud security, encryption discussions almost always reduce to key management — who creates the key, who uses it, and who audits that use. AWS Key Management Service (KMS) controls all three using IAM, key policies, and CloudTrail as a managed key management service.
The core KMS concept is the KMS key (formerly called CMK, Customer Master Key). This key never leaves the FIPS 140-2 validated HSM (Hardware Security Module) boundary inside KMS as plaintext