Yesterday I said KMS keys never leave the HSM. But what if you need to encrypt a 1GB file? You can't send 1GB to the KMS API for encryption — the KMS Encrypt API accepts only up to 4KB. Envelope encryption solves this paradox. The core idea: "encrypt data locally with a fast symmetric key, and encrypt only that data key with KMS." KMS needs to protect just one small key while the large data encryption happens on the local CPU.
Envelope encryption is a concept you must master for SCS-C03. S3 SSE-KMS, EBS, and RDS encryption all use this mechanism internally, and exams persistently ask "where and in what form is the data key stored?" and "what's the decryption sequence?"